Security Defaults and Break Glass Account

Frequent Contributor

I have an O365 tenant and am considering enabling Security Defaults. The documentation says that this will require MFA for all administrator accounts.


Microsoft also recommends setting up a "break-glass" administrator account that does not have MFA enabled. 


I can't find anywhere how to set up a 'break-glass" account without MFA and also have Security Defaults enabled.  Does anyone know?

5 Replies



No. Conditional Access doesn't help. 


According to:

Security defaults and Conditional Access - Microsoft 365 Business Premium | Microsoft Learn


"You can use either security defaults or Conditional Access policies, but you can't use both at the same time."

@John Twohig you’re 100% in noticing this contradiction with security defaults and break glass accounts in the documentation from Microsoft . Unfortunately, like you noticed, there isn’t any way to use security defaults and have a break glass account that’s excluded from MFA that I’m aware of. 

@Ben Stegink 


Sort of makes Security Defaults useless so I decided not to turn them on.



best response confirmed by ChristianJBergstrom (MVP)
I didn’t think of TAP which is a great feature. This is a workaround.