Dec 07 2021 09:24 AM - last edited on Jan 14 2022 03:46 PM by TechCommunityAP
Hi,
We need to set up two GA break glass accounts in Azure AD. Just read this article: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
It says "However, at least one of your emergency access accounts should not have the same multi-factor authentication mechanism as your other non-emergency accounts. This includes third-party multi-factor authentication solutions."
We use authenticator app on mobile phones for MFA in the organization.
Two questions:
1. Should both break glass accounts have MFA? Or only username and password <-- seems insecure?
2. Is FIDO2 security key an option for MFA in Azure AD? I only see it as a replacement for password, but that does not provide the account with MFA? (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...)
Dec 09 2021 08:28 AM
Dec 10 2021 12:25 AM - edited Dec 10 2021 12:31 AM
If it's a break glass account, I would suggest using MFA. Refer to this article that provides best practices, but it suggests excluding it from MFA.
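As an added example (not code from this thread or from the linked Microsoft article), a Microsoft Graph PowerShell audit that checks the two points raised above for each break-glass account: whether it has a registered second factor that differs from the organisation's standard Authenticator app, and whether it is excluded from every enabled Conditional Access policy that requires MFA. The `contoso` UPNs are placeholders, the standard-method value assumes the Authenticator app described in the question, and only direct user exclusions are resolved (not group-based ones).

```powershell
# Added audit example, not code from the thread or from Microsoft's article.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "User.Read.All", "UserAuthenticationMethod.Read.All", "Policy.Read.All"

# Placeholder UPNs for the two break-glass accounts; replace with your own.
$BreakGlassUpns = @("breakglass1@contoso.onmicrosoft.com", "breakglass2@contoso.onmicrosoft.com")

# The MFA mechanism the rest of the organisation uses (Authenticator app, as in the question).
$StandardMethod = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"

# Enabled Conditional Access policies that require MFA through the built-in "mfa" grant control.
$MfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq "enabled" -and $_.GrantControls.BuiltInControls -contains "mfa"
}

function Test-BreakGlassAccount {
    param([string]$Upn)

    $user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

    # Registered methods come back as typed objects; @odata.type says which kind each one is.
    $methodTypes = Get-MgUserAuthenticationMethod -UserId $user.Id |
        ForEach-Object { $_.AdditionalProperties["@odata.type"] }

    # Anything other than the password itself counts as a second factor (FIDO2, phone, Authenticator, ...).
    $secondFactors = @($methodTypes | Where-Object { $_ -ne "#microsoft.graph.passwordAuthenticationMethod" })

    # The article's requirement: at least one method that is not the organisation's standard mechanism.
    $distinctFactors = @($secondFactors | Where-Object { $_ -ne $StandardMethod })

    # MFA policies that still apply because the account is not directly excluded.
    # Caveat: exclusions via ExcludeGroups are not expanded here.
    $stillInScope = @($MfaPolicies | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $user.Id })

    [pscustomobject]@{
        Account                 = $user.UserPrincipalName
        HasSecondFactor         = $secondFactors.Count -gt 0    # password-only is the insecure case from question 1
        HasMethodUnlikeStandard = $distinctFactors.Count -gt 0  # e.g. a FIDO2 key instead of the Authenticator app
        HasFido2Key             = $secondFactors -contains "#microsoft.graph.fido2AuthenticationMethod"
        MfaPoliciesStillApplied = ($stillInScope | ForEach-Object DisplayName) -join "; "
    }
}

$BreakGlassUpns | ForEach-Object { Test-BreakGlassAccount -Upn $_ } | Format-List
```

A break-glass account that shows `HasSecondFactor` false, or `HasMethodUnlikeStandard` false, or any name under `MfaPoliciesStillApplied`, is the one to review against the article's guidance.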
Dec 12 2021 10:34 PM
What kind of MFA? Is a hardware key an option in Azure AD, recommended for break glass?
Dec 13 2021 02:21 AM
Dec 13 2021 04:22 AM