How to exclude emergency/break the glass account from MFA

Linda Renate Andersen 61 Reputation points
2020-12-03T22:21:16.923+00:00

Hi,

We've created a Break the glass account which is excluded from all MFA-related Conditional Access policies, but I'm still prompted for MFA when I try to log in. I tried to log in and set up MFA, and then delete the authentication method after, but that did not work. Any advice?


Accepted answer
  1. JamesTran-MSFT 26,616 Reputation points Microsoft Employee
    2020-12-07T23:20:26.95+00:00

    @Linda Renate Andersen
    Thank you for the details! I tried to replicate your issue by creating the same CA policy you mentioned for Administrators and All Users, I'll post my steps below.

    1. Created a test user with Global Admin permissions.

    2. Created a CA policy with the same exact specifications as you mentioned except I included all Admin directory roles.

    3. Signed in with a user that was excluded from my CA policy and one that wasn't.

    I also noticed that I forgot to add "device platform: Any device", which I selected at the end and was able to log in without MFA for my one excluded user. Additionally, I removed Global Admin permissions and selected "all users" within my CA and was still able to log in.

    If you'd like our Support Engineers to take a close look into your environment, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


3 additional answers

  1. Vasil Michev 61,911 Reputation points Microsoft MVP
    2020-12-04T08:15:19.777+00:00

  2. Linda Renate Andersen 61 Reputation points
    2020-12-04T19:14:37.347+00:00

    Hi! Thank you for taking the time to respond.
    Security Default is disabled as we are using CA policies.

    The following pictures are what I see after I type in the login credentials:

    [screenshots not reproduced]

    Our CA policies:

    Require MFA for administrators

    • Users and groups (include: 23 selected directory roles / exclude: BTG account)
    • Cloud apps and actions (all cloud apps)
    • Conditions (client apps: all 4 options are chosen / device platform: Any device)
    • Grant (Grant access: Require MFA)

    Require MFA for all users

    • Users and groups: (include: all users / exclude: BTG account)
    • Cloud apps and actions (all cloud apps)
    • Conditions (client apps: all 4 options are chosen)
    • Grant (Grant access: Require MFA)

    We have been following Microsoft documentation on emergency accounts and CA policies.
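The two policies listed above are the kind of thing that is easy to misread in the portal, so here is an added audit script (my own example, not code from the thread or from Microsoft) that enumerates every enabled Conditional Access policy requiring MFA and reports whether the break-glass account is excluded from each one, either directly or through an excluded group. It assumes the Microsoft Graph PowerShell SDK is installed and the caller has Policy.Read.All and Directory.Read.All; the UPN is a placeholder to replace with the real account.

```powershell
# Added example: audit Conditional Access MFA policies for a break-glass exclusion.
# Assumes Microsoft.Graph PowerShell SDK; scopes Policy.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" -NoWelcome

$btgUpn = "btg-admin@example.onmicrosoft.com"   # placeholder: the break-glass account's UPN
$btg = Get-MgUser -UserId $btgUpn -Property Id, UserPrincipalName

# Groups the account belongs to, directly or nested, so group-based exclusions are honoured.
$btgGroupIds = @(Get-MgUserTransitiveMemberOf -UserId $btg.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' } |
    ForEach-Object { $_.Id })

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    # Report-only and disabled policies do not block sign-in; skip them.
    if ($p.State -ne 'enabled') { continue }

    # "Require MFA" is either the built-in 'mfa' control or an authentication strength.
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                   [bool]$p.GrantControls.AuthenticationStrength.Id
    if (-not $requiresMfa) { continue }

    $u = $p.Conditions.Users
    $excludedDirectly = $u.ExcludeUsers -contains $btg.Id
    $excludedViaGroup = @($u.ExcludeGroups | Where-Object { $btgGroupIds -contains $_ }).Count -gt 0

    # Note: exclusions by directory role (ExcludeRoles) are not evaluated here;
    # Microsoft's emergency-account guidance is to exclude the account itself.
    [pscustomobject]@{
        Policy           = $p.DisplayName
        ExcludedDirectly = $excludedDirectly
        ExcludedViaGroup = $excludedViaGroup
        Gap              = -not ($excludedDirectly -or $excludedViaGroup)
    }
}

# Any row with Gap = True is an MFA policy that still applies to the break-glass account.
$findings | Sort-Object Gap -Descending | Format-Table -AutoSize
```

If every MFA policy shows Gap = False and the prompt still appears, the prompt is not coming from Conditional Access at all, which is the situation the rest of this thread ends up diagnosing.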


  3. Admin Alain Diaz Quesada 21 Reputation points
    2023-01-25T11:47:18.45+00:00

    I solved this issue like this:

    I have the same scenario as you: no "Security defaults" because we use CA as well.

    But I noticed we had an SSPR (Self Service Password Reset) policy and I had assigned a dynamic group to this policy. Since this group is dynamic, my break glass account was falling into this group, so I adjusted the parameters of the dynamic group so the break glass account was no longer a member of it, and guess what, I no longer get the interrupt process to choose an authentication method.

    I figured it all out after reading this:

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-registration-mfa-sspr-combined#interrupt-mode

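The answer above points at the actual mechanism: the combined registration interrupt fires for any user in SSPR scope who has not registered the required methods, and a Conditional Access exclusion does nothing about it. As an added example (my own, not code from this thread or from Microsoft), the script below lists every dynamic group the break-glass account has landed in, with the membership rule that captured it, and then reads the account's registration status to see whether Azure AD considers it SSPR-enabled. It assumes the Microsoft Graph PowerShell SDK with Directory.Read.All, AuditLog.Read.All and UserAuthenticationMethod.Read.All; the UPN is a placeholder.

```powershell
# Added example: find out why a break-glass account is being pulled into SSPR scope.
# Assumes Microsoft.Graph PowerShell SDK; scopes below are the ones the Reports and
# Directory cmdlets need.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

$btgUpn = "btg-admin@example.onmicrosoft.com"   # placeholder: the break-glass account's UPN
$btg = Get-MgUser -UserId $btgUpn -Property Id, UserPrincipalName

# 1. Every group the account belongs to (direct or nested), resolved to full group objects
#    so we can see the membership type and, for dynamic groups, the rule.
$groups = Get-MgUserTransitiveMemberOf -UserId $btg.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' } |
    ForEach-Object {
        Get-MgGroup -GroupId $_.Id -Property Id, DisplayName, GroupTypes, MembershipRule
    }

$dynamic = @($groups | Where-Object { $_.GroupTypes -contains 'DynamicMembership' })

"Dynamic groups containing $($btg.UserPrincipalName): $($dynamic.Count)"
# The MembershipRule column shows which clause (e.g. a broad 'user.accountEnabled -eq true')
# is sweeping the emergency account in.
$dynamic | Select-Object DisplayName, MembershipRule | Format-Table -Wrap

# 2. Registration status as Azure AD reports it for this account.
#    IsSsprEnabled = true means the account is inside the SSPR scope, so the combined
#    registration interrupt will keep appearing until enough methods are registered.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $btg.Id
[pscustomobject]@{
    IsSsprEnabled    = $reg.IsSsprEnabled
    IsSsprRegistered = $reg.IsSsprRegistered
    IsMfaRegistered  = $reg.IsMfaRegistered
} | Format-List
```

The fix that keeps the account usable during an outage is the one the answer describes: tighten the dynamic rule (or scope SSPR to an assigned group) so the break-glass account is not SSPR-enabled, rather than registering authentication methods on an account that exists precisely for when those methods are unavailable.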