Dec 07 2021 - last edited on Jan 14 2022
We need to set up two GA break glass accounts in Azure AD. Just read this article: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
It says "However, at least one of your emergency access accounts should not have the same multi-factor authentication mechanism as your other non-emergency accounts. This includes third-party multi-factor authentication solutions."
We use authenticator app on mobile phones for MFA in the organization.
1. Should both break glass accounts have MFA? Or only username and password? (That seems insecure.)
2. Is a FIDO2 security key an option for MFA in Azure AD? I only see it as a replacement for the password, but does that not leave the account without MFA? (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...)
Dec 09 2021 08:28 AM
Dec 10 2021 12:25 AM - edited Dec 10 2021 12:31 AM
If it's a break glass account, I would suggest using MFA. Refer to this article, which provides best practices but suggests excluding it from MFA.
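The exclusion the reply above refers to is normally implemented as a Conditional Access policy that requires MFA for everyone except the break glass accounts. The following is an added example written for this thread, not code from the original posts or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgUser`, `New-MgIdentityConditionalAccessPolicy`); the two UPNs and the policy display name are placeholders, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the thread): org-wide "require MFA" Conditional Access
# policy that excludes the two break glass accounts, via Microsoft Graph PowerShell.
# The UPNs below are placeholders; replace them with your tenant's break glass accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

$breakGlassUpns = @(
    "breakglass1@contoso.onmicrosoft.com",   # placeholder
    "breakglass2@contoso.onmicrosoft.com"    # placeholder
)

# Conditional Access references users by object ID, not by UPN, so resolve each one.
# Fail hard if an account cannot be found: a typo here would silently leave that
# account inside the MFA requirement instead of excluded from it.
$breakGlassIds = foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id,UserPrincipalName
    if (-not $user) { throw "Break glass account '$upn' not found; refusing to create the policy." }
    $user.Id
}

# Guard: an all-users MFA policy with nobody excluded would put the break glass accounts
# behind the very MFA mechanism they exist to bypass when that mechanism is unavailable.
if (@($breakGlassIds).Count -lt 2) { throw "Expected two break glass accounts to exclude." }

$policy = @{
    DisplayName = "Require MFA for all users (break glass excluded)"   # placeholder name
    # Report-only first; change to "enabled" after checking the sign-in log impact.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users        = @{
            IncludeUsers = @("All")
            ExcludeUsers = $breakGlassIds
        }
        Applications = @{
            IncludeApplications = @("All")
        }
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Excluding the accounts from the policy means they are protected only by whatever controls remain on them, which is why the linked guidance asks for at least one of them to use a different MFA mechanism from the rest of the organization rather than none at all.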
Dec 13 2021 02:21 AM
Dec 13 2021 04:22 AM