Forum Discussion

saulov8
Nov 26, 2025

Break-glass Account Prompted for Authenticator App Despite Exclusions

We have a break-glass account configured with two FIDO2 security keys as the only authentication method.
The account is:

  • Excluded from Microsoft Authenticator in Authentication Methods policy
    • Also, the included target is a dynamic group that includes all users but the break-glass account.
  • Excluded from the MFA Registration Campaign
    • Also, the included target is a dynamic group that includes all users but the break-glass account.
  • Excluded from all Conditional Access policies

However, whenever we test the account, it still gets prompted to set up the Microsoft Authenticator app during sign-in. We can skip the setup, but ideally, the prompt should not appear for this account.

How can we prevent the Authenticator setup prompt entirely for this break-glass account?

2 Replies

    rogerval
    Copper Contributor

    There are a few different services that can trigger the registration prompt besides the Authentication Methods policy. In particular, the combined SSPR/MFA registration experience and security defaults can still require a second factor even if a FIDO2 key is configured. For break‑glass accounts Microsoft recommends disabling security defaults and SSPR, and excluding the account from any registration campaigns, authentication strength policies or per‑user MFA settings. You can do this via Entra ID → Protection → Authentication methods → Password reset: create a custom policy and add your break‑glass group as an exclusion. Also double‑check that the account isn’t enabled for per‑user MFA in the legacy portal. Vasil’s link summarises the other features that can trigger MFA registration; it’s worth checking each one. Once those are addressed you shouldn’t see the Authenticator app prompt when signing in with your FIDO2 keys.
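An added audit script (not from the thread or from Microsoft) that checks the triggers the reply lists for one account: the Authenticator method configuration and registration campaign targets, security defaults, the legacy per-user MFA state, and the methods actually registered. It assumes the Microsoft.Graph PowerShell SDK, an admin with the read scopes used below, and that the beta `authentication/requirements` endpoint is available; `$BreakGlassUpn` is a placeholder. SSPR scope is not exposed through these calls and still needs the portal check described above.

```powershell
# Added audit script, not from the thread. Assumes the Microsoft.Graph PowerShell SDK and an admin
# with the read scopes below; $BreakGlassUpn is a placeholder. SSPR scope is not exposed here;
# check it in the portal as the reply describes.
param([string]$BreakGlassUpn = "breakglass@contoso.example")   # placeholder value

Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","GroupMember.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome
$g = "https://graph.microsoft.com/v1.0"
$user = Invoke-MgGraphRequest -Method GET -Uri "$g/users/$BreakGlassUpn" -OutputType PSObject

# True when a target list covers the user: the all_users sentinel, or a group the user belongs to.
function Test-TargetsUser([array]$Targets, [string]$UserId) {
    if (-not $Targets) { return $false }
    if ($Targets.id -contains 'all_users') { return $true }
    $groupIds = @($Targets | Where-Object { $_.targetType -eq 'group' -and $_.id -ne 'all_users' } | ForEach-Object { $_.id })
    # checkMemberGroups resolves transitive membership; it accepts up to 20 group ids per call
    for ($i = 0; $i -lt $groupIds.Count; $i += 20) {
        $body = @{ groupIds = @($groupIds[$i..([Math]::Min($i + 19, $groupIds.Count - 1))]) } | ConvertTo-Json
        $hit = Invoke-MgGraphRequest -Method POST -Uri "$g/users/$UserId/checkMemberGroups" -Body $body -ContentType 'application/json' -OutputType PSObject
        if ($hit.value.Count -gt 0) { return $true }
    }
    return $false
}

$findings = @()
$policy = Invoke-MgGraphRequest -Method GET -Uri "$g/policies/authenticationMethodsPolicy" -OutputType PSObject

# 1. Authenticator method configuration: the account is in scope when included and not excluded
$auth = $policy.authenticationMethodConfigurations | Where-Object { $_.id -eq 'MicrosoftAuthenticator' }
if ($auth.state -eq 'enabled' -and (Test-TargetsUser $auth.includeTargets $user.id) -and
    -not (Test-TargetsUser $auth.excludeTargets $user.id)) { $findings += "Authenticator method policy targets the account" }

# 2. Registration campaign (the sign-in nudge to set up Authenticator)
$camp = $policy.registrationEnforcement.authenticationMethodsRegistrationCampaign
if ($camp.state -ne 'disabled' -and (Test-TargetsUser $camp.includeTargets $user.id) -and
    -not (Test-TargetsUser $camp.excludeTargets $user.id)) { $findings += "Registration campaign targets the account" }

# 3. Security defaults apply tenant-wide and require Authenticator registration
$sd = Invoke-MgGraphRequest -Method GET -Uri "$g/policies/identitySecurityDefaultsEnforcementPolicy" -OutputType PSObject
if ($sd.isEnabled) { $findings += "Security defaults are enabled" }

# 4. Legacy per-user MFA state (beta endpoint; assumption: available in your tenant)
$req = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/users/$($user.id)/authentication/requirements" -OutputType PSObject
if ($req.perUserMfaState -ne 'disabled') { $findings += "Per-user MFA is '$($req.perUserMfaState)'" }

# 5. Registered methods: for this account expect only the password and FIDO2 keys
$methods = (Invoke-MgGraphRequest -Method GET -Uri "$g/users/$($user.id)/authentication/methods" -OutputType PSObject).value
"Registered methods: " + (($methods.'@odata.type' -replace '#microsoft.graph.', '' | Sort-Object -Unique) -join ', ')
if ($findings) { $findings | ForEach-Object { "TRIGGER: $_" } } else { "No registration trigger found for $BreakGlassUpn" }
```

Any `TRIGGER:` line points at a setting that still scopes the account and explains a persistent prompt; an empty result narrows the search to SSPR and the other features in Vasil's link.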
