How to disable SSPR for Breakglass accounts when SSPR is required for admin role?

KimYunek-2481 0 Reputation points
2024-02-05T18:48:44.6433333+00:00

Hello. I am trying to set up Breakglass accounts per MS instructions; however, I am confused. One section says that I should ensure the accounts do not have SSPR enabled, but it appears to be enabled by default for administrators via the notice showing on the Password Reset policy. Is this because I have not fully transitioned to using the new authentication methods policy or authentication strengths policy?
I don't have the option where the AI-generated instructions say to "Create new policy" - I am a Global Admin.


2 answers

  1. Q&A Assist
    2024-02-05T18:48:44.6466667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To disable SSPR for Breakglass accounts when SSPR is required for admin role, you can create a separate authentication policy for Breakglass accounts and disable SSPR for that policy. This way, the Breakglass accounts will not have SSPR enabled, but the admin accounts will still have SSPR enabled as required.

    Here are the steps to create a separate authentication policy for Breakglass accounts and disable SSPR for that policy:

    1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
    2. Browse to Authentication methods > Policies.
    3. Click the + New policy button.
    4. Give the policy a name, like "Breakglass Policy".
    5. Under the Self service password reset section, select None to disable SSPR for this policy.
    6. Under the Users section, select the Breakglass accounts that you want to apply this policy to.
    7. Click Create to save the policy.

    After creating the policy, the Breakglass accounts will not have SSPR enabled, but the admin accounts will still have SSPR enabled as required.


  2. Vasil Michev 90,631 Reputation points MVP
    2024-02-06T08:35:34.1033333+00:00

    You need to do two things: make sure the account is excluded from the "standard" SSPR policy and toggle off the SSPR requirement for admins. The latter is done by toggling the allowedToUseSSPR setting (which is specific to admins) on the authorization policy: https://learn.microsoft.com/en-us/graph/api/resources/authorizationpolicy?view=graph-rest-1.0 . Unfortunately, this does affect all admin accounts.
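The authorizationPolicy toggle from the answer above, as an added worked example that is not part of this thread or of Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph` and `Invoke-MgGraphRequest` from the Microsoft.Graph.Authentication module) against the `policies/authorizationPolicy` singleton, reads the current value first, only then turns the setting off, and re-reads it to confirm. The `Policy.ReadWrite.Authorization` scope and the hashtable body format are assumptions about the SDK rather than something stated on this page.

```powershell
# Added example, not code from the thread: read and then disable the
# tenant-wide allowedToUseSSPR setting on the Graph authorizationPolicy.
# Assumes the Microsoft.Graph.Authentication module is installed and the
# signed-in admin can consent to Policy.ReadWrite.Authorization.

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

$uri = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# 1. Check the current value before changing anything.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri
"allowedToUseSSPR before: $($policy.allowedToUseSSPR)"

# 2. Turn off the admin SSPR requirement. As the answer notes, this is
#    tenant-wide and applies to every admin account, not only break-glass ones.
if ($policy.allowedToUseSSPR -eq $true) {
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ allowedToUseSSPR = $false }
}

# 3. Re-read and fail loudly if the change did not land.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($after.allowedToUseSSPR -ne $false) {
    throw "allowedToUseSSPR is still $($after.allowedToUseSSPR); PATCH did not apply"
}
"allowedToUseSSPR after: $($after.allowedToUseSSPR)"
```

This covers only the second of the two steps in the answer. The first step, keeping the break-glass accounts out of the "standard" SSPR scope, is the group selection under Password reset > Properties in the Entra admin center; confirm that the break-glass accounts are not members (directly or transitively) of whatever group is selected there, since the authorization policy change alone does not remove them from that scope.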