When you start tightening the requirements for access to your corporate cloud, it is easy to accidentally lock yourself out of the admin interface: a misconfigured access policy applies to the administrator who created it just as it does to everyone else.

Alternatively, some part of Microsoft Entra ID may fail. For example, Microsoft Entra multi-factor authentication has had outages in the past during which nobody could complete MFA, so nobody subject to an MFA requirement could sign in.

What are break-glass accounts

These are the two primary reasons why you should have break-glass accounts (also known as emergency access accounts) in your environment. Break-glass accounts are special accounts with the highest privileges, used for emergency access when the standard accounts and sign-in methods are not available, as in the two situations above.

Break-glass accounts should be exempted from all restrictions, which in practice means excluding them from all standard conditional access policies. They will not require MFA, they will not require a compliant device; no restrictions apply to them at all.

If you have multiple accounts, it is best to put them in a Microsoft Entra ID security group and add that group to the exclusions of every conditional access policy, rather than excluding the accounts one by one.

This security group should be role-assignable (also called role-enabled: created with "Microsoft Entra roles can be assigned to the group" turned on). Membership of an ordinary security group can be changed by a range of more and less privileged users, such as Groups Administrators or User Administrators, whereas membership of a role-assignable group can only be changed by Global Administrators, Privileged Role Administrators and the group's owners. The group is therefore significantly better protected against membership changes. Note that the flag can only be set when the group is created and cannot be added to an existing group later. This protection matters because anyone who can add a user to this group has effectively removed that user from every conditional access policy, which is highly risky.

Break-glass accounts must always be cloud-only accounts created on the tenant's default onmicrosoft.com domain. They must not be synchronized from on-premises Active Directory and must not sit on a federated domain, so that an outage of the sync service or of the federation provider cannot take them down together with everything else.
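As an added example (not part of the original article), the following Microsoft Graph PowerShell script creates the role-assignable group, adds the break-glass accounts to it while refusing any synchronized account, and then runs the check a practitioner wants: it lists every conditional access policy that does not yet exclude the group and adds the exclusion where it is missing. The group name, the account UPNs and the display name of the policy to skip are assumptions.

```powershell
# Added example, not code from the original article. Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Group name, account UPNs and the
# policy display name to skip are placeholders (assumptions); adjust to your tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", `
                        "User.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$groupName      = "SG-BreakGlass"                        # assumed
$breakGlassUpns = @("bg-fido@contoso.onmicrosoft.com",   # assumed; cloud-only accounts on the
                    "bg-pwd@contoso.onmicrosoft.com")    # tenant's default .onmicrosoft.com domain
# Policies that deliberately target a break-glass account must keep doing so, e.g. the
# one requiring phishing-resistant MFA for the FIDO2 account; they are skipped below.
$policiesToSkip = @("Break-glass: require phishing-resistant MFA")   # assumed display name

# 1. Create the group as role-assignable. isAssignableToRole can only be set at creation
#    time and never changed afterwards, so create a new group rather than converting one.
$group = New-MgGroup -DisplayName $groupName -MailNickname "sg-breakglass" `
                     -SecurityEnabled -MailEnabled:$false -IsAssignableToRole

# 2. Add the break-glass accounts, refusing any account that is synchronized from AD.
foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, OnPremisesSyncEnabled
    if ($user.OnPremisesSyncEnabled) {
        throw "$upn is synchronized from on-premises AD; break-glass accounts must be cloud-only."
    }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# 3. The check: every Conditional Access policy that does not yet exclude the group.
function Get-PolicyMissingBreakGlassExclusion {
    param([string]$GroupId, [string[]]$Skip)
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $Skip -notcontains $_.DisplayName } |
        Where-Object { $_.Conditions.Users.ExcludeGroups -notcontains $GroupId }
}

# 4. Add the exclusion. The whole conditions.users object is sent back, with the existing
#    lists preserved, so that nothing else in the policy is wiped. If a policy also uses
#    guest/external-user conditions, carry those over too before running this for real.
function Add-BreakGlassExclusion {
    param([Parameter(ValueFromPipeline)]$Policy, [string]$GroupId)
    process {
        $u = $Policy.Conditions.Users
        $body = @{ conditions = @{ users = @{
            includeUsers  = @($u.IncludeUsers)
            excludeUsers  = @($u.ExcludeUsers)
            includeGroups = @($u.IncludeGroups)
            excludeGroups = @($u.ExcludeGroups) + $GroupId
            includeRoles  = @($u.IncludeRoles)
            excludeRoles  = @($u.ExcludeRoles)
        } } }
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $Policy.Id -BodyParameter $body
        Write-Host "Excluded '$($Policy.DisplayName)'"
    }
}

$missing = Get-PolicyMissingBreakGlassExclusion -GroupId $group.Id -Skip $policiesToSkip
$missing | Format-Table DisplayName, State -AutoSize
$missing | Add-BreakGlassExclusion -GroupId $group.Id
```

Run step 3 on its own periodically as well: a newly created policy that forgets the exclusion is exactly the mistake the break-glass accounts are there to survive, and this report catches it before it matters.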

How many break-glass accounts do you need to have

You should have at least one break-glass account in every environment, no matter how big or small the company is. It is generally recommended to have at least two, both for redundancy (if one cannot be used, the other still works) and because, as described below, the two accounts are configured differently.

How to secure a break-glass account

As mentioned above, these accounts are excluded from all standard conditional access policies. This is so that if a mistake is made, for example while editing a conditional access policy, the entire environment is not locked out; the break-glass accounts always retain unrestricted access.

This means that normally no restrictions apply to these accounts. Yet the account in question is super-privileged: it holds the Global Administrator role in Microsoft Entra ID and could therefore do enormous damage if it fell into the hands of someone unauthorized.

Securing a break-glass account therefore has two parts: technical measures to secure the account itself, and organizational measures to control who can use it.

Technical measures to secure the break-glass account

Recommendations on technical measures may vary slightly. I generally recommend having at least two break-glass accounts, both exempt from all standard conditional access policies.

Security of the first account

The first account will be tied to a FIDO2 security key. FIDO2 is one of the most secure authentication methods available: it is passwordless and phishing-resistant, because the key signs a challenge bound to the genuine sign-in origin, so a credential captured on a fake login page cannot be replayed.

This account will also have a long, randomly generated password (at least 60 characters; I usually set 100 or more, and Microsoft Entra ID accepts up to 256) drawn from all character classes: uppercase, lowercase, digits and special characters. The password will not be stored anywhere: once generated and set on the account, it is irretrievably discarded. Nobody knows it, so it cannot be phished, guessed or leaked.

This account will have one special conditional access policy applied to it, and only to it, which requires phishing-resistant authentication (the built-in "Phishing-resistant MFA" authentication strength). Nothing else: no other requirements or restrictions. Because the password is unknown and this policy does not accept a password plus a weaker second factor, the FIDO2 key is the only way into the account. Register the key before enabling the policy, otherwise you lock the account out immediately.

This will be the primary break-glass account: signing in does not need its password, and FIDO2 authentication makes it significantly more secure.

Security of the second account

The second account will be secured by password only, in case FIDO2 authentication cannot be used for any reason (for example the key is lost or damaged, or FIDO2 sign-in itself is unavailable).

This account must again have a very strong, randomly generated password, but one that can realistically be typed in an emergency. So it should not be absurdly long, and it should not contain characters you cannot type on a regular keyboard. I usually recommend a length of at least 40 characters, using uppercase letters, lowercase letters, digits and common special characters.

Importantly, you must store the password for this account somewhere secure, and that place must not be an electronic vault or password manager: not CyberArk, not 1Password, not KeePass, nothing of the kind. Firstly, because the vault may itself be compromised in a security incident. Secondly, because the vault may be unavailable at exactly the moment you need it, just like the other services, which I have seen and experienced many times: the organization had its passwords, including those of its break-glass accounts, stored in CyberArk, and CyberArk could not be accessed. For the same reasons the password must not exist on any computer in any other form either.

Optimally, print the password on paper and store the paper somewhere safe. A flash drive is not a good alternative: flash memory does not reliably retain data over long periods, and the password may no longer be readable when you finally need it.

This account has no restrictions and no limitations; it is completely excluded from all conditional access policies.
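The configuration of both accounts described in this section, as one added example that is not code from the original article: a Microsoft Graph PowerShell script that creates the two cloud-only accounts, generates the passwords (the full-character-set password for the first account and the keyboard-friendly one for the second), assigns Global Administrator, creates the single phishing-resistant-MFA policy for the first account and then discards that account's password. The domain, UPNs and display names are assumptions; the random-password function is shown in full because a biased "byte modulo alphabet size" generator is a common mistake.

```powershell
# Added example, not code from the original article. Requires the Microsoft Graph
# PowerShell SDK; the domain, UPNs and display names are placeholders (assumptions).
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All", `
                        "RoleManagement.ReadWrite.Directory", "Policy.ReadWrite.ConditionalAccess"

$domain = "contoso.onmicrosoft.com"   # assumed; must be the tenant's default .onmicrosoft.com domain

# Cryptographically random password drawn from the given alphabet. Bytes >= $limit are
# rejected so that "byte mod alphabet size" does not favour the first characters.
function New-RandomPassword {
    param([int]$Length, [string]$Alphabet)
    $n     = $Alphabet.Length
    $limit = 256 - (256 % $n)          # largest multiple of $n that fits in the byte range
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = [System.Text.StringBuilder]::new()
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($Alphabet[$buf[0] % $n]) }
    }
    $sb.ToString()
}
# Account 1: every printable ASCII character; Entra ID accepts all of them (max 256 chars).
$fullAlphabet    = -join ([char[]](33..126))
# Account 2: letters, digits and symbols found on any keyboard, for typing in an emergency.
$typableAlphabet = (-join ([char[]](48..57) + [char[]](65..90) + [char[]](97..122))) + '!@#$%^&*-_=+?'

function New-BreakGlassUser {
    param([string]$Upn, [string]$DisplayName, [string]$Password)
    $user = New-MgUser -UserPrincipalName $Upn -DisplayName $DisplayName `
        -MailNickname ($Upn.Split('@')[0]) -AccountEnabled `
        -PasswordPolicies "DisablePasswordExpiration" `
        -PasswordProfile @{ Password = $Password; ForceChangePasswordNextSignIn = $false }
    # Global Administrator role template, assigned permanently (outside PIM) at tenant scope.
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `
        -PrincipalId $user.Id -DirectoryScopeId "/" | Out-Null
    $user
}

# Account 1 (FIDO2). The throwaway password is used exactly once, to register the key.
$throwaway = New-RandomPassword -Length 100 -Alphabet $fullAlphabet
$fido = New-BreakGlassUser -Upn "bg-fido@$domain" -DisplayName "Break-glass 1 (FIDO2)" -Password $throwaway
Write-Host "Account 1 throwaway password (use once to register the FIDO2 key): $throwaway"

# Account 2 (password only). Shown once so it can be printed and put in a safe; it is
# deliberately not written anywhere else.
$secondPassword = New-RandomPassword -Length 40 -Alphabet $typableAlphabet
$pwdOnly = New-BreakGlassUser -Upn "bg-pwd@$domain" -DisplayName "Break-glass 2 (password)" -Password $secondPassword
Write-Host "Created $($pwdOnly.UserPrincipalName). Password (print it, store the paper in a safe, then clear this console):"
Write-Host $secondPassword

# Register the FIDO2 key on account 1 BEFORE the policy below is enforced; otherwise the
# account is locked out the moment its password is discarded.
Read-Host "Sign in as $($fido.UserPrincipalName) with the throwaway password, register the FIDO2 key, then press Enter"

# The one policy that applies to account 1: phishing-resistant MFA, nothing else. It is
# scoped to this user only, so it never touches account 2.
$policy = @{
    displayName   = "Break-glass: require phishing-resistant MFA"
    state         = "enabled"
    conditions    = @{
        users          = @{ includeUsers = @($fido.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }  # built-in "Phishing-resistant MFA"
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Discard account 1's password: overwrite it with a fresh 120-character value that is
# never displayed or stored. From now on the FIDO2 key is the only way into this account.
Update-MgUser -UserId $fido.Id -PasswordProfile @{
    Password                      = (New-RandomPassword -Length 120 -Alphabet $fullAlphabet)
    ForceChangePasswordNextSignIn = $false
}
```

Password expiration is disabled on both accounts so that an expired password cannot turn the emergency account into a locked one; the Global Administrator assignment is a permanent one outside PIM, which is precisely why the organizational measures below are needed.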

Organizational measures to secure the break-glass account

Organizational measures depend on what kind of organization it is, how big it is and how its other processes are set up. The need for a break-glass account applies to organizations of every type and size; only the formal requirements vary.

For a small organization, the FIDO2 key for the first account and the password for the second account will likely be held by the CEO or by the IT person. For a large organization, it may be appropriate to split this up.

This is because large organizations often have stricter processes around privileged access. For example, nobody may hold Global Administrator permissions permanently; the role is obtained only through a Privileged Identity Management (PIM) activation with an approval step. Anyone holding a break-glass account can bypass those PIM controls, because the account is a standing Global Administrator outside PIM.

In that case, it is advisable to split the access between two people so that neither can use the account alone. For example, one person holds the FIDO2 key for the first account while another knows its PIN; or the password for the second account is split in half, with one person holding each half. The general idea is to prevent a single person from misusing such a highly privileged account.

The password, the FIDO2 key and its PIN also need proper physical protection. They do not belong in someone's desk drawer in the office; store them in a safe.

Monitoring of break-glass accounts

Break-glass accounts must also be rigorously monitored and reported on. Any sign-in or other activity on these accounts should be raised as a high-severity security incident, for example by an analytics rule in Microsoft Sentinel, and so should any change to the membership of the break-glass group, since adding a member to it exempts that member from every conditional access policy.

Whenever the password of the second account is used, it must be changed afterwards: a new, unique, randomly generated password must be set and printed in its place. Changing or adding a single character is definitely not enough; the whole password has to be regenerated.
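The monitoring described above, as an added example that is not code from the original article: a KQL query for a Microsoft Sentinel scheduled analytics rule that fires on any sign-in attempt by either account, plus a Microsoft Graph PowerShell spot check for recent break-glass sign-ins and for changes to the break-glass group. The spot check exists because Sentinel, like any other service, can be the thing that is unavailable. The object IDs are assumptions.

```powershell
# Added example, not code from the original article. Two independent ways to surface
# break-glass activity: the KQL query for a Microsoft Sentinel scheduled analytics rule,
# and a Microsoft Graph PowerShell spot check that still works if Sentinel itself is down.
# The object IDs are placeholders (assumptions); use the real IDs of your accounts and group.
$breakGlassIds = @("11111111-1111-1111-1111-111111111111",   # assumed object ID of account 1
                   "22222222-2222-2222-2222-222222222222")   # assumed object ID of account 2
$groupId       = "33333333-3333-3333-3333-333333333333"      # assumed object ID of the break-glass group

# Sentinel rule query: every sign-in attempt by either account, interactive or not,
# successful or failed. Create the rule with severity High, run it every 5 minutes and
# trigger on more than 0 results, so each hit becomes an incident.
$idList = ($breakGlassIds | ForEach-Object { "'$_'" }) -join ", "
$kql = @"
let BreakGlass = dynamic([$idList]);
union SigninLogs, AADNonInteractiveUserSignInLogs
| where UserId in (BreakGlass)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType, ResultDescription, ConditionalAccessStatus
"@
Write-Host $kql

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

function Get-UtcSince([int]$Hours) {
    (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString("yyyy-MM-ddTHH:mm:ssZ")
}

# Any sign-in by a break-glass account in the last $Hours hours (default: one day).
function Get-BreakGlassSignIn {
    param([string[]]$UserIds, [int]$Hours = 24)
    $since = Get-UtcSince $Hours
    foreach ($id in $UserIds) {
        Get-MgAuditLogSignIn -Filter "userId eq '$id' and createdDateTime ge $since" -All |
            Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName,
                          @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }   # 0 = successful sign-in
    }
}

# Any group-management audit event that touched the break-glass group, matched by the
# group's object ID in either the target resources or the modified properties.
function Get-BreakGlassGroupChange {
    param([string]$GroupId, [int]$Hours = 24)
    $since = Get-UtcSince $Hours
    Get-MgAuditLogDirectoryAudit -Filter "category eq 'GroupManagement' and activityDateTime ge $since" -All |
        Where-Object {
            $_.TargetResources.Id -contains $GroupId -or
            (($_.TargetResources.ModifiedProperties.NewValue) -join ' ') -match $GroupId
        } |
        Select-Object ActivityDateTime, ActivityDisplayName,
                      @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } }
}

$signIns = Get-BreakGlassSignIn -UserIds $breakGlassIds
$changes = Get-BreakGlassGroupChange -GroupId $groupId
if ($signIns -or $changes) {
    Write-Warning "Break-glass activity detected; treat as a high-severity incident."
    $signIns | Format-Table -AutoSize
    $changes | Format-Table -AutoSize
}
```

Failed sign-in attempts are kept in both checks on purpose: someone guessing at a break-glass account is as much an incident as someone getting in, and for the password-only account it is the trigger to regenerate and reprint the password.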

Want more information and to discuss scenarios in detail specific to your organization? Contact me!