MFA for Break-Glass Accounts

Sonal Singh 20 Reputation points
2025-02-25T18:36:07.9366667+00:00

I have a break-glass/emergency account in my Azure tenant, and according to the mandatory MFA rollout guidelines, MFA should be enabled for all accounts, including those used in break-glass scenarios. While Azure recommends using FIDO2 or CBA for such accounts, we prefer not to adopt either approach. Does anyone know if TOTP-based authentication can be configured for break-glass accounts, and whether it would be considered valid/acceptable in this scenario?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Andy David - MVP 157.8K Reputation points
    2025-02-25T20:26:35.4866667+00:00

    You can configure anything for the breakglass accounts really. They don't know they are breakglass, haha.

    Now, is it acceptable or recommended? Meh. If the TOTP works for your architecture, why not?


  2. Jose Benjamin Solis Nolasco 3,511 Reputation points
    2025-02-25T20:30:04.0466667+00:00

    In my case I prefer to have a FIDO2 key or two, stored securely, in case something happens.


  3. Bandela Siri Chandana 3,055 Reputation points Microsoft External Staff Moderator
    2025-02-26T06:22:15.8066667+00:00

    Hi @Sonal Singh

    You can configure TOTP-based authentication for break-glass accounts. But these accounts must be registered with strong authentication methods, such as a passkey (FIDO2) or certificate-based authentication for MFA.

    Make sure it doesn't use the same authentication methods as your other administrative accounts. For example, if your normal administrator account uses the Microsoft Authenticator app for strong authentication, use a FIDO2 security key for your emergency accounts. Consider the dependencies of the various authentication methods, to avoid adding external requirements into the authentication process.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click `Accept Answer` and `Yes`.
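
The three points in the moderator's answer (register a strong method, keep the break-glass methods distinct from the other admin accounts, watch for external dependencies) can be checked mechanically against what is actually registered on the accounts. The script below is an added example written for this page; it is not from the thread, from Microsoft, or from any Microsoft library. It only assumes the JSON shape returned by Microsoft Graph's `GET /users/{id}/authentication/methods` endpoint (a `value` list whose objects carry an `@odata.type`). The sample responses are constructed, and the grouping of "external dependency" methods is this example's own assumption, not a Microsoft classification.

```python
"""Added example: check the MFA methods registered on a break-glass account.

The sample responses below are constructed to match the shape of
GET https://graph.microsoft.com/v1.0/users/{id}/authentication/methods
(a "value" list of objects carrying an "@odata.type"); nothing here calls Graph.
"""
from typing import Iterable

# @odata.type values used by Microsoft Graph for registered authentication methods.
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"
CBA = "#microsoft.graph.x509CertificateAuthenticationMethod"
TOTP = "#microsoft.graph.softwareOathAuthenticationMethod"
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
PHONE = "#microsoft.graph.phoneAuthenticationMethod"
EMAIL = "#microsoft.graph.emailAuthenticationMethod"

PHISHING_RESISTANT = {FIDO2, CBA}
# Methods whose second factor depends on something outside the tenant and the
# key in the safe: carrier SMS/voice, push delivery to a phone, a mailbox.
# This grouping is this example's assumption, not a Microsoft classification.
EXTERNAL_DEPENDENCY = {PHONE, AUTHENTICATOR, EMAIL}


def registered_methods(response: dict) -> set[str]:
    """Extract the @odata.type of every method in a Graph authentication/methods response."""
    return {m.get("@odata.type", "") for m in response.get("value", [])}


def assess_break_glass(break_glass: dict, other_admins: Iterable[dict]) -> dict:
    """Compare a break-glass account's methods with those of the other admin accounts.

    Returns the facts the thread's guidance turns on: is there a second factor at all,
    is a phishing-resistant method among them, which methods are shared with the
    day-to-day admin accounts, and which ones pull in an external dependency.
    """
    bg = registered_methods(break_glass) - {PASSWORD}  # every account has a password
    admins: set[str] = set()
    for response in other_admins:
        admins |= registered_methods(response) - {PASSWORD}
    return {
        "has_second_factor": bool(bg),
        "has_phishing_resistant": bool(bg & PHISHING_RESISTANT),
        "totp_registered": TOTP in bg,
        "shared_with_admins": sorted(bg & admins),
        "external_dependencies": sorted(bg & EXTERNAL_DEPENDENCY),
    }


def findings(assessment: dict) -> list[str]:
    """Turn an assessment into review lines; an empty list means nothing to flag."""
    out = []
    if not assessment["has_second_factor"]:
        out.append("no second factor registered; account will fail a tenant-wide MFA requirement")
    if not assessment["has_phishing_resistant"]:
        out.append("no FIDO2/CBA method registered; TOTP or push is the only MFA path")
    if assessment["shared_with_admins"]:
        out.append("methods shared with regular admin accounts: "
                   + ", ".join(assessment["shared_with_admins"]))
    if assessment["external_dependencies"]:
        out.append("methods with external dependencies: "
                   + ", ".join(assessment["external_dependencies"]))
    return out


def sample_response(*types: str) -> dict:
    """Build a constructed Graph-shaped response from a list of @odata.type values."""
    return {"value": [{"@odata.type": t, "id": f"sample-{i}"} for i, t in enumerate(types)]}


# Constructed sample data (not real tenant output).
BREAK_GLASS_TOTP = sample_response(PASSWORD, TOTP)
BREAK_GLASS_FIDO2 = sample_response(PASSWORD, FIDO2)
REGULAR_ADMINS = [sample_response(PASSWORD, AUTHENTICATOR), sample_response(PASSWORD, PHONE)]
ADMINS_ALSO_ON_TOTP = REGULAR_ADMINS + [sample_response(PASSWORD, TOTP)]

if __name__ == "__main__":
    for label, account, admins in [
        ("TOTP-only break-glass", BREAK_GLASS_TOTP, REGULAR_ADMINS),
        ("TOTP break-glass, one admin also on TOTP", BREAK_GLASS_TOTP, ADMINS_ALSO_ON_TOTP),
        ("FIDO2 break-glass", BREAK_GLASS_FIDO2, REGULAR_ADMINS),
    ]:
        print(label)
        for line in findings(assess_break_glass(account, admins)) or ["nothing to flag"]:
            print("  -", line)
```

In a live tenant the two inputs would be the responses for the break-glass account and for each account holding a privileged role; the password method is dropped from the comparison because every cloud account carries one, so it says nothing about the second factor. The TOTP-only case passes the "has a second factor" check but is flagged for lacking a phishing-resistant method, which is exactly the distinction the moderator draws.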
