How to exclude emergency/break the glass account from MFA

Linda Renate Andersen 66 Reputation points
2020-12-03T22:21:16.923+00:00

Hi,

We've created a Break the glass account which is excluded from all MFA-related Conditional Access Policies, but I'm still prompted with MFA when I try to log in. I tried to log in and set up MFA, and then delete the authentication method after, but that did not work. Any advice?

Microsoft Entra ID

Accepted answer
  1. JamesTran-MSFT 36,371 Reputation points Microsoft Employee
    2020-12-07T23:20:26.95+00:00

    @Linda Renate Andersen
    Thank you for the details! I tried to replicate your issue by creating the same CA policy you mentioned for Administrators and All Users, I'll post my steps below.

    1. Created a test user with Global Admin permissions.

    2. Created a CA policy with the same exact specifications as you mentioned except I included all Admin directory roles.

    3. Signed in with a user that was excluded from my CA policy and one that wasn't.

    I also noticed that I forgot to add "device platform: Any device", which I selected at the end and was able to log in without MFA for my one excluded user. Additionally, I removed Global Admin permissions and selected "all users" within my CA and was still able to log in.

    If you'd like our Support Engineers to take a close look into your environment, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


3 additional answers

Sort by: Most helpful
  1. Vasil Michev 95,341 Reputation points MVP
    2020-12-04T08:15:19.777+00:00

  2. Admin Alain Diaz Quesada 26 Reputation points
    2023-01-25T11:47:18.45+00:00

    I solved this issue like this:

    I have the same scenario as you: no "Security defaults" because we use CA as well.

    But I noticed we had an SSPR (Self Service Password Reset) policy and I had assigned a dynamic group to this policy. Since this group is dynamic, my break glass account was falling into this group, so I adjusted the parameters of the dynamic group so the break glass account was no longer a member of it, and guess what, I no longer get the interrupt process to choose an authentication method.

    I figured it all out after reading this:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined#interrupt-mode


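The two causes discussed in this thread (a CA policy that still includes the break-glass account, and a dynamic group that silently pulls it into an SSPR/registration assignment) can both be audited from PowerShell. The script below is an added example, not code from any poster or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, and the UPN is a placeholder you replace with your own account.

```powershell
# Added example: audit why a break-glass account is still being prompted for MFA.
# Assumes the Microsoft Graph PowerShell SDK; $BreakGlassUpn is a placeholder value.
param([string]$BreakGlassUpn = 'btg@contoso.example')

Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','Group.Read.All','Directory.Read.All' | Out-Null

$user     = Get-MgUser -UserId $BreakGlassUpn -Property Id,UserPrincipalName
$memberOf = Get-MgUserMemberOf -UserId $user.Id -All

# Groups and directory roles the account currently holds (roles are matched by template id,
# which is what a CA policy stores in IncludeRoles/ExcludeRoles).
$groupIds        = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
                     ForEach-Object Id)
$roleTemplateIds = @($memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
                     ForEach-Object { $_.AdditionalProperties['roleTemplateId'] })

# 1) Enabled CA policies that require MFA and still apply to the account (no matching exclusion).
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    if ($p.GrantControls.BuiltInControls -notcontains 'mfa') { continue }
    $u = $p.Conditions.Users
    $included = ($u.IncludeUsers -contains 'All') -or
                ($u.IncludeUsers -contains $user.Id) -or
                (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0) -or
                (@($u.IncludeRoles  | Where-Object { $roleTemplateIds -contains $_ }).Count -gt 0)
    $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
    if ($included -and -not $excluded) {
        Write-Warning "CA policy '$($p.DisplayName)' requires MFA and does NOT exclude $BreakGlassUpn"
    }
}

# 2) Dynamic groups the account has fallen into (the SSPR-assignment case from this thread).
foreach ($gid in $groupIds) {
    $g = Get-MgGroup -GroupId $gid -Property Id,DisplayName,GroupTypes,MembershipRule
    if ($g.GroupTypes -contains 'DynamicMembership') {
        Write-Warning "Dynamic group '$($g.DisplayName)' includes the account via rule: $($g.MembershipRule)"
    }
}
```

Any warning from the first loop means the exclusion is incomplete; a warning from the second loop names the dynamic group whose rule needs tightening so the account drops out of it.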

  3. Linda Renate Andersen 66 Reputation points
    2020-12-04T19:14:37.347+00:00

    Hi! Thank you for taking the time to respond.
    Security Default is disabled as we are using CA policies.

    The following pictures are what I see after I type in the log in credentials.


    Our CA policies:

    Require MFA for administrators

    • User and groups (include: 23 selected directory roles / exclude: BTG account)
    • Cloud apps and actions (all cloud apps)
    • Conditions (client apps: all 4 options are chosen / device platform: Any device)
    • Grant (Grant access: Require MFA)

    Require MFA for all users

    • Users and groups: (include: all users / exclude: BTG account)
    • Cloud apps and actions (all cloud apps)
    • Conditions (client apps: all 4 options are chosen)
    • Grant (Grant access: Require MFA)

    I have been following Microsoft documentation on emergency accounts and CA policies.