When you start tightening the requirements for access to your corporate cloud, it can be easy to accidentally lock yourself out and cut yourself off from access to the admin interface.

Alternatively, some part of Microsoft Entra ID may fail. For example, there have been a couple of occasions in the past when multi-factor authentication in Microsoft Entra ID failed and you could not authenticate.

What are break-glass accounts

The above are the primary reasons why you should have break-glass accounts (also known as emergency access accounts) in your environment. Break-glass accounts are special accounts with the highest privileges that are used for emergency access when the standard options and methods are not available, such as in the two situations mentioned above.

Break-glass accounts should be exempted from all restrictions, i.e. typically from all conditional access policies. They will not require MFA, they will not require compliant devices, there will be no restrictions on them at all.

If you have multiple accounts, it’s best to put those accounts in a Microsoft Entra ID Security group and put that group in the exclusions in conditional access policies.

This security group should be role-enabled (role-assignable). The reason is that membership of an ordinary group can be managed by many different privileged and even less privileged roles, whereas membership of a role-enabled group can only be administered by global administrators and privileged role administrators. The group is therefore significantly better protected against membership changes. This matters because anyone able to change the membership of this group could exempt further accounts from the conditional access policies simply by adding other users to the group, which is highly risky.

It is also a good idea to strictly monitor and report any membership changes for the group with your break-glass accounts.
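As an added example (not from the original post), a Microsoft Sentinel KQL query over the AuditLogs table that surfaces every membership and ownership change to the break-glass group; the group object id is a placeholder you would replace with your own:

```kql
// Added example: alert on any membership or ownership change to the break-glass group.
// Assumption: BreakGlassGroupId is a placeholder for the object id of your role-enabled group.
let BreakGlassGroupId = "00000000-0000-0000-0000-000000000000";
AuditLogs
| where Category == "GroupManagement"
| where OperationName in ("Add member to group", "Remove member from group",
                          "Add owner to group", "Remove owner from group")
// The group id appears inside the modifiedProperties of the target user entry
| where tostring(TargetResources) has BreakGlassGroupId
// Who made the change: an interactive user, or an application / service principal
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
// For membership and ownership operations the first target resource is the user
// that was added or removed
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, Result, Actor, ActorIp, TargetUser, CorrelationId
| order by TimeGenerated desc
```

Schedule it as an analytics rule with High severity; even an "Add member to group" performed by a legitimate administrator deserves review, because it widens the conditional access exclusion.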

Break-glass accounts must always be created on the default onmicrosoft.com domain and must be cloud-only, i.e. not synchronized.

How many break-glass accounts do you need to have

You should have at least one break-glass account in every environment, no matter how big the company is. It is generally recommended to have at least two, both for redundancy (one can substitute for the other) and because the two accounts can be configured differently.

How to secure a break-glass account

As I mentioned above, these accounts are excluded from all conditional access policies. This is so that if a mistake is made, for example, during the editing of conditional access policies, the entire environment is not locked down, but that break-glass accounts always have unrestricted access.

This means that no restrictions are normally applied to these accounts. Yet the account in question is super-privileged – it has global administrator permissions in Microsoft Entra ID and could therefore do a lot of damage if it got into the hands of someone unauthorized.

The security of the break-glass account will need to be split into two parts. The first part will be technical measures to secure the account. The second part will be the organizational measures to secure the account.

Technical measures to secure the break-glass account

Recommendations on technical measures may vary slightly. I generally recommend having at least two break-glass accounts. Both of these accounts will be exempt from all standard conditional access policies.

Security of the break-glass accounts

Both accounts will be tied to FIDO2 keys. FIDO2 is one of the most secure authentication methods. It is a password-less authentication method that is also phishing-resistant. The FIDO2 key must be a physical (hardware) key – do not use software keys (passkeys).

Always use hardware FIDO2 keys for break-glass accounts.

These accounts will have a long (at least 60 characters, I usually set 100+ characters), randomly generated secure password that consists of all possible characters, i.e. uppercase, lowercase, numbers and special characters. The password for these accounts will not be stored anywhere – once generated and set for that account, it will be irretrievably discarded.

These accounts will have one special conditional access policy applied to them, which will require phishing-resistant authentication. Nothing else, no other requirements or restrictions.

Each of these accounts should be physically stored in a different location to ensure redundancy of access. Ideally in a different geographic location, but at least not together in the same office, drawer or safe. Even access to these physical keys should be redundant so that if one person is absent, the organization does not lose access to break-glass accounts.

Password-protected break-glass accounts

It used to be recommended to have a password-protected break-glass account. But that was back when there was no option to log in to Azure AD / Microsoft Entra ID using FIDO2. FIDO2 authentication is a very secure authentication method, which is also not dependent on any other service (unlike multi-factor authentication), so there is no risk of losing access because a dependent service fails. Therefore, it is no longer recommended to have a break-glass account protected only by a password; instead, all break-glass accounts should be protected by FIDO2.

Organizational measures to secure the break-glass account

For organizational measures, it depends on what kind of organization it is, how big it is and how its other processes are set up. The need for a break-glass account applies to organizations of all types and sizes, but the formal requirements will vary.

For a small organization, the FIDO2 key for the first account will likely be held by the CEO and the FIDO2 key for the second account by an IT person, for example. For a large organization, it may be appropriate to split this up further.

This is because large organizations may also have restricted what would otherwise be common processes. For example, no one may have standing access to an account with global admin permissions; instead, such a role would always be granted through a Privileged Identity Management (PIM) approval process. Anyone with access to a break-glass account would be able to bypass such organizational PIM requirements.

In this case, it is advisable to split the access into two parts. For example, the FIDO2 key for an account is managed by one person, but the PIN for that FIDO2 key is managed by another person. The general idea is to prevent one person from misusing such a highly privileged account.

It is also necessary to take care of the correct physical protection of the FIDO2 key and PIN. It is not entirely appropriate for someone to have this on their desk in the office. It is better to choose some sort of safe in which to store it securely. And do not store the PIN and the corresponding FIDO2 key at the same place.

Monitoring of break-glass accounts

Break-glass accounts must also have rigorous monitoring and reporting. All activity on these accounts should be reported as a high-risk security incident, for example, in Microsoft Sentinel.
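An added example (not part of the original post) of the Sentinel analytics rule query behind that high-severity incident: every interactive and non-interactive sign-in by the break-glass accounts, successful or not, together with the authentication method used, so that a password or other non-FIDO2 sign-in stands out. The two account names are placeholders:

```kql
// Added example: any sign-in attempt by a break-glass account is a High-severity incident.
// Assumption: the two UPNs below are placeholders for your own break-glass accounts.
let BreakGlassAccounts = dynamic(["breakglass1@contoso.onmicrosoft.com",
                                  "breakglass2@contoso.onmicrosoft.com"]);
// Interactive sign-ins
let Interactive = SigninLogs
    | where UserPrincipalName in~ (BreakGlassAccounts)
    | project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress,
              AppDisplayName, AuthenticationRequirement,
              AuthDetails = tostring(AuthenticationDetails), SignInKind = "interactive";
// Non-interactive (token refresh, background) sign-ins live in a separate table
let NonInteractive = AADNonInteractiveUserSignInLogs
    | where UserPrincipalName in~ (BreakGlassAccounts)
    | project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress,
              AppDisplayName, AuthenticationRequirement,
              AuthDetails = tostring(AuthenticationDetails), SignInKind = "non-interactive";
union Interactive, NonInteractive
// ResultType "0" is success; anything else is a failure and still worth an incident
| extend Outcome = iff(ResultType == "0", "Success", strcat("Failure: ", ResultDescription))
// First authentication method recorded for the sign-in (e.g. "FIDO2 security key")
| extend AuthMethod = tostring(parse_json(AuthDetails)[0].authenticationMethod)
// Assumption: a break-glass account should only ever authenticate with a FIDO2 key,
// so any other recorded method (password, SMS, authenticator app) is an extra red flag
| extend NonFido2 = AuthMethod != "" and AuthMethod !~ "FIDO2 security key"
| project TimeGenerated, UserPrincipalName, SignInKind, Outcome, AuthMethod, NonFido2,
          IPAddress, AppDisplayName, AuthenticationRequirement
| order by TimeGenerated desc
```

Map UserPrincipalName and IPAddress as the Account and IP entities on the rule, and treat a NonFido2 row or a sign-in outside a known maintenance window as an immediate escalation.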

Whenever the password of the second account is used, the password of that account must be changed and a new unique secure password must be generated. It is definitely not enough to just change or add one character; you really need to generate a completely new secure, unique password.

Want more information and to discuss scenarios in detail specific to your organization? Contact me!