I'm seeking advice on whether to set up multi-factor authentication (MFA) for our emergency accounts in Entra. We've established two emergency accounts with OTP and two Yubikeys configured for MFA. However, our current MFA conditional access policies exclude these emergency accounts as per Microsoft's guidance. While I'll be implementing login alerts, I'm feeling uneasy about not enforcing MFA on accounts that have Global Administrator access. Is this truly the best practice?
5 Answers
You should really think about whether MFA would still work when you need to use the emergency account. That’s the critical point to consider here.
I’ve noticed you already have MFA with OTP and Yubikeys. Personally, I'd suggest sticking with just the Yubikeys and dropping the OTP for better security.
In my experience, any account with elevated privileges should definitely have two-factor authentication. Remember, Microsoft won’t be responsible if your account gets compromised.
Consider setting up the accounts to work exclusively with Yubikeys—meaning no OTP or password required. By ensuring a physical token is mandatory for login, the lack of MFA might not pose a significant risk.
The Microsoft guidelines actually recommend against using MFA on those emergency accounts—just aim for a strong, complex password instead.
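As an added example (not code from the thread or from Microsoft), here is a Python check for the two controls the question and answers discuss: that every enabled MFA-enforcing Conditional Access policy excludes the break-glass accounts, and that any sign-in by those accounts raises an alert. Policy dicts follow the Microsoft Graph conditionalAccessPolicy shape; the account IDs, UPNs and sign-in rows are constructed sample data.

```python
# Constructed object IDs and UPNs standing in for the two emergency accounts.
BREAK_GLASS_IDS = {"11111111-0000-0000-0000-000000000001",
                   "11111111-0000-0000-0000-000000000002"}
BREAK_GLASS_UPNS = {"bg-admin-1@contoso.example", "bg-admin-2@contoso.example"}

# Constructed policies in Graph conditionalAccessPolicy shape (as exported
# from /identity/conditionalAccess/policies). The second one is misconfigured.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": sorted(BREAK_GLASS_IDS)}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["block"]}},
]

def policies_missing_exclusion(policies, break_glass_ids):
    """Names of enabled MFA-enforcing policies that do not exclude every
    break-glass account. A disabled or report-only policy cannot lock the
    accounts out, so only state == "enabled" is audited."""
    missing = []
    for p in policies:
        if p.get("state") != "enabled":
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if "mfa" not in controls:
            continue
        excluded = set(p["conditions"]["users"].get("excludeUsers", []))
        if not break_glass_ids <= excluded:
            missing.append(p["displayName"])
    return missing

# Constructed sign-in rows shaped like SigninLogs columns.
SIGNINS = [
    {"TimeGenerated": "2024-05-01T02:14:00Z", "ResultType": "0",
     "UserPrincipalName": "bg-admin-1@contoso.example", "IPAddress": "203.0.113.7"},
    {"TimeGenerated": "2024-05-01T09:00:00Z", "ResultType": "0",
     "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.4"},
    {"TimeGenerated": "2024-05-01T11:30:00Z", "ResultType": "50126",
     "UserPrincipalName": "bg-admin-2@contoso.example", "IPAddress": "203.0.113.9"},
]

def break_glass_signin_alerts(signins, break_glass_upns):
    """Every sign-in attempt by a break-glass account, successful or not, is
    alert-worthy: these accounts should only ever be used in an emergency."""
    return [f"{s['TimeGenerated']} {s['UserPrincipalName']} from "
            f"{s['IPAddress']} result={s['ResultType']}"
            for s in signins if s["UserPrincipalName"].lower() in break_glass_upns]
```

Run the first function against a real export of your policies and the second against SigninLogs rows; an empty list from the first and an empty list from the second outside a declared emergency is the expected steady state.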