How to create break glass account in M365 tenant? What are the best practices and what all are the prerequisites for the same?

Vinod Survase 4,726

How to create break glass account in M365 tenant? What are the best practices and what all are the prerequisites for the same? I have gone through this document but its bit not clear as I created account and its still required MFA but as per this document we should not use Azure AD MFA and we should use different form of authentication which is outside the M365 tenant or may be third party solution. https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access Can anyone help here and make this clear?

Sandeep G-MSFT 16,696 Reputation points Microsoft Employee

2023-05-02T06:15:12.73+00:00

@Vinod Survase

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

2 answers

Andy David - MVP 145.6K Reputation points MVP

2023-04-12T14:58:05.52+00:00

Hi, you need to exclude the BreakGlass from MFA. That is required in case MFA is somehow broken or the other Admins in your tenant do not have access to their devices. Excluding from MFA means authentication is by password only, so secure the credentials and ensure they are complex so it cant be easily guessed. If you are monitoring signins, be sure to monitor and report any usage by this account as well.

https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies
Please sign in to rate this answer.

1 person found this answer helpful.
Vinod Survase 4,726 Reputation points

2023-04-13T08:36:25.3066667+00:00

Thanks for answering on this @Andy David - MVP . Could you please share the steps to create as I have gone through this document shared but I am not able to make that account MFA free. What role or privilege's are required to make that happen? As I can see when I try to remove that user from company wide group it says you don't have enough privileges'
Sign in to comment
Andy David - MVP 145.6K Reputation points MVP

2023-04-13T11:19:23.62+00:00

Hi, use an existing Global Admin Account and follow these steps: https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#how-to-create-an-emergency-access-account Then exclude this new account from your conditional access policy under users in the policy that enforces MFA: Add the breakglass account here
Please sign in to rate this answer.

1 person found this answer helpful.
Vinod Survase 4,726 Reputation points

2023-04-13T12:19:22.6333333+00:00

Thanks for reply @Andy David - MVP I will check this and let you know.

Vinod Survase 4,726 Reputation points

2023-04-13T13:02:05.63+00:00

I tried removing that account from all the CA policies but still its asking for MFA registration while login in. Can you guide me on this? @Andy David - MVP

Andy David - MVP 145.6K Reputation points MVP

2023-04-13T13:05:11.3833333+00:00

If the MFA registration policy is set to all users, you will need to exclude that account from it as well: https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-mfa-policy#policy-configuration

Vinod Survase 4,726 Reputation points

2023-04-13T17:27:20.11+00:00

Hi @Andy David - MVP , I have made the changes as per above shared docs but still its not working as expected. What else is missing or need to make changes? Can you help me on this?

Andy David - MVP 145.6K Reputation points MVP

2023-04-15T18:29:12.1766667+00:00

How long did you wait? What do the Azure sign in logs show for the break glass account? Is there a conditional access policy enforcing MFA or per user? You can't exclude MFA if using the Azure Security Defaults

JamesTran-MSFT 36,541 Reputation points Microsoft Employee

2023-04-19T19:52:37.12+00:00

@Vinod Survase

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Vinod Survase 4,726 Reputation points

2023-04-20T09:48:45.5766667+00:00

@Andy David - MVP I have excluded this account from all CA policies plus MFA is not enabled on this account. The solution which I got from MS engineer is that I should complete the MFA registration process first and then it will not ask for any MFA when I am trying to signing in next time.
Sign in to comment

Share via

How to create break glass account in M365 tenant? What are the best practices and what all are the prerequisites for the same?

2 answers