When is Azure AD fully embracing "always MFA" and "passwordless"?

[NileshGhodekar]

Section "Exclude at least one account from Conditional Access policies" says at least one account should not be part of any Conditional Access policies. This, in turn, currently means that at least one account would be and must be able to do password-based authentication. Can you please bring this clarity on Microsoft's position in this section?

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: fff5de5d-9a97-73ff-4694-79027720b5c3
• Version Independent ID: 566a8387-bbdd-8e35-13cc-f2d891bd5608
• Content: Manage emergency access admin accounts - Microsoft Entra
• Content Source: articles/active-directory/roles/security-emergency-access.md
• Service: active-directory
• Sub-service: roles
• GitHub Login: @markwahl-msft
• Microsoft Alias: rolyon

[Naveenommi-MSFT]

@NileshGhodekar Thanks for your feedback! We will investigate and update as appropriate.

[ManoharLakkoju-MSFT]

Hi @NileshGhodekar It is recommended to exclude at least one account from Conditional Access policies to ensure that there is always a way to access the environment in case of an emergency. However, this account should be secured with strong authentication and monitored closely to prevent unauthorized access. It is important to note that password-based authentication is not recommended for emergency access accounts, and multi-factor authentication should be used instead to ensure the highest level of security

[NileshGhodekar]

Hi @ManoharLakkoju-MSFT, what I'm saying is that the recommendation you mentioned here in the last statement is not enforceable without having a conditional access policy. Or is there another Azure AD native solution to enforce this? So while the recommendation in the previous section in the article "Exclude at least one account from phone-based multi-factor authentication" is valid, this section should instead of mentioning "Exclude at least one account from Conditional Access policies" but should mention create a dedicated CA policy for that emergency account to enforce strong MFA.

[ManoharLakkoju-MSFT]

@NileshGhodekar Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly

@markwahl-msft Can you please check and add your comments on this doc update request as applicable.

[NileshGhodekar]

Hi,

Any updates on this one? Microsoft is the only cloud service provider that is asking customers to not do a policy configuration that can enforce MFA on the accounts that need most protection. AWS and GCP for example have unambiguous guidance to the customers to do the policy configuration on root accounts / super admins that mandates MFA. Azure AD public guidance on the on the contrary recommend do not do the configuration (Exclude at least one account from Conditional Access policies). Can we please get the Azure AD guidance on the same bar as other clouds or improve the service if it's deficient in some respect as apparently other leading cloud providers have no issues recommending blanket MFA for all accounts including breakglass accounts.