Forum Discussion
Break-glass Account Prompted for Authenticator App Despite Exclusions
There are a few different services that can trigger the registration prompt besides the Authentication Methods policy. In particular, the combined SSPR/MFA registration experience and security defaults can still require a second factor even if a FIDO2 key is configured. For break‑glass accounts Microsoft recommends disabling security defaults and SSPR, and excluding the account from any registration campaigns, authentication strength policies or per‑user MFA settings.

You can do this via Entra ID → Protection → Authentication methods → Password reset: create a custom policy and add your break‑glass group as an exclusion. Also double‑check that the account isn’t enabled for per‑user MFA in the legacy portal. Vasil’s link summarises the other features that can trigger MFA registration; it’s worth checking each one. Once those are addressed you shouldn’t see the Authenticator app prompt when signing in with your FIDO2 keys.
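As an added example (not part of the post above, and not Microsoft's own tooling), the following PowerShell script audits a break‑glass account for the registration triggers the answer lists: registered methods, SSPR scope, legacy per‑user MFA state, registration‑campaign exclusions and security defaults. It uses the Microsoft Graph PowerShell SDK cmdlets as I know them; the `$BreakGlassUpn` and `$BreakGlassGroupId` values are placeholders, and the `/users/{id}/authentication/requirements` endpoint used for the per‑user MFA state is assumed to be available on the v1.0 API in your tenant.

```powershell
# Added example, not from the original post: read-only audit of a break-glass
# account for the MFA-registration triggers discussed above.
# Assumptions: Microsoft.Graph modules are installed; the signed-in admin has the
# listed read scopes; the two values below are placeholders to replace.
param(
    [string]$BreakGlassUpn     = 'breakglass@contoso.example',               # placeholder
    [string]$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'      # placeholder
)

Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All',
                        'Policy.Read.All','AuditLog.Read.All' -NoWelcome

$user     = Get-MgUser -UserId $BreakGlassUpn -Property Id,UserPrincipalName
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Registered methods: a FIDO2 key should be present on the account.
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id
$types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
if ($types -notcontains '#microsoft.graph.fido2AuthenticationMethod') {
    $findings.Add('No FIDO2 security key is registered on this account.')
}

# 2. Registration report: is the account still in scope for SSPR?
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $user.Id
if ($reg.IsSsprEnabled) {
    $findings.Add('Account is in scope for SSPR; exclude the break-glass group from the SSPR policy.')
}

# 3. Legacy per-user MFA state (disabled / enabled / enforced).
#    Assumption: the endpoint is exposed on v1.0; switch the URI to /beta/ if not.
$req = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$($user.Id)/authentication/requirements"
if ($req.perUserMfaState -ne 'disabled') {
    $findings.Add("Per-user MFA is '$($req.perUserMfaState)'; set it to disabled for break-glass accounts.")
}

# 4. Registration campaign in the Authentication methods policy: group must be an exclude target.
$policy   = Get-MgPolicyAuthenticationMethodPolicy
$campaign = $policy.RegistrationEnforcement.AuthenticationMethodsRegistrationCampaign
if ($campaign.State -ne 'disabled') {
    $excluded = $campaign.ExcludeTargets | Where-Object { $_.Id -eq $BreakGlassGroupId }
    if (-not $excluded) {
        $findings.Add('Registration campaign is active and the break-glass group is not excluded.')
    }
}

# 5. Security defaults override every exclusion above.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    $findings.Add('Security defaults are enabled; they force MFA registration regardless of exclusions.')
}

if ($findings.Count -eq 0) {
    "No registration triggers found for $($user.UserPrincipalName)."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it once before and once after you apply the exclusions; an empty findings list is the state in which a FIDO2 sign‑in should no longer be interrupted by the Authenticator registration prompt. Authentication strength policies are enforced through Conditional Access, so check those assignments in the portal separately.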