This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Currently setting up a break glass account and I'm researching if there is a way to remove a password or the option to use one from an account in Entra Id, similar to what can be done with a consumer Microsoft account. This is in an effort to go completely passwordless using a fido2 key (passkey) and not be presented an option to login with a password if I cancel the passkey login attempt. Of course, using a conditional access policy to apply an authentication strength for this type of account is not desired nor recommended.
IMO: you should have at at least two options to get into a break glass account. If you were able able to remove the password requirement and relied only on the FIDO key, you put yourself at risk in the event that key is not available.
Wouldn't just having 2 keys registered to the account be adequate? Especially since both keys and passwords use the same authentication service to log in accounts.
Indeed. I was thinking more about the physical access to the keys as well. Depending on the scenario. I have never removed a password from an account in that way and not sure if it will even let you
Agreed, it definitely won't allow you in Entra, but it does on the consumer side; https://support.microsoft.com/en-gb/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43
I'm hoping this ability catches up on the enterprise side.
<accidentally added two similar comments>