You generally should exclude break-glass accounts from conditional access policies, but you need some to prevent someone from discovering the password and then registering a rogue device for MFA.
Shouldn’t you have some restrictions, such as strictly requiring phishing-resistant MFA for login and having location restrictions for registering new authentication methods?