SOLVED

Security Defaults and Break Glass Account

I have an O365 tenant and am considering enabling Security Defaults. The documentation says that this will require MFA for all administrator accounts.

Microsoft also recommends setting up a "break-glass" administrator account that does not have MFA enabled.

I can't find anywhere how to set up a "break-glass" account without MFA and also have Security Defaults enabled. Does anyone know?

5 Replies

@Kidd_Ip

No. Conditional Access doesn't help.

According to:

Security defaults and Conditional Access - Microsoft 365 Business Premium | Microsoft Learn

"You can use either security defaults or Conditional Access policies, but you can't use both at the same time."

@John Twohig you’re 100% right in noticing this contradiction with security defaults and break glass accounts in the documentation from Microsoft. Unfortunately, like you noticed, there isn’t any way to use security defaults and have a break glass account that’s excluded from MFA that I’m aware of.

@Ben Stegink

Sort of makes Security Defaults useless so I decided not to turn them on.

Thanks

best response confirmed by ChristianJBergstrom (MVP)
Solution
I didn’t think of TAP which is a great feature. This is a workaround.

https://janbakker.tech/break-glass-accounts-and-azure-ad-security-defaults/