MicrosoftI open a support case with Microsoft, and their response was this:
In the following public documentation https://urldefense.com/v3/__https:/learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access*exclude-at-least-one-account-from-phone-based-multifactor-authentication__;Iw!!EGtZ4yWgLN1DuA_s!7NSfETkfjLMNLARL82mVFCkf3V8RdOBPT1pccuU3VMFXX7uAPL58tLcGBWfGvb21gzW-Xn92AylYS_62G3XD4hVwfGnz8ONylS78$
states that:
"…Microsoft Entra ID recommends that you require multifactor authentication for all individual users. This group includes administrators and all others.."
In this same article, immediately below, it states: "…at least one of your emergency access accounts shouldn't have the same multifactor authentication mechanism as your other non-emergency accounts."
In conclusion: all accounts (even "break-glass" accounts) will be required to have multifactor Authentication (no option for exclusion).
We decided to configured FIDO2 for our breakglass account.
