Hey everyone,
Microsoft is rolling out a policy that requires all admins to use multifactor authentication (MFA) when accessing the Microsoft admin portals. I was able to extend this requirement until the end of September, but it has left a lot of us confused at work. Since there are no exclusions allowed, I'm wondering what to do about our break glass accounts that ideally shouldn't need MFA. Any suggestions on how to navigate this situation would be really appreciated!
6 Answers
I recommend using multiple MFA methods for break glass accounts. One could be authenticated through a certificate and another through a phone call from Microsoft. That way, you're covered in case one method fails.
Absolutely, break glass accounts should have MFA too. Just make sure you use different methods like a physical key, SMS, or an authentication app to avoid being locked out. You can exclude them from conditional access policies, which is key.
It's a good idea to add an MFA method to your break glass accounts. Keep these accounts exempt from your other conditional access policies, but make sure they’ve got at least one method of MFA. I’d recommend using a YubiKey and storing it securely in the company safe. That way, it’s accessible when you really need it!
Totally agree! Just ensure someone always knows the safe code so you’re not left hanging when it’s needed most.
We’ve implemented YubiKeys for our break glass accounts along with Sentinel alerts to notify us of any unauthorized access attempts. Plus, we have a third-party SOC monitoring 24/7. It’s a solid setup for peace of mind!
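A small detection check to go with the Sentinel-style alerting this answer describes, added here as an example and not the poster's own setup: it runs over constructed records in the shape of Entra sign-in log entries and flags every attempt (success or failure) by a break-glass account, escalating a successful single-factor sign-in. The account names, IP addresses and log records are assumed sample data.

```python
import json
from dataclasses import dataclass

# Hypothetical break-glass UPNs; substitute your tenant's emergency access accounts.
BREAK_GLASS_UPNS = {"bg-admin-01@contoso.onmicrosoft.com", "bg-admin-02@contoso.onmicrosoft.com"}

# Constructed sample records, shaped like Entra sign-in log entries (Graph signIn fields).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@contoso.onmicrosoft.com", "createdDateTime": "2024-09-02T08:01:00Z",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bg-admin-01@contoso.onmicrosoft.com", "createdDateTime": "2024-09-02T09:15:00Z",
     "ipAddress": "203.0.113.44", "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "BG-Admin-02@contoso.onmicrosoft.com", "createdDateTime": "2024-09-02T11:40:00Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bg-admin-02@contoso.onmicrosoft.com", "createdDateTime": "2024-09-02T11:42:00Z",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
])


@dataclass
class Finding:
    upn: str
    when: str
    ip: str
    success: bool
    mfa_satisfied: bool
    severity: str


def triage_signins(raw_json: str, break_glass=BREAK_GLASS_UPNS) -> list:
    """Return one Finding per sign-in attempt, successful or not, by a break-glass account."""
    watched = {u.lower() for u in break_glass}  # UPNs are case-insensitive
    findings = []
    for rec in json.loads(raw_json):
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in watched:
            continue
        success = rec.get("status", {}).get("errorCode", 0) == 0
        mfa = rec.get("authenticationRequirement") == "multiFactorAuthentication"
        # Any use of a break-glass account should page someone; a successful
        # single-factor sign-in means the account was reachable with the password alone.
        severity = "critical" if success and not mfa else "high"
        findings.append(Finding(upn, rec.get("createdDateTime", "?"),
                                rec.get("ipAddress", "?"), success, mfa, severity))
    return findings
```

The same predicate (UPN in the break-glass set, regardless of result) is what you would express as a Sentinel analytics rule over the sign-in table, with the single-factor success case raised to the highest severity.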
Refer to this Microsoft guide for handling emergency access: [Emergency Access Documentation](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access). It outlines good practices for safeguarding these accounts.
If you have accounts that shouldn't require MFA, this might be a good time to reevaluate their necessity. It’s wise to have MFA in place before the mandatory enforcement starts, or consider deleting those accounts altogether.
Just get a couple of YubiKeys and store them securely. It's worth it for the added security!