Share via

How to disabled SSPR for Breakglass accounts when SSPR is required for admin role?

KimYunek-2481 0 Reputation points
2024-02-05T18:48:44.6433333+00:00

Hello. I am trying to setup Breakglass accounts per MS instructions however, I am confused. One section says that I should ensure the accounts do not have SSPR enabled but it appears to be enabled by default for administrators via notice showing on Password Reset policy. Is this because I have not fully transitioned to using the new authentication methods policy or authentication strengths policy?
I don't have an option where the AI generated instructions say to "Create new policy" - I am a Global Admin.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,630 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

  2. Vasil Michev 100.2K Reputation points MVP
    2024-02-06T08:35:34.1033333+00:00

    You need to do two things: make sure the account is excluded from the "standard" SSPR policy and toggle off the SSPR requirement for admins. The latter is done by toggling the allowedToUseSSPR setting (which is specific to admins) on the authorization policy: https://learn.microsoft.com/en-us/graph/api/resources/authorizationpolicy?view=graph-rest-1.0 Unfortunately, this does affect all admin accounts.