Forum Discussion
Deleted
Dec 07, 2021
AAD Break Glass Account: Hardware key & MFA
Hi, we need to set up two GA break glass accounts in Azure AD. Just read this article: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access It says "However, a...
Chandrasekhar_Arya
Dec 10, 2021 Steel Contributor
If it's a break glass account, I would suggest using MFA. Refer to this article, which provides best practices but suggests excluding it from MFA.
Deleted
Dec 13, 2021
What kind of MFA? Is a hardware key an option in Azure AD, and is it recommended for break glass?
- Chandrasekhar_Arya Dec 13, 2021 Steel Contributor
Maybe not. I have suggested using Microsoft MFA with phone as an option to send SMS, but there are some customers who don't like to have MFA for break glass accounts and would rather use a 26-58 character password.
- alschneiter Dec 13, 2021 Copper Contributor
Hi Niklask, there was a recent change on that topic.
Before, it was not recommended to use MFA for emergency (Break Glass) accounts, but certainly to monitor logins using Sentinel or alert rules. In the newer docs article, there is a recommendation not to use the same MFA factor. But still monitor the logins.
https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
Also make sure to exclude at least one account from all Conditional Access policies and to disable per-user MFA (anyway, if Conditional Access is in place).
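The exclusion requirement in the post above is easy to get wrong when a new Conditional Access policy is added later without the break glass accounts in its exclusion list. The following PowerShell script is an added example, not code from the thread or from Microsoft's article: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules) to check that every Conditional Access policy in the tenant lists each break glass account in its ExcludeUsers set. The two UPNs are placeholders.

```powershell
# Added example (not from the thread): audit that the break glass accounts are
# excluded from every Conditional Access policy, via the Microsoft Graph
# PowerShell SDK. The UPNs below are placeholders; replace them with your own.
# Requires: Install-Module Microsoft.Graph (Users and Identity.SignIns modules).

$BreakGlassUpns = @(
    'bg-admin-01@contoso.onmicrosoft.com',   # placeholder UPN
    'bg-admin-02@contoso.onmicrosoft.com'    # placeholder UPN
)

# Read-only scopes are enough for an audit.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' -NoWelcome

# Conditional Access stores users by object ID, so resolve each UPN first.
$BreakGlassIds = @{}
foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
    $BreakGlassIds[$user.Id] = $user.UserPrincipalName
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
$findings = @()

foreach ($policy in $policies) {
    # Disabled and report-only policies do not block sign-in today, but a
    # report-only policy can be switched on later, so they are audited too.
    $excluded = @($policy.Conditions.Users.ExcludeUsers)
    $missing  = @($BreakGlassIds.Keys | Where-Object { $excluded -notcontains $_ })

    if ($missing.Count -gt 0) {
        $findings += [PSCustomObject]@{
            Policy  = $policy.DisplayName
            State   = $policy.State
            Missing = ($missing | ForEach-Object { $BreakGlassIds[$_] }) -join ', '
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "All $($policies.Count) Conditional Access policies exclude every break glass account."
} else {
    Write-Warning "Break glass account(s) missing from ExcludeUsers in $($findings.Count) policy(ies):"
    $findings | Format-Table -AutoSize
}
```

Run this on a schedule or after every policy change. One caveat: the script only checks direct user exclusions. If you exclude the break glass accounts through a group (the policy's ExcludeGroups list), extend the check to resolve that group's membership, otherwise a correctly configured policy will be reported as a finding.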