Exclude Emergency Access account from Security Defaults
Microsoft has done a great job by releasing security defaults, however it's lacking the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA.
This is similar to the built-in Administrator account in traditional Active Directory. Without the ability to exclude a single account, most organizations without AAD P1 licensing will simply leave security defaults turned off.
If we want fine-grained exclusions or multiple emergency access accounts, it would then make sense to purchase AAD P1 licenses and configure Conditional Access.
Rich Lusk commented
I agree with Jake. I have customers that can't afford Azure AD Premium but still need to be able to create a Break Glass account without MFA on it. It would be easier on all Microsoft CSPs if Conditional Access Policies were available to all tenants.
Tero Pihlaja commented
We have similar requirements as Lasse already raised. We need to have some service accounts without MFA.
Lasse Thomsen commented
We do use MFA for all users and Admins, but we do have some service accounts and a Break Glass account, all with long complex passwords, that we don't want to have MFA on. An easy way for an Admin to generate a meaningful report on the usage of these non-MFA accounts would be helpful.
Ohh, and one more thing: if you are serious about security, you should never have to pay for security! It must come as standard!
Pat DiPersia commented
I agree with Jake. We need a way to exclude our break glass account, especially since this is a best practice from Microsoft. Paying for conditional access to do this right shouldn't be the case.
Additionally, I'm not sure I agree with the push notifications to the Microsoft Auth app being the ONLY way to log in. I find the 6-digit rolling code to be much more secure. We can educate users all we want, but I can guarantee users WILL push approve if a hacker gets their credentials, because they simply don't read or think sometimes.
I just read up on security defaults and I wanted to post this somewhere: 'Well done!' on making this a standard for all accounts. At one point, in order to get MFA you had to purchase an AD Premium, and I remember posting some feedback that you should never have to pay for security. So, bravo on making this move to make it simple and effective for all accounts to be protected and not charging for it. I agree too that setting up one account to exclude for emergency access would be nice. I know that I can go through the process of setting it up in conditional access, but the exception account would make it convenient to not have to go through that process, or to be concerned that I might not set it up right since I don't do that every day.
Waters, Jeremy commented
Furthermore, if you want to follow Microsoft best practices, and exclude your emergency access account(s) from MFA, and therefore disable Security Defaults, and create your own Conditional Access policy, then you also will have lost the Unified MFA Registration feature of Security Defaults. To make up for that, you need to pony up to P2 for your users - so that you can turn this back on in Identity Protection. Ouch!
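As an added example that is not part of this thread: the Conditional Access policy the original post and the comment above refer to, built with the Microsoft Graph PowerShell SDK. The cmdlet names assume the Microsoft.Graph module is installed, the object ID is a placeholder, and the policy starts in report-only mode so the exclusion can be verified in the sign-in logs before it is enforced.

```powershell
# Added example, not from the feedback thread or from Microsoft.
# Requires Azure AD P1 (Conditional Access) and the Microsoft.Graph PowerShell SDK.
# Placeholder: replace with the object ID of your cloud-only emergency access account.
$BreakGlassObjectId = '<break-glass-account-object-id>'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$params = @{
    displayName = 'Require MFA for all users (exclude emergency access account)'
    # Report-only first: check the sign-in log "Report-only" results, then set to 'enabled'.
    state = 'enabledForReportingButNotEnforced'
    conditions = @{
        users = @{
            includeUsers = @('All')
            # The single break-glass account is the only exclusion.
            excludeUsers = @($BreakGlassObjectId)
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator = 'OR'
        builtInControls = @('mfa')
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Confirm the exclusion was stored as intended before enforcing the policy;
# the excluded account has no MFA, so its sign-ins should be alerted on separately.
$policy.Conditions.Users.ExcludeUsers
```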
Jason Hartman commented
1000% Yes. We need the ability to exclude certain service accounts and break-glass accounts from Security Defaults. Or you need to make Conditional Access free for all 365 accounts so we can deploy MFA the recommended way without paying extra for a basic feature that claims to eliminate 99% of security breaches.