The break-glass mistake sitting in most Australian tenants
There's a Conditional Access misconfiguration we find more often than any other, and it isn't an open door — it's the opposite. It's a policy so well-intentioned and so tightly scoped that one bad Tuesday can lock every administrator out of Microsoft 365, including the people who'd fix it.
the setup
Someone sensible — often after reading Essential Eight guidance, often after a phishing near-miss — creates the policy every tenant should have: all users, all cloud apps, require multi-factor authentication. Enabled, not report-only. So far, exactly right.
What's missing is a single field: excluded users. It's empty. And an all-users MFA or block policy with an empty exclusion list means there is no account in the tenant that can sign in without completing MFA. Every account, every admin, every time.
why that's a time bomb, not a hardening win
MFA depends on things outside your tenant: Microsoft's MFA service, your users' phones, the Authenticator app, sometimes a third-party identity provider. Each of those can fail — and has. Microsoft's own MFA infrastructure has suffered multi-hour global outages, and when it does, an MFA-required sign-in doesn't degrade gracefully. It fails closed.
Now walk the failure through. MFA is down. Your Global Admin tries to sign in to disable or adjust the policy — and can't, because the policy applies to them too. The one action that would restore access requires the access that's been lost. That's the lockout loop, and the exits from it are ugly: waiting out the outage, or a support case with Microsoft to prove tenant ownership, which is measured in days, not minutes — while payroll, email and every SaaS app federated to Entra sits behind the same locked door.
what good looks like
Microsoft's guidance, and ours, is boringly consistent:
- Two emergency access accounts, cloud-only (
@yourtenant.onmicrosoft.com— never synced from on-prem AD, so an AD or federation failure can't take them down with it). - Excluded from every Conditional Access policy. Every one. A break-glass account that's excluded from four policies and caught by the fifth is not a break-glass account.
- Credentials that don't depend on the thing that might be broken. A FIDO2 key in a safe, or a long generated password stored offline and split across two custodians. Not Authenticator on someone's phone.
- Monitored like an alarm system. These accounts should sign in approximately never — so any sign-in is either a scheduled quarterly test or an incident. Alert on it (a log-analytics rule on the sign-in logs takes ten minutes to set up).
- Tested quarterly. An emergency credential nobody has tried in two years is a hope, not a control.
The pushback we hear is "but an account that skips MFA weakens our posture". Correctly built, it doesn't meaningfully: the credential is phishing-resistant or physically vaulted, the account holds no daily-use role assignments beyond what recovery needs, and every sign-in pages a human. Compare that residual risk against days of total tenant lockout, and the trade is not close.
check yours in the next two minutes
You don't need a workshop to find out if you're exposed. Open Entra → Conditional Access, and for every enabled policy that targets all users with an MFA or block control, look at the excluded-users list. If any of them says zero, you've found the bomb. While you're there, confirm the accounts that are excluded are actual emergency accounts — not a departed admin, and not a shared mailbox someone added to stop a ticket.
./ca-policy-check — free, read-only, two minutes
Our free Conditional Access check reads your policies live from Microsoft Graph — in your browser, nothing sent to us — and flags this exact condition, plus eleven other common failures: legacy auth gaps, report-only drift, missing risk policies, trusted-location MFA bypass. Mapped to the Essential Eight, CIS v8 and NIST CSF 2.0.
▸ run the free checkFound a zero-exclusion policy and want a second set of eyes on the fix — or on the whole identity perimeter? That's what the fixed-price assessment is for. ./view pricing