Since exceptions to this requirement will not be allowed, it’s crucial to have a process in place for managing MFA for emergency, or “break glass,” accounts.
Based on real-world experience, we know that emergency accounts are often excluded from Conditional Access Policies requiring MFA, typically relying solely on long and complex passwords. While these accounts cannot be tied to individual users or specific personal devices, they still need to be secured with a robust MFA method that remains effective in emergencies.
These accounts should not depend on services like Azure MFA or mobile carriers; instead, they should rely solely on core authentication services. This leaves a few MFA options:
- Certificate-based authentication
- FIDO2 security keys
- Windows Hello for Business
Among these, FIDO2 security keys are the easiest to implement and maintain.
Here are some best practices for managing emergency accounts and their associated security keys:
- Create two or more emergency accounts that are cloud-native and configured with the *.onmicrosoft.com domain (not a custom domain).
- Assign the Global Administrator role to these accounts permanently.
- Exclude these accounts from Conditional Access Policies unless specific policies for emergency accounts are in place.
- Secure the accounts using two separate security keys stored in different physical locations. Both emergency accounts should use the same two security keys.
- Ensure the PIN codes for the security keys are only known by authorized personnel.
- Set up monitoring and alerts for all sign-ins using these accounts.
- Regularly validate the accounts.
More information:
Microsoft documentation on mandatory multifactor authentication
Announcing mandatory multi-factor authentication for Azure sign-in