10.07.26
Conditional Access policy stacking without breaking break-glass accounts
A field-tested layering pattern for organizations rolling out phishing-resistant MFA.
Rolling out phishing-resistant MFA across an organization is a multi-month project. You can't flip a switch and require FIDO2 keys for everyone on day one. You need a layered approach.
The baseline
Start with a policy that requires MFA for all users, all apps, with an exclusion group for your break-glass accounts. This is your foundation.
The escalation path
Add a second policy that requires phishing-resistant methods (FIDO2, Windows Hello, certificate-based auth) for sensitive applications. Target your IT team first.
Protecting break-glass
Your break-glass accounts should be excluded from every Conditional Access policy except one: a policy that requires MFA but allows any method, so they can still sign in during an emergency.
The rollout
Gradually move user groups from the baseline policy to the stricter policy as you distribute hardware keys and train users.
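The four steps above, as one added example that is not part of the original post. It builds the three policies (baseline, phishing-resistant escalation, break-glass) as Microsoft Graph conditionalAccessPolicy bodies, then runs a deliberately simplified evaluator over them to confirm that stacking gives each account the intended requirement and that nothing in the stack demands a hardware key from a break-glass account. The group and application ids are constructed placeholders; the authentication strength id is the built-in "Phishing-resistant MFA" strength; the evaluator models only user, group, application and grant-control matching, not the many other conditions a real tenant evaluates.

```python
"""Conditional Access policy stacking, modelled and checked offline.

Added example (not the post's own code). Policy bodies follow the Microsoft
Graph conditionalAccessPolicy schema; ids below are constructed placeholders.
"""
import json

BREAK_GLASS_GROUP = "grp-break-glass"   # placeholder group id (constructed)
IT_TEAM_GROUP = "grp-it-team"           # placeholder group id (constructed)
SENSITIVE_APPS = ["app-admin-portal", "app-hr-payroll"]  # placeholder app ids

# Built-in Entra authentication strength: "Phishing-resistant MFA"
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"


def policy(name, *, include_users=None, include_groups=None, exclude_groups=(),
           apps=("All",), mfa=False, strength=None):
    """Build one conditionalAccessPolicy body in Microsoft Graph shape."""
    grant = {"operator": "OR", "builtInControls": []}
    if mfa:
        grant["builtInControls"].append("mfa")
    if strength:
        grant["authenticationStrength"] = {"id": strength}
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": list(include_users or []),
                "includeGroups": list(include_groups or []),
                "excludeGroups": list(exclude_groups),
            },
            "applications": {"includeApplications": list(apps)},
        },
        "grantControls": grant,
    }


def build_stack():
    """The three-policy layering from the post: baseline, escalation, break-glass."""
    return [
        policy("CA001 Baseline: MFA, all users, all apps",
               include_users=["All"], exclude_groups=[BREAK_GLASS_GROUP], mfa=True),
        policy("CA002 Phishing-resistant MFA for sensitive apps",
               include_groups=[IT_TEAM_GROUP], exclude_groups=[BREAK_GLASS_GROUP],
               apps=SENSITIVE_APPS, strength=PHISHING_RESISTANT_STRENGTH),
        policy("CA003 Break-glass: MFA, any method",
               include_groups=[BREAK_GLASS_GROUP], mfa=True),
    ]


def applies(pol, user_groups, app):
    """Simplified scope check: user/group include minus exclude, then application."""
    users = pol["conditions"]["users"]
    in_scope = "All" in users["includeUsers"] or bool(set(users["includeGroups"]) & set(user_groups))
    excluded = bool(set(users["excludeGroups"]) & set(user_groups))
    apps = pol["conditions"]["applications"]["includeApplications"]
    return in_scope and not excluded and ("All" in apps or app in apps)


def effective_requirement(policies, user_groups, app):
    """Every matching policy must be satisfied, so the strictest grant wins."""
    req = "none"
    for pol in policies:
        if not applies(pol, user_groups, app):
            continue
        grant = pol["grantControls"]
        if "authenticationStrength" in grant:
            return "phishing-resistant"
        if "mfa" in grant["builtInControls"]:
            req = "mfa"
    return req


def break_glass_lockout_risks(policies):
    """Policies that would demand an authentication strength from a break-glass
    account on some app: the misconfiguration that turns an emergency into a lockout."""
    risky = []
    for pol in policies:
        for app in SENSITIVE_APPS + ["app-anything-else"]:
            if applies(pol, [BREAK_GLASS_GROUP], app) and "authenticationStrength" in pol["grantControls"]:
                risky.append(pol["displayName"])
                break
    return risky


def move_to_strict(policies, group):
    """Rollout step: once a group has keys and training, add it to the strict policy.
    The baseline still covers it; stacking means the stricter grant prevails."""
    for pol in policies:
        if "authenticationStrength" in pol["grantControls"]:
            pol["conditions"]["users"]["includeGroups"].append(group)
    return policies


if __name__ == "__main__":
    stack = build_stack()
    print(json.dumps(stack[1], indent=2))
    for groups, app in [([BREAK_GLASS_GROUP], "app-admin-portal"),
                        ([IT_TEAM_GROUP], "app-admin-portal"),
                        ([IT_TEAM_GROUP], "app-mail")]:
        print(groups, app, "->", effective_requirement(stack, groups, app))
    print("break-glass lockout risks:", break_glass_lockout_risks(stack))
```

The generated bodies can be submitted with Graph PowerShell (`New-MgIdentityConditionalAccessPolicy -BodyParameter $body`); set `state` to `enabledForReportingButNotEnforced` first and read the report-only sign-in results before enforcing. Re-run `break_glass_lockout_risks` whenever a policy is added, since a new strength-based policy that forgets the break-glass exclusion is the most common way this layering gets broken later.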