Back to blog
Accès conditionnelPublished on June 16, 20266 min read

Make MFA mandatory on Microsoft 365 without locking anyone out

Deploy MFA for everyone via Conditional Access, report-only first, with a break-glass account excluded to avoid any lockout.

MFA blocks more than 99% of password attacks. Yet many organizations hesitate to enforce it, fearing they will lock out users or themselves. The method matters as much as the rule.

The right rollout sequence

  1. 1Create the 'MFA for everyone' Conditional Access rule in report-only mode.
  2. 2Exclude a break-glass (emergency access) account from the rule.
  3. 3Watch simulated sign-ins for a few days.
  4. 4Switch the rule to enforced once false positives are handled.
Fleet-wide MFA, enabled through safe stages.
Never enable a Conditional Access rule without first excluding an emergency-access account.

The break-glass account is an admin account reserved for emergencies, excluded from the rule, to keep access if MFA fails. AuPoint requires selecting one before enabling any rule, and excludes it automatically.

Deploy MFA in report-only with one click, then move to enforcement when you're ready.

Secure your tenant in 15 minutes

Free trial