Forum Discussion
Anonymous
Dec 07, 2021
AAD Break Glass Account: Hardware key & MFA
Hi, We need to set up two GA break glass accounts in Azure AD. Just read this article: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access It says "However, a...
Chandrasekhar_Arya
Dec 13, 2021
Steel Contributor
Maybe not. I have suggested using Microsoft MFA with a phone as the option to send SMS, but there are some customers who don't like to have MFA on a break glass account and would rather use a 26-58 character password.
alschneiter
Dec 13, 2021
Copper Contributor
Hi Niklask, there was a recent change on that topic.
Before, it was not recommended to use MFA for emergency (Break Glass) accounts, but it was certainly recommended to monitor their logins using Sentinel or alert rules. In the newer docs article, there is a recommendation not to use the same MFA factor. But still monitor the login.
https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
Also make sure to exclude at least one account from all Conditional Access policies and to disable per-user MFA (which you should do anyway if Conditional Access is in place).
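The advice above, to keep the emergency-access accounts excluded from every Conditional Access policy, is easy to get wrong once a tenant has dozens of policies, because an exclusion is per policy and a new policy created later will not carry it. The following script is an added example, not code from the thread or from the linked Microsoft article. It uses the Microsoft.Graph PowerShell SDK (Get-MgUser, Get-MgIdentityConditionalAccessPolicy, Get-MgGroupMember) to list every enabled or report-only policy that does not exclude the break-glass accounts, either directly or through an excluded group. The two UPNs are placeholders you would replace with your own.

```powershell
# Added example: audit Conditional Access exclusions for break-glass accounts.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the two UPNs below are
# placeholders; the caller has Policy.Read.All, User.Read.All and GroupMember.Read.All.

$BreakGlassUpns = @('bg-admin1@contoso.onmicrosoft.com', 'bg-admin2@contoso.onmicrosoft.com')

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All'

# CA policies store object IDs, not names, so resolve the UPNs first.
$breakGlass = foreach ($upn in $BreakGlassUpns) {
    $u = Get-MgUser -UserId $upn -Property Id, UserPrincipalName
    [pscustomobject]@{ Upn = $u.UserPrincipalName; Id = $u.Id }
}

# Expand each excluded group once and cache the member IDs (direct members only;
# nested groups are not flattened here).
$script:GroupMemberCache = @{}
function Get-ExcludedGroupMemberIds([string[]]$GroupIds) {
    foreach ($gid in $GroupIds) {
        if (-not $script:GroupMemberCache.ContainsKey($gid)) {
            $script:GroupMemberCache[$gid] = @(Get-MgGroupMember -GroupId $gid -All |
                Select-Object -ExpandProperty Id)
        }
        $script:GroupMemberCache[$gid]
    }
}

# Report-only policies are checked as well: they are usually switched on later
# without anyone revisiting the exclusion list.
$policies = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.State -ne 'disabled' }

$findings = foreach ($p in $policies) {
    $users    = $p.Conditions.Users
    $excluded = @($users.ExcludeUsers) + @(Get-ExcludedGroupMemberIds $users.ExcludeGroups)
    foreach ($acct in $breakGlass) {
        if ($excluded -notcontains $acct.Id) {
            [pscustomobject]@{
                Policy  = $p.DisplayName
                State   = $p.State
                Account = $acct.Upn
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Break-glass accounts are NOT excluded from the following policies:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'Every enabled or report-only Conditional Access policy excludes the break-glass accounts.'
}
```

Run it interactively after a sign-in with a reader role; it makes no changes. It flags a policy even when that policy's include scope would not currently reach the accounts, which matches the thread's advice of excluding the accounts from all policies rather than reasoning about each one. It does not check the per-user MFA setting mentioned above, which is a separate control and is not part of the Conditional Access policy object.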