AAD Break Glass Account: Hardware key & MFA

Occasional Contributor

Hi,

We need to set up two GA break glass accounts in Azure AD. Just read this article: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access

 

It says "However, at least one of your emergency access accounts should not have the same multi-factor authentication mechanism as your other non-emergency accounts. This includes third-party multi-factor authentication solutions."

We use authenticator app on mobile phones for MFA in the organization.

 

Two questions:

1. Should both break glass accounts have MFA? Or only username and password <-- seems insecure?

2. Is FIDO2 security key an option for MFA in Azure AD? I only see it as an replacement for password, but that does not provide the account with MFA? (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...)

5 Replies
Hey Niklas, I have moved your post to the dedicated Azure AD Board where you're more likely to get an answer. Cheers!

if its a break glass account I would suggest to use MFA refer this article that provides best practices but suggest to exclude from MFA 

Best Practices for Emergency Accounts – 365 by Thijs

What kind of MFA`? Is hardware key an option in Azure AD, recommended for break glass?

Maybe not I have suggested to use Microsoft MFA with phone as option to send SMS but the are some customers who dont like to have MFA for break ice account rather will use upto 26-58 character password
Hi Niklask, there was a recent change on that topic.
Before, it was not recommended to use MFA for emergency (Break Glass) accounts but for sure to monitor logins using Sentinel or Alert rules. On the newer docs article, there is a recommendation for not to use the same MFA factor. But still monitor the login.
https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
Also make sure to exclude at least one account from all Conditional Access policies and disable per user MFA (anyway if Conditional Access is in place).