Microsoft recently announced that multifactor authentication (MFA) will be compulsory for all users accessing services like the Azure portal, Entra admin center, Intune admin center, and M365 Admin center. This raises a concern regarding break glass accounts that have previously been exempt from MFA to maintain access during any MFA-related issues. I'm feeling a bit overwhelmed and haven't done a deep dive into this matter, so I'm looking for advice on how to manage these accounts moving forward.
4 Answers
Glad you found the info helpful! It's definitely a tricky situation with the new MFA enforcement.
You'll want to add FIDO keys to your break glass accounts. That way, you can still have a secure way to access these accounts even with the new MFA rules in place. Check out this guide for setting up emergency access accounts: learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access#create-emergency-access-accounts
In response to your concern about break glass accounts needing MFA, you typically would enable MFA for these accounts, often using FIDO2 keys for added security. Here’s a link that details how to manage emergency access admin accounts: learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access?WT.mc_id=studentamb_165290
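As an added example (not from any answer in this thread), here is a Microsoft Graph PowerShell audit that lists the registered authentication methods on each break-glass account and flags any account that has no FIDO2 key or that still relies on a phone method. The account UPNs are placeholders, and it assumes the Microsoft.Graph SDK is installed and the caller has the read permissions requested below.

```powershell
# Added audit script, not part of the original thread.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin can consent to the read-only scopes below.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'User.Read.All'

# Placeholder UPNs: replace with your tenant's emergency access accounts.
$breakGlassAccounts = @(
    'emergency-admin-1@contoso.onmicrosoft.com',
    'emergency-admin-2@contoso.onmicrosoft.com'
)

$fido2Type = '#microsoft.graph.fido2AuthenticationMethod'
$phoneType = '#microsoft.graph.phoneAuthenticationMethod'

$results = foreach ($upn in $breakGlassAccounts) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop

    # Each registered method carries its concrete type in @odata.type,
    # which is where the SDK exposes it (AdditionalProperties).
    $methods = @(Get-MgUserAuthenticationMethod -UserId $user.Id)
    $fido2   = @($methods | Where-Object { $_.AdditionalProperties['@odata.type'] -eq $fido2Type })
    $phone   = @($methods | Where-Object { $_.AdditionalProperties['@odata.type'] -eq $phoneType })

    # FAIL: MFA enforcement will lock this account out (or force registration
    #       at the worst possible moment). WARN: SMS/voice is a weak fallback
    #       for an account that holds Global Administrator.
    $status = if ($fido2.Count -eq 0) { 'FAIL: no FIDO2 key registered' }
              elseif ($phone.Count -gt 0) { 'WARN: phone method present' }
              else { 'OK' }

    [pscustomobject]@{
        Account      = $upn
        Fido2Keys    = $fido2.Count
        PhoneMethods = $phone.Count
        TotalMethods = $methods.Count
        Status       = $status
    }
}

$results | Format-Table -AutoSize
```

Run it after registering the keys and again on a schedule, since a key that is unregistered or lost silently turns the account back into one that cannot satisfy the new MFA requirement.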
One option you could consider is generating a different type of TOTP (Time-based One-Time Password) and saving the QR code along with the password. This provides an additional layer of security while keeping your break glass options available.
Also, if you want to ensure that 2FA is always available for your break glass accounts, consider using the snipping tool to save the QR code when you enroll. If your device gets lost, you'll still have a quick way to set up 2FA again by scanning that saved QR code with a different device.