Forum Discussion
Break-glass Account Prompted for Authenticator App Despite Exclusions
- Nov 26, 2025
Did you exclude it from SSPR? This thread summarizes the possible reasons why an account is being prompted: https://learn.microsoft.com/en-us/answers/questions/645850/what-are-the-services-settings-that-can-cause-mfa
https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/microsoft-will-require-mfa-for-all-azure-users/4140391/replies/4143356#M6078
Yes, MFA is required for all Azure accounts and is outside the scope for Conditional Access token. You can set up a software token and set it up with CyberArk for getting the TOTP MFA token. Share the safe with the user who will have access to the break-glass account. Here is a link to that:
https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/psm-azure-cloudservicesmanagement.htm
The other way is to use a FIDO2 key (e.g. YubiKey).