How to create a break glass account in an M365 tenant? What are the best practices and prerequisites for it?

Vinod Survase 4,716 Reputation points
2023-04-12T13:42:32.5466667+00:00

How to create a break glass account in an M365 tenant? What are the best practices and prerequisites for it? I have gone through this document, but it is a bit unclear: I created the account and it still requires MFA, but as per this document we should not use Azure AD MFA and should instead use a different form of authentication that is outside the M365 tenant, or maybe a third-party solution. https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access Can anyone help here and make this clear?


2 answers

  1. Andy David - MVP 142.8K Reputation points MVP
    2023-04-12T14:58:05.52+00:00

    Hi, you need to exclude the break glass account from MFA. That is required in case MFA is somehow broken or the other admins in your tenant do not have access to their devices. Excluding it from MFA means authentication is by password only, so secure the credentials and ensure they are complex so they can't be easily guessed. If you are monitoring sign-ins, be sure to monitor and report any usage by this account as well.

    https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies

    1 person found this answer helpful.

  2. Andy David - MVP 142.8K Reputation points MVP
    2023-04-13T11:19:23.62+00:00

    Hi, use an existing Global Admin account and follow these steps: https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#how-to-create-an-emergency-access-account Then exclude this new account from your Conditional Access policy, under Users in the policy that enforces MFA. Add the break glass account there.

    1 person found this answer helpful.
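The steps from both answers above (exclude the account from every enforcing Conditional Access policy, then watch its sign-ins), scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the answers or from the Microsoft documentation; it assumes the SDK is installed, that the break glass account already exists, and that `$BreakGlassUpn` (a placeholder) is its UPN.

```powershell
# Added example: enforce the CA exclusion for a break glass account and review its sign-ins.
# Assumes Microsoft.Graph PowerShell SDK; $BreakGlassUpn is a placeholder you supply.
param(
    [Parameter(Mandatory)] [string] $BreakGlassUpn   # e.g. "breakglass@contoso.onmicrosoft.com" (placeholder)
)

Connect-MgGraph -Scopes "User.Read.All","Policy.Read.All","Policy.ReadWrite.ConditionalAccess","AuditLog.Read.All"

# CA exclusions are stored by object ID, not UPN, so resolve the account first.
$bg = Get-MgUser -UserId $BreakGlassUpn -Property Id,UserPrincipalName,AccountEnabled
if (-not $bg.AccountEnabled) { throw "Break glass account $BreakGlassUpn is disabled" }

# Walk every enabled CA policy and add the account to excludeUsers where it is missing.
foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($policy.State -ne 'enabled') { continue }
    $users = $policy.Conditions.Users
    if ($users.ExcludeUsers -contains $bg.Id) {
        Write-Host "OK     $($policy.DisplayName)"; continue
    }
    # PATCH replaces the nested 'users' object, so resend the whole block plus the new exclusion.
    # (Policies that target guest/external users carry extra fields; review those by hand.)
    $body = @{
        conditions = @{
            users = @{
                includeUsers  = @($users.IncludeUsers)
                excludeUsers  = @($users.ExcludeUsers + $bg.Id)
                includeGroups = @($users.IncludeGroups)
                excludeGroups = @($users.ExcludeGroups)
                includeRoles  = @($users.IncludeRoles)
                excludeRoles  = @($users.ExcludeRoles)
            }
        }
    }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
    Write-Host "FIXED  $($policy.DisplayName)"
}

# Any sign-in by this account should be treated as an incident until explained: list the last 7 days.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
Get-MgAuditLogSignIn -Filter "userId eq '$($bg.Id)' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, @{n='Result'; e={ $_.Status.ErrorCode }} |
    Format-Table
```

Run it on a schedule so a later policy edit that silently drops the exclusion is caught before the account is needed; the sign-in listing is the same data you would wire into an alert rule.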