Forum Discussion
MFA required for Global Admin without Conditional Access or PIM enforcement
- Apr 30, 2026
I believe this is yes, Entra ID is enforcing mandatory MFA for ALL privileged accounts when accessing admin portals, regardless of Conditional Access or PIM configuration. This is part of Microsoft’s phased rollout of mandatory MFA enforcement across Azure and Microsoft 365 admin portals, and there is no supported way to fully exclude a break-glass account from this behavior.
This can be expected now, even when Conditional Access, per-user MFA, Security Defaults, and PIM are not the source.
Microsoft has been enforcing mandatory MFA for access to Azure/Entra/admin portals as a platform requirement. That enforcement can appear in sign-in logs as not coming from your Conditional Access policies because it is not your tenant-authored CA policy.
For a break-glass account, I would not try to make it completely MFA-free for admin portal access. The safer pattern is:
- Keep at least two emergency access accounts.
- Exclude them from normal Conditional Access policies that could lock you out.
- Use strong, phishing-resistant authentication where possible, such as FIDO2/security keys or certificate-based auth.
- Store credentials and recovery process securely offline.
- Monitor sign-ins for those accounts and test the process periodically.
If you need proof of the source, check the sign-in log details for authentication requirement, authentication methods used, and any “Microsoft-managed” or platform-enforced MFA wording. If the account is a Global Admin going to Microsoft admin portals, tenant exclusions may not remove this requirement.
Docs:
https://learn.microsoft.com/entra/identity/authentication/concept-mandatory-multifactor-authentication
https://learn.microsoft.com/entra/identity/role-based-access-control/security-emergency-access