Skip to content

Commit 47f596e

Browse files
PRMerger13PRMerger13
authored
Merge pull request #116199 from amanmcse/patch-25
(AzureCXP) fixes MicrosoftDocs/azure-docs#55343
2 parents 813c82b + d6137b8 commit 47f596e

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

articles/active-directory/users-groups-roles/directory-emergency-access.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ Create two or more emergency access accounts. These accounts should be cloud-onl
4040
When configuring these accounts, the following requirements must be met:
4141

4242
- The emergency access accounts should not be associated with any individual user in the organization. Make sure that your accounts are not connected with any employee-supplied mobile phones, hardware tokens that travel with individual employees, or other employee-specific credentials. This precaution covers instances where an individual employee is unreachable when the credential is needed. It is important to ensure that any registered devices are kept in a known, secure location that has multiple means of communicating with Azure AD.
43-
- The authentication mechanism used for an emergency access account should be distinct from that used by your other administrative accounts, including other emergency access accounts. For example, if your normal administrator sign-in is via on-premises MFA, then Azure MFA would be a different mechanism. However if Azure MFA is your primary part of authentication for your administrative accounts, then consider a different approach for these, such as using Conditional Access with a third-party MFA provider.
43+
- The authentication mechanism used for an emergency access account should be distinct from that used by your other administrative accounts, including other emergency access accounts. For example, if your normal administrator sign-in is via on-premises MFA, then Azure MFA would be a different mechanism. However if Azure MFA is your primary part of authentication for your administrative accounts, then consider a different approach for these, such as using Conditional Access with a third-party MFA provider via [Custom controls](https://docs.microsoft.com/azure/active-directory/conditional-access/controls).
4444
- The device or credential must not expire or be in scope of automated cleanup due to lack of use.
4545
- You should make the Global Administrator role assignment permanent for your emergency access accounts.
4646

0 commit comments

Comments
 (0)