Azure-docs: Break Glass Accounts

Created on 19 Dec 2019 · 10 comments · Source: MicrosoftDocs/azure-docs

There needs to be a way to exclude break glass accounts from the MFA policies applied as part of Security Defaults. This is a best-practice recommendation from Microsoft.


Labels: Pri1, active-directory/svc, conditional-access/subsvc, cxp, product-question, triaged


All 10 comments

@ElanShudnow Thank you for the feedback. We will review and update accordingly.

@ElanShudnow Could you elaborate more on what you mean by "break glass accounts"?

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access

Emergency accounts have very long, complex passwords that are stored in a secure manner, such as a vault that requires two or more people to enter. No MFA and no policies should be applied to them, and they should be Global Admins/Azure Owners. However, if you apply the baseline policy (deprecated) or security defaults, it affects these emergency (break glass) accounts.

The development team really should add functionality to security defaults so we can exclude these emergency accounts.

👆 This! There needs to be a way to disable MFA per-user in the new security defaults, not only for break glass accounts, but in general. Azure AD resiliency is a bit of a joke, and the MFA service has gone down regionally and globally multiple times. There needs to be a balance between core security constructs for users and still being able to administer an Azure AD tenant when the surrounding security infrastructure fails.

TL;DR; - When your service goes down we still need to get on with our lives.

As mentioned in the Conditional Access section of the doc "You can use Conditional Access to configure policies similar to security defaults, but with more granularity including user exclusions, which are not available in security defaults."

please-close
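The Conditional Access exclusion referred to in the comment above, as an added example (this is not code from the issue, from Microsoft, or from the azure-docs project): a PowerShell script that builds the "MFA for all users" policy body with the emergency access accounts excluded by object ID, and audits the tenant's existing policies for any enabled or report-only policy that would still apply to those accounts. The Microsoft.Graph cmdlets named in the comments are real; the GUIDs, the four sample policies and the helper `New-SamplePolicy` are constructed so the audit runs offline.

```powershell
# Added example, not from the azure-docs issue or from Microsoft.
# Live use needs the Microsoft.Graph PowerShell module:
#   Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess'
#   $policies = Get-MgIdentityConditionalAccessPolicy -All
# The sample data at the bottom is constructed so the audit runs offline.

# Built-in directory role template ID for Global Administrator.
$GlobalAdminRoleTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function New-MfaForAllExceptBreakGlassBody {
    <# Policy body for New-MgIdentityConditionalAccessPolicy -BodyParameter: the same
       "MFA for all users" outcome Security Defaults gives, but with the emergency
       access accounts excluded by object ID. #>
    param(
        [Parameter(Mandatory)] [string[]] $BreakGlassUserIds,
        [string] $DisplayName = 'Require MFA for all users (exclude emergency access)'
    )
    return @{
        displayName   = $DisplayName
        # Start in report-only and switch to 'enabled' after reviewing sign-in logs.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = $BreakGlassUserIds }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
}

function Test-BreakGlassExcluded {
    <# Returns one finding per (policy, break-glass account) pair where the policy is
       enabled or report-only, targets the account (directly, via 'All', or via the
       Global Administrator role) and does not exclude it by user ID.
       Group-based includes/excludes are not resolved here; that needs Get-MgUserMemberOf. #>
    param(
        [Parameter(Mandatory)] [string[]] $BreakGlassUserIds,
        [Parameter(Mandatory)] [object[]] $Policies
    )
    $findings = @()
    foreach ($p in $Policies) {
        if ($p.State -eq 'disabled') { continue }   # a disabled policy cannot lock anyone out
        $u = $p.Conditions.Users
        foreach ($id in $BreakGlassUserIds) {
            $targeted = ($u.IncludeUsers -contains 'All') -or
                        ($u.IncludeUsers -contains $id) -or
                        ($u.IncludeRoles -contains $GlobalAdminRoleTemplateId)  # break-glass accounts are Global Admins
            if ($targeted -and -not ($u.ExcludeUsers -contains $id)) {
                $findings += [pscustomobject]@{
                    Policy           = $p.DisplayName
                    PolicyId         = $p.Id
                    State            = $p.State
                    BreakGlassUserId = $id
                }
            }
        }
    }
    return $findings
}

# --- Constructed sample (placeholder GUIDs, not a real tenant) -----------------------
$breakGlass = @('11111111-1111-1111-1111-111111111111')

# Hypothetical helper that mimics the shape of Get-MgIdentityConditionalAccessPolicy output.
function New-SamplePolicy($Id, $Name, $State, $IncludeUsers, $ExcludeUsers, $IncludeRoles) {
    [pscustomobject]@{
        Id = $Id; DisplayName = $Name; State = $State
        Conditions = [pscustomobject]@{
            Users = [pscustomobject]@{
                IncludeUsers = $IncludeUsers; ExcludeUsers = $ExcludeUsers; IncludeRoles = $IncludeRoles
            }
        }
    }
}

$samplePolicies = @(
    # MFA for everyone with the break-glass account excluded
    (New-SamplePolicy 'p1' 'Require MFA for all users' 'enabled' @('All') $breakGlass @()),
    # Applies to 'All' with no exclusion
    (New-SamplePolicy 'p2' 'Block legacy authentication' 'enabled' @('All') @() @()),
    # Role-scoped policy that reaches the account because it is a Global Admin
    (New-SamplePolicy 'p3' 'Require compliant device for admins' 'enabledForReportingButNotEnforced' @() @() @($GlobalAdminRoleTemplateId)),
    # Disabled, so it is skipped
    (New-SamplePolicy 'p4' 'Old pilot policy' 'disabled' @('All') @() @())
)

Test-BreakGlassExcluded -BreakGlassUserIds $breakGlass -Policies $samplePolicies | Format-Table -AutoSize

# Live tenant, after Connect-MgGraph:
#   New-MgIdentityConditionalAccessPolicy -BodyParameter (New-MfaForAllExceptBreakGlassBody -BreakGlassUserIds $breakGlass)
#   Test-BreakGlassExcluded -BreakGlassUserIds $breakGlass -Policies (Get-MgIdentityConditionalAccessPolicy -All)
```

Because the emergency access accounts are Global Administrators, a role-scoped policy reaches them even when the "All users" policy excludes them, which is why the audit checks IncludeRoles as well as IncludeUsers. Security Defaults exposes no exclusion list at all, which is the gap the issue is about; report-only policies are included in the audit because they are usually one click away from being enforced.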

@MicrosoftGuyJFlo _'Security Defaults'_ goes against Microsoft best practices as defined in the Manage emergency access accounts in Azure AD doc page. We aren't asking for granularity we just want to exclude the single emergency access account.

AAD Premium P1 licenses shouldn't be required to do this.

It's obvious that Microsoft wants extra money for the granularity needed to exclude certain users from Security Defaults. It's not a bug, it's by design.

@jakemarston @o-l-a-v

As is mentioned in the blog post announcing security defaults:

"If you are a person who uses Conditional Access to manage your break glass accounts with terms of use controls, chooses MFA based on device compliance, or integrates Identity protection reports into your SIEM, you’re far more sophisticated than our target user for Security Defaults. If you’re thinking of break glass accounts or exception scenarios, Security Defaults isn’t for you – you want Azure AD Conditional Access."

If you feel that a product feature is missing then providing product feedback using the "This product" control at the bottom of the page is the way to get that feedback to the product teams where others can upvote your same feedback.

Thanks for the feedback @MicrosoftGuyJFlo

I've opened a suggestion here: Exclude Emergency Access account from Security Defaults.
