I have a break-glass/emergency account in my Azure tenant, and according to the mandatory MFA rollout guidelines, MFA should be enabled for all accounts, including those used in break-glass scenarios. While Azure recommends using FIDO2 or CBA for such accounts, we prefer not to adopt either approach. Does anyone know if TOTP-based authentication can be configured for break-glass accounts, and whether it would be considered valid/acceptable in this scenario?
You can configure anything for the break-glass accounts, really. They don't know they are break-glass, haha.
Now, is it acceptable or recommended? Meh. If TOTP works for your architecture, why not?
In my case I prefer to have a FIDO2 key or two, stored securely, in case something happens.
Hi @Sonal Singh
You can configure TOTP-based authentication for break-glass accounts. But these accounts must be registered with strong authentication methods, such as passkeys (FIDO2), or configure certificate-based authentication for MFA.
Make sure it doesn't use the same authentication methods as your other administrative accounts. For example, if your normal administrator account uses the Microsoft Authenticator app for strong authentication, use a FIDO2 security key for your emergency accounts. Consider the dependencies of various authentication methods, to avoid adding external requirements into the authentication process.
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click `Accept Answer` and `Yes`.
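The two conditions in the answer above (the emergency account carries a phishing-resistant method, and it shares no method type with the everyday administrator accounts) can be checked from the method list that Microsoft Graph returns for a user. The following is an added example, not code from the thread or from Microsoft: it takes the `value` array of `GET /users/{id}/authentication/methods` and reports which condition fails. The `@odata.type` strings are the ones Graph uses for each registered method; the three payloads are constructed for the example and the `id` values are placeholders, not values from any tenant.

```python
"""Check a break-glass account's registered MFA methods against two rules:
(1) it has a phishing-resistant method (FIDO2 passkey or certificate-based),
(2) it shares no MFA method type with everyday admin accounts.

Input shape: the "value" array returned by Microsoft Graph
GET /users/{id}/authentication/methods. Sample payloads are constructed.
"""

# Graph @odata.type values for phishing-resistant methods.
STRONG_TYPES = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.x509CertificateAuthenticationMethod",
}

# The password entry is always present and is not an MFA method by itself.
NON_MFA_TYPES = {
    "#microsoft.graph.passwordAuthenticationMethod",
}


def method_types(methods):
    """Set of MFA method types registered on the account (password excluded)."""
    return {m["@odata.type"] for m in methods} - NON_MFA_TYPES


def assess_breakglass(breakglass_methods, admin_methods):
    """Return a list of findings; an empty list means both rules hold."""
    bg = method_types(breakglass_methods)
    admin = method_types(admin_methods)
    findings = []
    if not bg:
        findings.append("break-glass account has no MFA method registered")
    if not bg & STRONG_TYPES:
        findings.append(
            "break-glass account has no phishing-resistant method (FIDO2 or CBA)"
        )
    shared = bg & admin
    if shared:
        findings.append(
            "break-glass shares method types with admin accounts: "
            + ", ".join(sorted(shared))
        )
    return findings


# Constructed sample: break-glass account registered with TOTP only.
BREAKGLASS_TOTP_ONLY = [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "constructed-pw-1"},
    {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod", "id": "constructed-totp-1"},
]

# Constructed sample: break-glass account with two FIDO2 keys, as the answer suggests.
BREAKGLASS_FIDO2 = [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "constructed-pw-2"},
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "constructed-key-1"},
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethod", "id": "constructed-key-2"},
]

# Constructed sample: an everyday admin using Authenticator plus a TOTP app.
EVERYDAY_ADMIN = [
    {"@odata.type": "#microsoft.graph.passwordAuthenticationMethod", "id": "constructed-pw-3"},
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod", "id": "constructed-auth-1"},
    {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethod", "id": "constructed-totp-2"},
]


if __name__ == "__main__":
    for label, methods in (("TOTP-only", BREAKGLASS_TOTP_ONLY), ("FIDO2", BREAKGLASS_FIDO2)):
        findings = assess_breakglass(methods, EVERYDAY_ADMIN)
        print(f"{label}: {'OK' if not findings else findings}")
```

Run as-is the TOTP-only account fails both rules (no phishing-resistant method, and it overlaps with the admin's TOTP registration), while the FIDO2 account passes; swap in the real `value` array from Graph to check a live tenant.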