I came across an article, didn't save it. About best practices for MS security. It mentioned that MS actually recommends having a Global admin set up without MFA, for the purpose of being able to access the system if something happens to MFA.

Which seems to happen all the time for us, we have users who just seem to lose their MFA connection and we have to reset it.

This would stink if it happened to our admin account.

Anyway, we use security defaults which seems to force MFA, my question is if there is a way to achieve this, and is this really a best practice? It sort of makes sense to me, but at the same time it doesn't really make sense.

With security defaults you enable MFA for all administrative accounts and require all users to set up MFA and enforce MFA when Azure AD thinks it's necessary. I believe what you've been reading is about the "break glass" accounts that should be set up differently. This isn't possible using security defaults as you cannot use conditional access policies.
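As an added illustration of the point above (not part of the answer), the following Python checks whether a break-glass account is excluded from every enforced Conditional Access policy, using the shape of the policy list Microsoft Graph returns from `GET /identity/conditionalAccess/policies`. The policies and object ids are constructed placeholders, and it assumes the break-glass account holds a directory role, so any role-targeted policy counts as in scope.

```python
# Added example: check a break-glass account against Conditional Access policies.
# Input shape follows the 'value' array returned by Microsoft Graph's
# GET /identity/conditionalAccess/policies; all data below is constructed.
import json

# Constructed placeholder object id for the break-glass account (not real).
BREAK_GLASS_ID = "11111111-1111-1111-1111-111111111111"

# Constructed sample policies; ids are placeholders, not real tenant values.
SAMPLE_POLICIES_JSON = """[
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
     "excludeUsers": ["11111111-1111-1111-1111-111111111111"]}}},
  {"displayName": "Require MFA for admins", "state": "enabled",
   "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
     "includeRoles": ["22222222-2222-2222-2222-222222222222"]}}},
  {"displayName": "Block legacy auth (report-only)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
  {"displayName": "Pilot group MFA", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["33333333-3333-3333-3333-333333333333"],
     "excludeUsers": []}}}
]"""


def policies_covering_break_glass(policies, break_glass_id):
    """Return names of enabled policies that still apply to the break-glass
    account (in scope and not in excludeUsers). Any hit can lock the account
    out when MFA is unavailable, which defeats the purpose of the account."""
    hits = []
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies do not enforce
        users = policy.get("conditions", {}).get("users", {})
        include_users = users.get("includeUsers", [])
        in_scope = (
            "All" in include_users
            or break_glass_id in include_users
            # Assumption: the break-glass account holds a directory role,
            # so any role-targeted policy is treated as in scope.
            or bool(users.get("includeRoles"))
        )
        if in_scope and break_glass_id not in users.get("excludeUsers", []):
            hits.append(policy["displayName"])
    return hits


def audit_sample():
    """Run the check over the constructed sample; a non-empty list is a finding."""
    return policies_covering_break_glass(json.loads(SAMPLE_POLICIES_JSON), BREAK_GLASS_ID)
```

Against a real tenant the same function can be fed the policy list pulled with the Graph API, and a non-empty result means the break-glass account is not yet safe to rely on.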