Hey everyone! I just got a notification that Microsoft is making MFA mandatory for all admin portals. I've got conditional access set up for all my admin accounts, but this new rule states that it will override any existing conditional access policies. The message also mentions that break glass accounts must now adhere to these MFA requirements. I always thought break glass accounts were there for emergency access when everything else fails. How do you handle MFA for your break glass accounts?
5 Answers
You’re right, that could complicate things significantly!
In theory, it seems like you could leave MFA unconfigured on the break glass account. Then, when the time comes to use it, you’d just set up MFA right then. But doesn’t that kind of defeat the purpose of the break glass access when you'd be setting up authentication on the fly?
Here's what we did: Our team is fully remote, so we don’t set up MFA on our break glass accounts. When we actually need to use them, we just set up MFA then. Once the recovery is finished, we reset the MFA on the account to keep it accessible without hassle.
Actually, that makes a lot of sense, thanks for sharing!
Absolutely, break glass accounts need to have MFA configured now. Accessing any of the portals, like Entra or Azure, without MFA is off the table. Using secure options like Passkeys or YubiKeys can help. Just remember that if you use certificate-based authentication, make sure the certificates are up-to-date, or you might find your account unusable when you really need it. It’s also good practice to set up alerts for any activity on these accounts and to regularly test them to ensure they still function correctly.
Yeah, it’s definitely recommended to secure your break glass account. We went with a YubiKey for hardware security, and also configured email and SMS alerts so we can monitor when it's used. It's crucial for tracking any changes in conditional access policies too!
We do the same—storing hardware tokens in separate locations for extra security is key.
That’s a risky approach.
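One way to implement the alerting and regular-testing advice from the answers above, as an added example that is not part of the original thread. It assumes sign-in records exported as one JSON object per line, with field names from the Microsoft Graph signIn resource. The account names, the 90-day test interval and the sample records are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Hypothetical break glass UPNs and test interval (assumptions, not from the thread).
BREAK_GLASS = {"bg1@example.com", "bg2@example.com"}
MAX_TEST_AGE = timedelta(days=90)

# Constructed sample sign-in records, one JSON object per line.
SAMPLE_LOG = """\
{"createdDateTime":"2025-01-10T08:15:00Z","userPrincipalName":"BG1@example.com","ipAddress":"203.0.113.7","appDisplayName":"Azure Portal","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2025-03-02T09:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.4","appDisplayName":"Azure Portal","authenticationRequirement":"multiFactorAuthentication","status":{"errorCode":0}}
{"createdDateTime":"2025-03-05T02:41:00Z","userPrincipalName":"bg2@example.com","ipAddress":"192.0.2.55","appDisplayName":"Azure Portal","authenticationRequirement":"singleFactorAuthentication","status":{"errorCode":50126}}
"""

def parse_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-01-10T08:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_sign_ins(log_text, now):
    """Return (alerts, stale): every break glass sign-in, and accounts not proven working recently."""
    alerts, last_ok = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in BREAK_GLASS:
            continue  # ordinary user, not of interest here
        when = parse_time(rec["createdDateTime"])
        success = rec.get("status", {}).get("errorCode") == 0
        alerts.append({
            "upn": upn, "time": when, "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"), "success": success,
            "mfa": rec.get("authenticationRequirement") == "multiFactorAuthentication",
        })
        if success:
            last_ok[upn] = max(last_ok.get(upn, when), when)
    # No recent successful sign-in means the account is untested and may fail when needed.
    stale = sorted(u for u in BREAK_GLASS
                   if u not in last_ok or now - last_ok[u] > MAX_TEST_AGE)
    return alerts, stale

if __name__ == "__main__":
    alerts, stale = review_sign_ins(SAMPLE_LOG, datetime(2025, 3, 10, tzinfo=timezone.utc))
    for a in alerts:
        print("ALERT", a["time"].isoformat(), a["upn"], a["ip"], a["app"],
              "ok" if a["success"] else "FAILED", "mfa" if a["mfa"] else "no-mfa")
    print("Untested or stale:", stale)
```

Failed attempts are alerted on as well as successes, since any use of a break glass account outside a planned test deserves a look.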