When enforcing SSO it would be nice to be able to exclude an account as a breakglass that could be used in the rare circumstance a certificate every expired we could use that to navigate back into the console and renew it.