Forum Discussion

schiachris's avatar
schiachris
Copper Contributor
Apr 28, 2026
Solved

MFA required for Global Admin without Conditional Access or PIM enforcement

Hi,

I'm analyzing a break-glass account scenario in Microsoft Entra ID and would like to validate a behavior I'm observing.

The account:

Has Global Administrator role (permanent assignment)
Is excluded from all Conditional Access policies (fully validated)
Is excluded from Authentication Methods policies and MFA Registration Campaign (fully validated)
Has no per-user MFA enabled (disabled)
PIM is not enforcing MFA (role is permanently active, no activation required)
Security Defaults are disabled
SSPR is not enforcing MFA

All configurable sources that could require MFA have been reviewed and fully ruled out.

However, when signing into Microsoft Admin Portals (Entra/Azure), MFA is still required and cannot be skipped.

In Sign-in logs:

Conditional Access → Not Applied
Authentication Details show:
"MFA required in Azure AD"
"App requires multifactor authentication"

Additionally, there is a Microsoft-managed policy:
"Multifactor authentication for admins accessing Microsoft Admin Portals"
but it is in Report-only mode.

Question:
Is Microsoft Entra ID enforcing MFA automatically for privileged roles (like Global Administrator) in admin portals, even when no Conditional Access or PIM policy requires it?

And if so, is there any supported way to fully exclude a break-glass account from this behavior?

Thanks in advance.

  • I believe this is yes, Entra ID is enforcing mandatory MFA for ALL privileged accounts when accessing admin portals, regardless of Conditional Access or PIM configuration. This is part of Microsoft’s phased rollout of mandatory MFA enforcement across Azure and Microsoft 365 admin portals, and there is no supported way to fully exclude a break-glass account from this behavior.

2 Replies

  • This can be expected now, even when Conditional Access, per-user MFA, Security Defaults, and PIM are not the source.

    Microsoft has been enforcing mandatory MFA for access to Azure/Entra/admin portals as a platform requirement. That enforcement can appear in sign-in logs as not coming from your Conditional Access policies because it is not your tenant-authored CA policy.

    For a break-glass account, I would not try to make it completely MFA-free for admin portal access. The safer pattern is:

    1. Keep at least two emergency access accounts.
    2. Exclude them from normal Conditional Access policies that could lock you out.
    3. Use strong, phishing-resistant authentication where possible, such as FIDO2/security keys or certificate-based auth.
    4. Store credentials and recovery process securely offline.
    5. Monitor sign-ins for those accounts and test the process periodically.

    If you need proof of the source, check the sign-in log details for authentication requirement, authentication methods used, and any “Microsoft-managed” or platform-enforced MFA wording. If the account is a Global Admin going to Microsoft admin portals, tenant exclusions may not remove this requirement.

    Docs:
    https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication
    https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access

  • I believe this is yes, Entra ID is enforcing mandatory MFA for ALL privileged accounts when accessing admin portals, regardless of Conditional Access or PIM configuration. This is part of Microsoft’s phased rollout of mandatory MFA enforcement across Azure and Microsoft 365 admin portals, and there is no supported way to fully exclude a break-glass account from this behavior.