Forum Discussion
MFA breakglass account recommendations?
Hi folks. Looking at the new Authentication Methods settings, and trying to consider the scenario where someone disables all of these methods by accident. We require MFA on all accounts (using the 'require MFA' param of Conditional Access). If these are all disabled, there's no MFA method available... Trying to think of ways around this, for that situation. Things I've considered - cert based auth, telephone auth, etc - all require the corresponding auth method to be enabled.
How should this be handled?
1 Reply
- TTAMungoBrass Contributor
You should still be able to configure MFA when they are excluded from CA Policies.
Microsoft recommends at least two cloud-only GA accounts, excluded from Conditional Access, secured with strong methods like FIDO2 keys. You still have access if MFA methods are accidentally disabled or CA is misconfigured - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
YubiKeys are generally the way to go.
Let me know if I didn't understand the question well and I'll try to give a better answer
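The reply above describes the emergency-access guidance in prose. The script below is an added example, written by the editor and not posted by either participant, that audits break-glass accounts against those points with the Microsoft Graph PowerShell SDK: each account is cloud-only (not synced from on-prem AD), is not targeted by any non-disabled Conditional Access policy (checked against direct user inclusion, group inclusion and role inclusion, and honouring user- and group-based exclusions), has at least one FIDO2 security key registered, and the FIDO2 method is itself enabled in the tenant's Authentication Methods policy, which is the failure the original question is worried about. The two UPNs are placeholders for your own accounts; the Graph scopes are the least-privileged read scopes for the calls made.

```powershell
# Added example, not from the original thread. Audits break-glass accounts against the
# Microsoft emergency-access recommendations cited above. Requires the Microsoft.Graph
# PowerShell SDK and an identity allowed to read CA policies, users and auth methods.
Connect-MgGraph -NoWelcome -Scopes 'Policy.Read.All', 'User.Read.All',
    'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All', 'RoleManagement.Read.Directory'

# Placeholder UPNs: replace with your actual break-glass accounts.
$breakGlassUpns = @(
    'bg-admin-01@contoso.onmicrosoft.com',
    'bg-admin-02@contoso.onmicrosoft.com'
)

# Report-only policies are kept: if someone flips them to enforced, the exclusion must already be there.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -ne 'disabled' }

# Tenant-wide Authentication Methods policy: the question's scenario is FIDO2 being switched off here.
$fido2Config = (Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations |
    Where-Object { $_.Id -eq 'Fido2' }

foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, OnPremisesSyncEnabled

    # Transitive memberships cover both groups and directory roles; CA policies target roles
    # by role template ID, so collect those separately from group object IDs.
    $memberOf  = Get-MgUserTransitiveMemberOf -UserId $user.Id -All
    $groupIds  = $memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
                 ForEach-Object { $_.Id }
    $roleTmpls = $memberOf | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
                 ForEach-Object { $_.AdditionalProperties['roleTemplateId'] }

    # 1. Cloud-only: a synced account dies with the on-prem directory it came from.
    $cloudOnly = -not $user.OnPremisesSyncEnabled

    # 2. Every active policy that targets this account must also exclude it, directly or via group.
    $stillTargeted = $policies | Where-Object {
        $u = $_.Conditions.Users
        $included = ($u.IncludeUsers -contains 'All') -or
                    ($u.IncludeUsers -contains $user.Id) -or
                    (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ })).Count -gt 0 -or
                    (@($u.IncludeRoles  | Where-Object { $roleTmpls -contains $_ })).Count -gt 0
        $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                    (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ })).Count -gt 0
        $included -and -not $excluded
    }

    # 3. Phishing-resistant credential present: at least one registered FIDO2 key.
    $fido2Keys = @(Get-MgUserAuthenticationFido2Method -UserId $user.Id)

    [pscustomobject]@{
        Account               = $user.UserPrincipalName
        CloudOnly             = $cloudOnly
        CaPoliciesStillApply  = ($stillTargeted.DisplayName -join '; ')   # empty string is the goal
        Fido2KeysRegistered   = $fido2Keys.Count
        Fido2MethodEnabled    = ($fido2Config.State -eq 'enabled')
    }
}
```

Run it from a scheduled job or as part of change review: a non-empty CaPoliciesStillApply column, a zero key count, or Fido2MethodEnabled turning false are the three conditions that would lock the emergency accounts out. Role-based targeting is only evaluated for permanently active role assignments; PIM-eligible roles do not appear in transitive memberships, which is another reason break-glass GAs should hold the role permanently.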