This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Based on this news announcement
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-on-mfa-requirements-for-azure-sign-in/ba-p/4177584 https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/update-on-mfa-requirements-for-azure-sign-in/ba-p/4177584 https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
What options are available to secure a break glass account when my IT team is distributed across various geographical locations?
It is impractical, if not impossible, to have multiple MFA tokens for a single break-glass account.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@EnterpriseArchitect Hope the following suggestion can help. If the answer is helpful, please click "Accept Answer". Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 24%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Hello EnterpriseArchitect
Thanks for your question.
The recommendation is updating these accounts to use passkey (FIDO2) or configure certificate-based authentication for MFA. Both methods satisfy the MFA requirement.
This is dcoumented in the planning section here: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
You can mark it 'Accept Answer' and 'Upvote' if this helped you
Regards,
Abiola
@akinbade abiola ,
Thank you for the response, however, there are multiple Senior Azure Engineers in multiple office locations, so what is the best course of action to secure this one single account so any users can access it when required ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Thank you for reaching Microsoft Q&A Forum!
If you have a single account that multiple users need to access, the best course of action would be to create a group in Azure AD and add the users who need access to that group. Then, you can grant the group access to the necessary resources or applications. This way, you can manage access to the account more easily and ensure that only authorized users have access.
To further secure the account, you can use Conditional Access to enforce multi-factor authentication (MFA) for all users accessing the account.
Restrict access based on location, ensuring that only approved locations or IP addresses can access the account.
Also, you can enable PIM to manage, control, and monitor access to important resources. PIM allows you to provide just-in-time privileged access and requires approval for role activation
For any Azure resources that require a service identity, use Azure managed identities. This helps in managing and securing service accounts.
Reference: https://learn.microsoft.com/en-us/entra/architecture/secure-best-practices
https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
Hope this helps. Do let us know if you any further queries by responding in the comments section.
Thanks,
Akhilesh.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.