We’ve been talking a lot about the fire emergency evacuation plan at work recently. Our renter is shaping up the plan and is installing additional fire extinguishers and so on. This inspired me to write a post on how organizations should implement “break glass accounts” in Azure Active Directory.
Emergency access accounts, often referred to as “break glass accounts”, are an important part of an organization’s disaster recovery plan. These accounts are highly privileged and should only be used when normal admin accounts can’t sign in. Microsoft recommends at least two break glass accounts in an Azure AD tenant. If you don’t have such accounts in place you should plan to implement at least two as soon as possible. Please use the guidelines in this blog post to implement this right.
As you understand, these accounts are super important to help you sort out disasters like locking yourself out of your tenant with Conditional Access policies, failing federation services, service outages and more. For example, a break glass account might be your only way back in when the Microsoft MFA service goes down. But break glass accounts are also extremely important to keep safe, as many of the important security functions like MFA are disabled for them. Break glass accounts should be kept secret and no admin should know the entire password without “breaking the glass”.
I have collected some important guidelines around security and configuration of Emergency Access Accounts.
Break Glass Account Security Guidelines
- Should have a complex, hard-to-guess username.
- Must have a complex password, preferably split into two parts, stored in envelopes at two different secure locations in fireproof safes.
- There should be a list of allowed admins who can use the break glass accounts. These admins should, of course, also hold the Global Admin role under normal circumstances.
- Be sure to monitor break glass accounts in Azure AD sign-in logs and audit logs and act on any unexpected activity.
Break Glass Account Configuration Guidelines
- Must have the Global Administrator role assigned permanently.
- Must have password set to never expire.
- Must not have MFA configured.
- Must be excluded from ALL Conditional Access policies.
- Must not be assigned to a specific individual.
- Must be a cloud-only account.
- Should use the tenant's *.onmicrosoft.com domain (to avoid domain and federation issues).
- Must not be federated.
- Should not be synchronized with on-prem AD.
- Should not be connected with any employee-supplied mobile phones or hardware tokens.
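As an added example (not part of the original post), here is a Python check that runs the configuration guidelines above against account, policy and role data in the shape returned by Microsoft Graph. The user, Conditional Access policy and role-member data are constructed samples, and the function name is my own.

```python
import json

# Constructed sample data shaped like Microsoft Graph responses
# (GET /users/{id}, GET /identity/conditionalAccess/policies); not real tenant data.
BREAK_GLASS_USER = json.loads("""{
  "id": "bg-user-0001",
  "userPrincipalName": "x7k2q9v4emergency@contoso.onmicrosoft.com",
  "accountEnabled": true,
  "passwordPolicies": "DisablePasswordExpiration",
  "onPremisesSyncEnabled": null
}""")
CA_POLICIES = json.loads("""[
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-user-0001"]}}},
  {"displayName": "Block legacy authentication", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}}
]""")
# Object ids holding a permanent (active, not merely eligible) Global Administrator
# assignment; constructed sample.
PERMANENT_GLOBAL_ADMINS = {"bg-user-0001", "bg-user-0002"}


def check_break_glass(user, policies, permanent_global_admins):
    """Return the list of guideline violations for one account (empty = compliant)."""
    findings = []
    upn = user.get("userPrincipalName", "").lower()
    if not upn.endswith(".onmicrosoft.com"):
        findings.append("UPN is not on the tenant's *.onmicrosoft.com domain (federation risk)")
    if "DisablePasswordExpiration" not in (user.get("passwordPolicies") or ""):
        findings.append("password is not set to never expire")
    if user.get("onPremisesSyncEnabled"):  # null/false for cloud-only accounts
        findings.append("account is synchronized from on-prem AD; must be cloud-only")
    if not user.get("accountEnabled"):
        findings.append("account is disabled")
    if user["id"] not in permanent_global_admins:
        findings.append("Global Administrator is not assigned permanently")
    # Must be excluded from ALL Conditional Access policies, including disabled or
    # report-only ones, since those can be switched on later and lock the account out.
    for policy in policies:
        excluded = policy.get("conditions", {}).get("users", {}).get("excludeUsers", [])
        if user["id"] not in excluded:
            findings.append(f"not excluded from Conditional Access policy "
                            f"'{policy.get('displayName')}' (state: {policy.get('state')})")
    return findings


if __name__ == "__main__":
    for finding in check_break_glass(BREAK_GLASS_USER, CA_POLICIES, PERMANENT_GLOBAL_ADMINS):
        print("VIOLATION:", finding)
```

With the sample data the only violation reported is the missing exclusion from the "Block legacy authentication" policy, which is exactly the kind of gap that the 90-day verification routine below is meant to catch.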
Documentation and Validation
- The emergency routine should be well documented and always kept current.
- Finally, the accounts and emergency routines should be verified and practiced at least every 90 days by all approved admins. Make sure to put this in the calendar!
I hope that these guidelines will help you in your emergency planning. Please follow me here, on LinkedIn and on Twitter for more cloud stuff.