Forum Discussion
AAD Break Glass Account: Hardware key & MFA
Hi,
We need to set up two GA break glass accounts in Azure AD. Just read this article: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
It says "However, at least one of your emergency access accounts should not have the same multi-factor authentication mechanism as your other non-emergency accounts. This includes third-party multi-factor authentication solutions."
We use authenticator app on mobile phones for MFA in the organization.
Two questions:
1. Should both break glass accounts have MFA? Or only username and password <-- seems insecure?
2. Is a FIDO2 security key an option for MFA in Azure AD? I only see it as a replacement for the password, but that does not provide the account with MFA? (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
5 Replies
- Chandrasekhar_Arya, Steel Contributor
If it's a break glass account, I would suggest using MFA. Refer to this article that provides best practices, but the suggestion there is to exclude it from MFA.
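A check that goes with this advice, added here and not part of the thread or of Microsoft's own tooling: given the tenant's Conditional Access policies, confirm that every enabled policy lists both break glass accounts under its user exclusions. The account object IDs and the sample policy objects are constructed placeholders; in a real tenant the policies would come from Get-MgIdentityConditionalAccessPolicy in the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the thread). Verifies that every enabled Conditional Access
# policy excludes the break glass accounts. Object IDs below are constructed placeholders.
$BreakGlassIds = @(
    'PLACEHOLDER-OBJECT-ID-BREAKGLASS-1',   # placeholder: break glass account 1
    'PLACEHOLDER-OBJECT-ID-BREAKGLASS-2'    # placeholder: break glass account 2
)

function Test-BreakGlassExclusion {
    param(
        [Parameter(Mandatory)] $Policies,              # objects shaped like Graph conditionalAccessPolicy
        [Parameter(Mandatory)] [string[]] $AccountIds  # break glass account object IDs
    )
    foreach ($p in $Policies) {
        # Disabled and report-only policies enforce nothing, so they are skipped.
        if ($p.State -ne 'enabled') { continue }
        $excluded = @($p.Conditions.Users.ExcludeUsers)
        $missing  = @($AccountIds | Where-Object { $_ -notin $excluded })
        [pscustomobject]@{
            Policy  = $p.DisplayName
            Ok      = ($missing.Count -eq 0)
            Missing = ($missing -join ', ')
        }
    }
}

# Constructed sample policies standing in for Get-MgIdentityConditionalAccessPolicy output.
# The second one lacks the exclusion and is flagged.
$SamplePolicies = @(
    [pscustomobject]@{ DisplayName = 'Require MFA for all users'; State = 'enabled'
        Conditions = [pscustomobject]@{ Users = [pscustomobject]@{ IncludeUsers = @('All'); ExcludeUsers = $BreakGlassIds } } },
    [pscustomobject]@{ DisplayName = 'Block legacy authentication'; State = 'enabled'
        Conditions = [pscustomobject]@{ Users = [pscustomobject]@{ IncludeUsers = @('All'); ExcludeUsers = @() } } }
)

Test-BreakGlassExclusion -Policies $SamplePolicies -AccountIds $BreakGlassIds | Format-Table -AutoSize

# Against a real tenant (requires the Microsoft.Graph module):
#   Connect-MgGraph -Scopes 'Policy.Read.All'
#   Test-BreakGlassExclusion -Policies (Get-MgIdentityConditionalAccessPolicy -All) -AccountIds $BreakGlassIds
```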
- Deleted
What kind of MFA? Is a hardware key an option in Azure AD, recommended for break glass?
- Chandrasekhar_Arya, Steel Contributor
Maybe not. I have suggested using Microsoft MFA with phone as an option to send SMS, but there are some customers who don't like to have MFA for the break glass account and would rather use a 26-58 character password.
- Trevor_Rusher, Community Manager
Hey Niklas, I have moved your post to the dedicated Azure AD Board where you're more likely to get an answer. Cheers!