All Conditional Access policies are configured to exclude at least one emergency account or group.
Why This Matters
Without a designated break glass account excluded from all Conditional Access policies, a misconfiguration could lock out all administrators from the tenant. This creates an irreversible loss of access, potentially leading to extended downtime and security incidents that cannot be managed. IT administrators must ensure a reliable fallback for emergency access to maintain operational continuity and avoid costly recovery efforts.
What Aether365 Checks
This check verifies that at least one emergency or break glass account, or a dedicated group, is excluded from every Conditional Access policy in your tenant. It appears in the Aether365 dashboard under microsoft-365 checks as a medium severity item.
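One way to express this check over exported policy data, as an added example that is not Aether365's own code: it reads policies in the shape Microsoft Graph returns from /identity/conditionalAccess/policies and reports any policy that excludes none of the designated emergency principals. The sample policies, the object IDs and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# GET /identity/conditionalAccess/policies (all IDs are placeholders).
SAMPLE = json.loads("""
{"value": [
  {"displayName": "Require MFA for admins", "state": "enabled",
   "conditions": {"users": {"includeRoles": ["role-ga"],
                            "excludeUsers": ["user-bg1"], "excludeGroups": []}}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": [], "excludeGroups": ["group-bg"]}}},
  {"displayName": "Require compliant device",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"],
                            "excludeUsers": ["user-svc"], "excludeGroups": []}}}
]}
""")

def excluded_principals(policy):
    """Return the user and group IDs a policy excludes, tagged by kind."""
    users = (policy.get("conditions") or {}).get("users") or {}
    return ({("user", u) for u in users.get("excludeUsers") or []} |
            {("group", g) for g in users.get("excludeGroups") or []})

def policies_without_emergency_exclusion(policies, emergency):
    """Names of policies that exclude none of the emergency principals.

    Every policy is checked regardless of state, because a disabled or
    report-only policy can be switched to enforced later.
    """
    return [p["displayName"] for p in policies
            if not excluded_principals(p) & emergency]

def excluded_everywhere(policies):
    """Principals excluded from every policy (empty set if none exist)."""
    sets = [excluded_principals(p) for p in policies]
    return set.intersection(*sets) if sets else set()

if __name__ == "__main__":
    # Assumption: the emergency principals are known by object ID.
    emergency = {("user", "user-bg1"), ("group", "group-bg")}
    policies = SAMPLE["value"]
    print("Missing exclusion:",
          policies_without_emergency_exclusion(policies, emergency))
    print("Excluded everywhere:", excluded_everywhere(policies))
```

The comparison uses object IDs exactly as they appear in each policy, so an emergency account covered only through membership of an excluded group is matched by the group ID, not the user ID.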