Break-glass account excluded from MFA cannot sign in

Minimal guidance for messy support realities.

Scenario

An emergency admin account is deliberately excluded from MFA policies, yet login still fails during a real incident test.

Recommended Resolution Path

  1. Verify the exclusion is on the effective policy path and not shadowed by another rule.
  2. Check sign-in restrictions such as location, risk, or device requirements that still apply.
  3. Test the account on a known-clean browser session and document expected usage before an actual emergency.
  4. Treat a failed break-glass test as a serious operational gap and remediate immediately.
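
Steps 1 and 2 as an added example, not part of the original guidance or any vendor's tooling: each enabled policy is evaluated on its own against the break-glass account, so an exclusion on one policy does not hide a second policy that still applies. The policy schema, the account name bg-admin, and the group names are constructed assumptions; map them to whatever your identity provider exports.

```python
# Constructed, vendor-neutral policy records; field names are hypothetical.
POLICIES = [
    {"name": "Require MFA - all users", "enabled": True,
     "include": {"all"}, "exclude": {"bg-admin"}, "controls": ["mfa"]},
    {"name": "Require MFA - admin roles", "enabled": True,
     "include": {"grp:global-admins"}, "exclude": set(), "controls": ["mfa"]},
    {"name": "Block untrusted locations", "enabled": True,
     "include": {"all"}, "exclude": {"grp:service-accounts"},
     "controls": ["block_outside_trusted_locations"]},
    {"name": "Compliant device (pilot)", "enabled": False,
     "include": {"all"}, "exclude": set(), "controls": ["compliant_device"]},
]

def effective_policies(account, groups, policies):
    """Return (policy name, controls) for every enabled policy that still
    applies to the account. An exclusion only counts on the policy that
    carries it, so each policy is evaluated independently."""
    principals = {account, "all"} | {f"grp:{g}" for g in groups}
    direct = principals - {"all"}  # exclusions must name the user or a group
    hits = []
    for p in policies:
        if not p["enabled"]:
            continue  # disabled or report-only policies cannot block sign-in
        in_scope = bool(p["include"] & principals)
        excluded = bool(p["exclude"] & direct)
        if in_scope and not excluded:
            hits.append((p["name"], p["controls"]))
    return hits

def audit(account, groups, policies=POLICIES):
    """Print and return the policies that still constrain the account."""
    hits = effective_policies(account, groups, policies)
    for name, controls in hits:
        print(f"STILL APPLIES to {account}: {name} -> {', '.join(controls)}")
    if not hits:
        print(f"No enabled policy constrains {account}")
    return hits

if __name__ == "__main__":
    # The account is excluded from the all-users MFA policy, yet two other
    # policies reach it through role-group membership and a location rule.
    audit("bg-admin", ["global-admins"])
```

Any policy this reports is a candidate for the failed sign-in; confirm against the provider's sign-in log before changing exclusions.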

Technician Notes

Document what changed, what confirmed the fix, and whether the issue points to a broader standards gap worth addressing for the client.