The FIDO 2 / for break glass does not suit. Geographically dispersed orgs now need to have multiple things just when they need it most. A massive unique password is still reasonably secure if the account is monitored diligently. Doing what you suggest means we'd likely need more break glass accounts - which fights with other MS security pillars. You guys really need to up your field work before pushing these edicts, and always include the option for specific account exclusions. Absolutely push us to the modern best practices, and highlight when we are not following them in tenancies, but surely risks are for businesses to evaluate and own the consequences of. This is a continuing trend of practices that just don't really work as blanket settings - phishing-resistant MFA only for admins being another, when some tools you produce still don't support it and Graph still doesn't have all the cmdlets SOC analysts and Infra engineers need.