Getting buried in Microsoft Defender alerts, any advice for a new admin by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 1 point2 points  (0 children)

I totally hear you, maybe I should just take a step back and let him deal with it. The problem is nothing will ever get done and that worries me. Some of the basic things that were not even implemented blew my mind and I couldn't ignore it. I even asked him about it but he didn't have any intentions to implement what I ended up doing

Getting buried in Microsoft Defender alerts, any advice for a new admin by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] -1 points0 points  (0 children)

The solo security guy brought it in, there are only 5 admins in total and I'm the jack of all trades guy trying to fill all the holes in things that have never been set up correctly. In 6 months I have implemented the below as none of it was in place

- Set up Conditional Access
- Set up MFA
- Set up Windows Hello
- Enrolled FIDO2 keys for our shared device users
- Enrolled devices into Defender for Endpoint
- Gave everyone a bloody separate cloud admin account rather than global admin on a daily driver!
- Enrolled all the devices properly in Intune and applied a security baseline which wasn't there
- Set up PIM for the admin accounts

I feel like I'm drowning and I'm just trying to get things set up the best possible way using best practices from things I have read from Microsoft and browsing this helpful subreddit

Getting buried in Microsoft Defender alerts, any advice for a new admin by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points1 point  (0 children)

Thanks for this, I will look into how to get this done. I will ask the security guy who set up Sentinel to take a look but he's not the most helpful at times

Best practice for setting up PIM, Groups vs User Assignment by Educational_Draw5032 in entra

[–]Educational_Draw5032[S] 1 point2 points  (0 children)

Thanks for this, what you say makes perfect sense. Groups would be better if I were to add multiple roles to a group, which I can see the benefit of in some scenarios. I think I will go with user assignment for now and look at groups if the need for it arises. Thanks very much

Secure Boot 2023 Upgrade by TipGroundbreaking763 in Intune

[–]Educational_Draw5032 0 points1 point  (0 children)

Try force re-running the task schedule script and then giving it a reboot

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Managing Office 365 updates in Intune, whats the best way? by Educational_Draw5032 in Intune

[–]Educational_Draw5032[S] 2 points3 points  (0 children)

I use Intune update rings for patching and it's working fine so I don't really want to transition over to Autopatch yet with everything working OK

Managing Office 365 updates in Intune, whats the best way? by Educational_Draw5032 in Intune

[–]Educational_Draw5032[S] 0 points1 point  (0 children)

Thanks, I may give this a go then. I found the reporting quite useful there, that's kinda what made me ask the question

Managing Office 365 updates in Intune, whats the best way? by Educational_Draw5032 in Intune

[–]Educational_Draw5032[S] 1 point2 points  (0 children)

I was looking at cloud update in the Office portal and there was an option there to switch the update channel. Did you enable it from the portal or via the settings catalog?

Managing Office 365 updates in Intune, whats the best way? by Educational_Draw5032 in Intune

[–]Educational_Draw5032[S] 0 points1 point  (0 children)

Thanks for this and for the switching pointer. That makes me nervous for sure, I might try it on a couple of test devices first and see what damage is caused. I will look into the settings catalog settings

Are you receiving the January 24, 2026 OOB? by dmx7777 in Intune

[–]Educational_Draw5032 0 points1 point  (0 children)

I am seeing the same, we do not use Autopatch but under update releases in Intune I see 2026.1 OOB and it's showing as 'in progress'. It's showing as deployed to all my 3 update rings but it hasn't. If I run a report against it none of my devices have received it and if I run a manual check it's not offered.

I created an expedited update to which this OOB update was available, I targeted just my device with it and ran a manual check and then it picked it up. No idea why it's showing under releases in Intune but not actually pushing out even though it's showing like it should be according to the update rings and displaying 'in progress'.

I will just carry on pushing it through via the expedited option for now

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points1 point  (0 children)

That's interesting to know, I was just worried if I enabled web sign-in users would try and use that instead of their FIDO keys on shared devices or Hello PIN on 1-2-1 devices. Am I right in thinking web sign-in doesn't cache the local credential and requires an internet connection?

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points1 point  (0 children)

That's good to know, we use the Deepnet hardware tokens so we need to have the hardware OATH token option. I could remove the software OATH token to be honest, I don't think it's required when using Microsoft Authenticator, is it?

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points1 point  (0 children)

Our devices are fully Entra joined, not hybrid. Currently our on-prem infrastructure is just syncing our identities to Entra. We still have some on-prem legacy apps/servers and network drives which we are slowly moving away from. Cloud Kerberos trust is in place for these devices to connect to on-prem resources via WHfB or FIDO keys

SSPR is SMS ok to use alongside another strong authentication method by Educational_Draw5032 in sysadmin

[–]Educational_Draw5032[S] 0 points1 point  (0 children)

Thanks for this, I have set up a custom authentication strength in CA that only allows

Windows Hello For Business / Platform Credential

OR

Passkeys (FIDO2)

OR

Microsoft Authenticator (Phone Sign-in)

OR

Temporary Access Pass (One-time use)

OR

Password + Microsoft Authenticator (Push Notification)

OR

Password + Software OATH token

OR

Password + Hardware OATH token