How To Get There From Here: Break Glass Account With Phishing-resistant MFA in Entra ID

January 17, 2026 by Martin Bengtsson

Introduction

In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys in Microsoft Entra ID – what they are, how they work, and how to get started with passwordless authentication.

This post isn’t just a follow-up to that episode. As Conditional Access policies become more complex and phishing-resistant authentication becomes a requirement, break glass accounts need to be configured correctly. An improperly configured emergency access account won’t help during an actual lockout scenario.

This post documents how to set up a break glass account with passkey (FIDO2) authentication from scratch. Microsoft recommends phishing-resistant MFA for emergency access accounts, and we’ll walk through the complete implementation in our own tenant.

Each step is covered, including TAP configuration, passkey registration, SSPR handling, and Conditional Access exclusions. The process follows Microsoft’s official guidance while showing the practical details you’ll encounter when building this yourself.

This walkthrough is a collaboration between Martin Bengtsson and Christian Frohn, documenting the implementation in our tenant.

So when your Conditional Access policies say “you can’t get there from here,” we’ll show you How To Get There From Here. 🔓

Device Compliance with Configuration Baselines, Configuration Manager version 1910 and Microsoft Intune

January 4, 2020January 3, 2020 by Martin Bengtsson

Introduction

This must be one of my favorite features of Configuration Manager version 1910: Include custom configuration baselines as part of compliance policy assessment.

For a detailed description of the feature, I suggest you read the What’s new article.

In short, this enables us to assess device compliance based on almost anything and really extends the possibilities.

I will walk through the setup required and give you a quick and easy example on how to use this new awesome feature in a co-management scenario.

Intune enrollment, Multi-Factor Authentication and registering Security Information with Conditional Access

June 14, 2019June 14, 2019 by Martin Bengtsson

Introduction

This is a little something on the new option with Conditional Access, where you can specify restrictions for registering the end users security information used with Multi-Factor Authentication.

This is a nifty addition, enabling you to control when and where the security information can be added or changed, making sure it’s not an attacker who’s messing with the details.

In this post i’m trying to put this into the context of enrolling a new device, in this example an iOS device, where MFA is required for enrollment.

If the enrollment is being done by a user who’s without security information (imagine a newly hired employee), the user is initially prompted to register the security information. Now also imagine this being done by an attacker instead. Not good. Therefore it’s desirable to control from where the registering of the security information can be done. Curious? Read on 🙂

Connect to Exchange Online with Powershell, Modern Authentication and Conditional Access

April 2, 2019March 31, 2019 by Martin Bengtsson

Introduction

This is not one of the usual topics I blog about, but nonetheless it’s quite relevant. If you leverage Conditional Access to protect your corporate resources, good chances are that you are blocking legacy authentication (or at least that is something you should consider doing).

If you also fancy connecting to Exchange Online using Powershell for automation reasons, another good chance is that this is done with basic/legacy authentication. This is obviously a conflict with my first statement, so I figured it would make a good blog post to describe how to connect to Exchange Online automated with Modern Authentication while being protected by Conditional Access.

Azure AD Application Proxy, Single Sign-On and Conditional Access

November 19, 2018November 18, 2018 by Martin Bengtsson

Introduction

As the topic suggests, the following post will be about the Azure AD Application Proxy feature – a feature within Azure Active Directory. I haven’t blogged specifically about this feature before, but I do think it deserves a mention here as well.

I will go into details on how to provide secure remote access to an internal IIS website, and give an example on how to add single sign-on to that experience while protecting everything with Conditional Access.

This post will be followed up with a continuation, where everything will be put to use on a mobile device with a Microsoft Intune managed Edge browser. Curious? Read on and stay tuned 🙂

The end result where an internal IIS is reachable from www

Block access to company resources if running an out-of-date iOS version using Microsoft Intune and Conditional Access

August 14, 2018 by Martin Bengtsson

Introduction

Do you need a simple, but yet effective way of forcing people into updating iOS on their company enrolled Apple devices? Simply block access to company resources if iOS is not up to date. Here is how you can do that using Microsoft Intune and Conditional Access in Microsoft Azure.

Peek into Microsoft Intune and the device compliance policies

Conditional Access: Restrict access to company resources and only grant access to trusted IPs

September 6, 2021July 10, 2018 by Martin Bengtsson

Introduction

I have previously given a few examples on use cases for Conditional Access, and I admit, for the Conditional Access newbie, the options available can seem daunting. So how about a very simple scenario, where access to company resources are blocked, if not coming from a trusted IP?

Imagine service accounts running some Powershell scripts for automation in your Azure/O365 tenant or other accounts who are never meant to be used outside of your organization. Simply block those from authenticating in Azure/O365 if not coming from your headquarter public IP. This is how you can do just that, using Conditional Access.

Illustration of the conditions of a Conditional Access rule. In this scenario, location is in focus

Microsoft Intune and Conditional Access in a Co-management scenario

June 5, 2018June 5, 2018 by Martin Bengtsson

Introduction

Last week I gave an example on how to leverage Microsoft Intune and Conditional Access to restrict access to Exchange Online for iOS devices. This week, I’m continuing the use of Microsoft Intune and Conditional Access, and will give an example on how to restrict access to company e-mail if not using a Windows 10 1803 device. All of this based on a computer co-managed with both Microsoft Intune and Configuration Manager.

So basically; no e-mails if not running on the latest and greatest version of Windows 10 on my co-managed device.

Conditional Access: Restrict access to Exchange Online and only grant access to company enrolled devices using the Outlook app

July 25, 2018June 1, 2018 by Martin Bengtsson

Introduction

Long title, but that’s actually what this post is going to cover; how you can secure the access to company e-mail accounts and only allow access to such, if coming from an enrolled (compliant) Intune device and that device uses the Outlook app.

In this scenario, we only uses iOS devices and of such only allow enrollment of iOS devices, but this can of course be android and Windows as well. Everything in this post is achievable with the use of Microsoft Intune and Conditional Access in Azure. Curious? Read on 🙂

Conditional Access: Require MFA for accessing Exchange Online Webmail if browsing from a private device

August 28, 2018January 26, 2018 by Martin Bengtsson

Introduction

While brewing on a much more detailed post on how I moved my devices from Intune Hybrid with ConfigMgr to Intune standalone, I thought I’d share how you can offer webmail for your users, while requiring MFA (Multifactor Authentication) if not coming from a company device, using Conditional Access.

In this post I will only cover the actual steps in Intune, but for this to work, you will have to have your Windows devices registered with Azure AD. There will be some requirement for your on-prem AD and for your ADFS, if that’s how you federate with Azure/O365. These requirements are explained in details in this Microsoft article: https://docs.microsoft.com/da-dk/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup