I'm transitioning to Conditional Access from Security defaults in Entra ID next week and I'm finalizing my break glass account setup. I have a couple of questions:

1. I've set up a password and a FidoKey for the account, but every time I try to sign in with both, Microsoft prompts me to verify my identity by downloading the authenticator app. Is this a normal requirement even with Fido authentication in place?
2. Once I switch to Conditional Access policies, should I create an MFA policy specifically for the break glass account to only require the FidoKey for authentication? Or should I fully exempt the break glass account from all policies?
3 Answers
You're seeing that because the MFA registration policy is enforcing Authenticator setup, which may be set to MS-Managed by default. You should exempt your break glass account from these settings. Also, for your second question, I suggest creating a specific Conditional Access policy for your break glass account that only requires the FidoKey. It would keep your account secure while ensuring it won't be affected by normal login policies.
Just to clarify, that enrollment campaign is part of the Authentication Methods and is not linked to Conditional Access. You can choose to disable the campaign or exclude your break glass account from it. Also, for security reasons, I would recommend not exempting the break glass account from Conditional Access entirely; instead, create a more stringent policy that limits access to just the FidoKey. This will help maintain a higher level of security.
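The first two answers both land on the same design: exclude the break glass account from the ordinary policies and give it one dedicated policy that only accepts the FIDO key. The script below is an added example (not code from any answer or from Microsoft) that checks an exported set of policies against that design. It assumes the policy JSON shape returned by Microsoft Graph, a break glass user id and role ids you supply, and the built-in "Phishing-resistant MFA" authentication strength id; the sample policies are constructed.

```python
# Offline audit of Conditional Access policies exported from Microsoft Graph
# (GET /identity/conditionalAccess/policies); only the fields used below matter.
# Group-based targeting (includeGroups) is not resolved here, since membership
# needs a directory lookup; check those policies by hand.

# Built-in "Phishing-resistant MFA" authentication strength (assumed id; confirm via
# GET /identity/conditionalAccess/authenticationStrength/policies in your tenant).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"


def audit_break_glass(policies, break_glass_id, dedicated_name, role_ids=()):
    """Return findings as strings; an empty list means the setup matches the advice."""
    findings, dedicated = [], None
    for p in policies:
        if p.get("state") != "enabled":
            continue  # disabled and report-only policies never block a sign-in
        users = p.get("conditions", {}).get("users", {})
        include = users.get("includeUsers", [])
        targeted = ("All" in include or break_glass_id in include
                    or set(role_ids) & set(users.get("includeRoles", [])))
        if p.get("displayName") == dedicated_name:
            dedicated = p
            strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
            if break_glass_id not in include:
                findings.append(f"{dedicated_name!r} does not target the break-glass account")
            if strength.get("id") != PHISHING_RESISTANT_MFA:
                findings.append(f"{dedicated_name!r} does not require phishing-resistant MFA")
        elif targeted and break_glass_id not in users.get("excludeUsers", []):
            findings.append(f"{p.get('displayName')!r} applies to the break-glass account")
    if dedicated is None:
        findings.append(f"no enabled policy named {dedicated_name!r}")
    return findings


# Constructed sample data, not a real tenant. The role id is the well-known Global
# Administrator template id, which a break-glass account usually holds.
BREAK_GLASS_ID = "11111111-2222-3333-4444-555555555555"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "Break glass - FIDO2 only", "state": "enabled",
     "conditions": {"users": {"includeUsers": [BREAK_GLASS_ID], "excludeUsers": []}},
     "grantControls": {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}},
]
```

On the sample data `audit_break_glass(SAMPLE_POLICIES, BREAK_GLASS_ID, "Break glass - FIDO2 only", [GLOBAL_ADMIN_ROLE])` reports only the admin-role policy: a policy scoped by directory role still catches a break glass account that nothing excludes, which is the usual way these accounts get locked out.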
It's actually a best practice to keep the password for your break glass account stored offline to avoid tenant lockout. Ideally, having at least two accounts for this purpose is recommended. It sounds like you have 2FA set up. Still, Microsoft may require the authenticator due to their MFA registration policy for new setups. Have you considered making sure your break glass account is separately targeted in the policy settings?