Accès conditionnelPublished on June 16, 20266 min read
Make MFA mandatory on Microsoft 365 without locking anyone out
Deploy MFA for everyone via Conditional Access, report-only first, with a break-glass account excluded to avoid any lockout.
MFA blocks more than 99% of password attacks. Yet many organizations hesitate to enforce it, fearing they will lock out users or themselves. The method matters as much as the rule.
The right rollout sequence
- 1Create the 'MFA for everyone' Conditional Access rule in report-only mode.
- 2Exclude a break-glass (emergency access) account from the rule.
- 3Watch simulated sign-ins for a few days.
- 4Switch the rule to enforced once false positives are handled.
Never enable a Conditional Access rule without first excluding an emergency-access account.
The break-glass account is an admin account reserved for emergencies, excluded from the rule, to keep access if MFA fails. AuPoint requires selecting one before enabling any rule, and excludes it automatically.
Deploy MFA in report-only with one click, then move to enforcement when you're ready.