I have probably been putting too much thought into this but… I am testing Conditional Access policies that require two-factor authentication with M365. As part of this I came across an article recommending a break glass account that is exempted from the CA policies for situations in which 2FA is not working. The recommendation is that this account is a Global Administrator. Even with the suggested monitoring on that account, I am not super happy about it existing.

My thought is this: could this break glass account only have access to Conditional Access (there is a built-in role) and be exempted from 2FA? That account could then turn off 2FA if needed but would not be able to do anything else.

Please tell me why this is a bad idea.

Thank you.
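A defender-side check for the setup described in the post, added here as an example and not taken from the thread: using the Microsoft Graph PowerShell SDK it lists every Conditional Access policy that would still target the break glass account without excluding it, then pulls the account's recent sign-ins for monitoring. The UPN is a placeholder; cmdlet and permission names are the SDK's own.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# and a break glass account with the placeholder UPN below.
Connect-MgGraph -Scopes "Policy.Read.All", "User.Read.All", "AuditLog.Read.All"

$breakGlassUpn = "breakglass@contoso.example"   # placeholder, replace with your account
$breakGlass = Get-MgUser -UserId $breakGlassUpn
$policies = Get-MgIdentityConditionalAccessPolicy -All

# Any policy that targets "All" users or names the account directly must also list it
# under ExcludeUsers; otherwise that one policy can lock the account out during an outage.
# Limitation: targeting via IncludeGroups or IncludeRoles (e.g. a policy scoped to the
# Conditional Access Administrator role) is not expanded here and must be reviewed by hand.
$gaps = foreach ($p in $policies) {
    $users = $p.Conditions.Users
    $targeted = ($users.IncludeUsers -contains "All") -or ($users.IncludeUsers -contains $breakGlass.Id)
    $excluded = $users.ExcludeUsers -contains $breakGlass.Id
    if ($targeted -and -not $excluded) {
        [pscustomobject]@{ Policy = $p.DisplayName; State = $p.State }
    }
}

if ($gaps) {
    Write-Warning "Break glass account is NOT excluded from these policies:"
    $gaps | Format-Table -AutoSize
} else {
    Write-Host "Break glass account is excluded from every policy that targets it."
}

# Monitoring: the account should never sign in during normal operation, so every
# sign-in (successful or failed) in the last 7 days is worth an alert.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "userId eq '$($breakGlass.Id)' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, AppDisplayName, IPAddress,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
```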