25,222 questions
You can configure anything for the breakglass accounts really. They dont know they are breakglass haha
Now is it acceptable or recommended? meh. if the TOTP works for your architecture, why not?
MFA for Break-Glass Accounts
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 41%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Sonal Singh
20
Reputation points
I have a break-glass/emergency account in my Azure tenant, and according to the mandatory MFA rollout guidelines, MFA should be enabled for all accounts, including those used in break-glass scenarios. While Azure recommends using FIDO2 or CBA for such accounts, we prefer not to adopt either approach. Does anyone know if TOTP-based authentication can be configured for break-glass accounts, and whether it would be considered valid/acceptable in this scenario?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
3 answers
Sort by: Most helpful
-
-
Jose Benjamin Solis Nolasco 3,511 Reputation points2025-02-25T20:30:04.0466667+00:00 In my case I prefer to have a FIDO2 key or two pair stored secure in case something happens
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 51%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator2025-02-26T06:22:15.8066667+00:00 Hi @Sonal Singh
You can configure TOTP-based authentication for break-glass accounts. But these accounts must be registered with strong authentication methods, such as passkey (FIDO2) or configure certificate-based authentication for MFA.
Make sure it doesn't use the same authentication methods as your other administrative accounts. For example, if your normal administrator account uses the Microsoft Authenticator app for strong authentication, use a FIDO2 security key for your emergency accounts. Consider the dependencies of various authentication methods, to avoid adding external requirements into the authentication process.
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click
`Accept Answer`and`Yes`.-
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2025-02-27T04:00:35.6666667+00:00 Hi @Sonal Singh
Following up to see if the above answer was helpful. If this answers your query, do clickAccept AnswerandYes, if you have any further query do let us know. -
Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
2025-02-28T09:06:21.6733333+00:00 Hi @Sonal Singh
Following up to see if the above answer was helpful. If this answers your query, do clickAccept AnswerandYes, if you have any further query do let us know.
Sign in to comment -