Microsoft has done a great job by releasing security defaults; however, they lack the ability to exclude a single emergency access account. As described at https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access, one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA. This is similar to the built-in Administrator account in traditional Active Directory. Without the ability to exclude a single account, most organizations without AAD P1 licensing will simply leave security defaults turned off. If we want fine-grained exclusions or multiple emergency access accounts, it would then make sense to purchase AAD P1 licenses and configure Conditional Access. I've created a feedback suggestion here - https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/39425896-exclude-emergency-access-account-from-security-def
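For the Conditional Access route mentioned above, here is an added audit example (not from the post or from Microsoft) that checks whether an emergency access account is excluded from every enforced policy. The policy list and the account object id are constructed to resemble the Microsoft Graph conditionalAccess policy schema; group, role and other condition scoping is deliberately ignored, which is an assumption of this simplified check.

```python
"""Audit Conditional Access policies for an emergency access (break-glass) account."""
import json

# Constructed sample resembling the Graph conditionalAccess policy schema.
# Assumption: only displayName, state, users and grantControls are inspected.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["00000000-0000-0000-0000-00000000aaaa"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
  {"displayName": "Report-only pilot", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")

BREAK_GLASS_ID = "00000000-0000-0000-0000-00000000aaaa"  # constructed placeholder object id


def policies_covering_account(policies, account_id):
    """Return names of enforced policies that would still apply to account_id.

    A policy applies when 'All' or the account is in includeUsers and the
    account is not in excludeUsers. Group/role scoping is ignored (assumption).
    """
    hits = []
    for p in policies:
        if p.get("state") != "enabled":
            continue  # report-only or disabled policies never block a sign-in
        users = p.get("conditions", {}).get("users", {})
        included = users.get("includeUsers", [])
        excluded = users.get("excludeUsers", [])
        if ("All" in included or account_id in included) and account_id not in excluded:
            hits.append(p["displayName"])
    return hits


def audit(policies, account_id):
    """Map each policy that still catches the break-glass account to its grant controls."""
    by_name = {p["displayName"]: p["grantControls"]["builtInControls"] for p in policies}
    return {name: by_name[name] for name in policies_covering_account(policies, account_id)}


if __name__ == "__main__":
    for name, controls in audit(SAMPLE_POLICIES, BREAK_GLASS_ID).items():
        print(f"NOT EXCLUDED: {name!r} applies {controls} to the emergency access account")
```

With real data, feed the function the `value` array returned by the Graph endpoint for Conditional Access policies instead of the constructed sample.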