Break Glass accounts, also known as emergency access accounts, are a failsafe designed to ensure that administrators can always gain access to the Azure AD tenant, even when normal admin accounts cannot sign in due to an unforeseen event.
The Role of Break Glass Accounts in Microsoft Azure
A Break Glass account in Azure AD is a special type of administrative account that is intended for use in emergency scenarios where the regular MFA service is not operational, or when conditional access policies prevent standard sign-in procedures. These accounts are highly privileged and are typically excluded from policies that apply to non-emergency accounts.
Best Practices for Managing Emergency Access Accounts in Azure AD (Microsoft Entra ID)
When setting up Break Glass accounts, Microsoft recommends adhering to certain best practices to secure the account effectively:
- Why Cloud-Only? Cloud-only accounts are not affected by on-premises directory changes, ensuring uninterrupted emergency access.
- Best Practice Implementation: Create these accounts directly in the Azure portal, ensuring they remain entirely separate from any on-premises synchronization processes.
Exclusion from Policies
- The Need for Exclusion: To guarantee access during an emergency, Break Glass accounts must bypass Conditional Access and MFA.
- Best Practice Implementation: Place Break Glass accounts in an Azure AD group that is excluded from all Conditional Access policies and ensure they are not enrolled in MFA.
- Complexity and Security: Use complex passwords that are less prone to brute-force attacks and ensure they are securely managed.
- Best Practice Implementation: Utilize a password manager for generating and storing complex passwords, and set these accounts to have non-expiring passwords.
- Restricting Usage: Limit the use of Break Glass accounts to emergency situations only to prevent misuse.
- Best Practice Implementation: Establish and enforce policies detailing the specific conditions under which these accounts can be used.
- Redundancy is Key: Maintain at least two Break Glass accounts to ensure that one is always available if the other is compromised.
- Best Practice Implementation: Securely store credentials for multiple accounts in different locations and ensure they are both tested regularly.
- Proactive Oversight: Continuously monitor these accounts to detect unauthorized use and respond to alerts.
- Best Practice Implementation: Set up Azure Log Analytics to track account activity and configure Azure Monitor alert rules to notify designated personnel of any account usage.
- Ensuring Readiness: Regularly test Break Glass accounts to confirm they are operational and can provide access when needed.
- Best Practice Implementation: Include Break Glass account testing in routine security exercises, documenting each test and updating procedures based on the findings.
Azure AD Identity and Security Defaults
While Azure AD Security Defaults provide a robust level of security by enforcing MFA through methods like the Microsoft Authenticator app, Break Glass accounts must be able to bypass these controls. This is where Azure AD Identity Protection comes into play, allowing the configuration of these accounts to ensure they remain accessible in emergencies.
Monitoring with Azure Log Analytics and Microsoft Sentinel
To manage emergency access admin accounts effectively, it’s recommended to connect Azure AD sign-in and audit logs with a created Log Analytics workspace. This allows for comprehensive monitoring and analysis of Break Glass account usage. Additionally, integrating with Microsoft Sentinel can provide advanced threat detection and response capabilities.
Azure AD Break Glass accounts are a critical component of a resilient Microsoft Azure security strategy. They give administrators a guaranteed way back into Azure AD so that emergency situations can be managed effectively. By following the best practices for creating and managing these accounts, organizations can ensure that their Azure AD tenant remains secure and accessible, even in the most challenging circumstances.
FAQ – Break-Glass Accounts
Q: How do I create a break glass account in Azure Active Directory?
A: To create a break-glass account in Azure Active Directory (Azure AD), you would typically follow these steps:
- Log into the Azure portal.
- Navigate to Azure Active Directory.
- Go to ‘Users’ and then select ‘New user’.
- Create the user with a strong and unique username that is not susceptible to guessing attacks.
- Assign the user as a ‘Global admin’ but do not assign any other roles that might restrict its capabilities.
- Set a strong password that complies with your organization’s password policies and ensure that it is stored securely.
Q: What are best practices for managing a break-glass account?
A: Best practices for a break-glass account include:
- Ensure that multi-factor authentication (MFA) is enabled, but also have an MFA bypass option in case the MFA service is unavailable.
- Use the account strictly for emergencies and not for routine administrative tasks.
- Monitor the account’s activity closely through Azure AD sign-in and audit logs.
- Document the process for when and how the break-glass account should be used.
- Regularly review and rotate the break-glass account credentials, storing them securely.
- Exclude the break-glass accounts from policies that might automatically block accounts.
Q: What is the purpose of a break-glass account?
A: A break-glass account is an emergency account that allows access to systems, like Microsoft 365 or Azure AD, in the event that regular admin accounts are locked out or compromised. It acts as a safeguard to ensure that administrators can always access the system to manage and mitigate issues.
Q: Where can I find the sign-in and audit logs for an emergency account’s activity?
A: In the Azure portal, you can find sign-in and audit log information by:
- Going to Azure Active Directory.
- Selecting ‘Sign-ins’ for sign-in logs or ‘Audit logs’ for auditing.
- Filtering the logs by the emergency account’s username to review the activity.
Q: How can I monitor Azure Active Directory sign-in activities for break-glass accounts?
A: To monitor sign-in activities for break-glass accounts:
- Navigate to the Azure portal.
- Select Azure Active Directory.
- Click on ‘Sign-ins’.
- Use the filter option to isolate the break-glass account by its username.
- Set up alerts for any sign-in activities involving the break-glass account to be proactively informed of its use.
Q: Should a break-glass account have Multi-Factor Authentication enabled?
A: Yes, it’s recommended to enable Multi-Factor Authentication (MFA) for a break-glass account for increased security. However, you should also have a process in place for MFA bypass in case the MFA service is not available, to ensure that the break-glass account can always be accessed in an emergency.
Q: Can I create multiple break-glass accounts in Azure AD?
A: Yes, it’s a good practice to have at least one emergency access account and consider having multiple to ensure redundancy. These accounts should be cloud-only, highly privileged accounts reserved for emergency scenarios.
Q: How do I ensure my break-glass account is secure but usable in an emergency?
A: You can secure your break-glass account by:
- Setting a long, complex password that is changed regularly.
- Enabling MFA but having a documented process for MFA bypass.
- Limiting sign-in attempts to reduce the risk of lockout.
- Monitoring the account with Azure AD sign-in and audit logs.
- Storing the credentials securely, such as in a physical safe or a secured password manager with limited access.
Q: What is the risk of not having a break-glass account?
A: Without a break-glass account, you run the risk of being locked out of Azure AD and unable to manage resources if your regular admin accounts are compromised or unavailable. This can lead to significant downtime and potential security risks.
Q: How often should break-glass account passwords be rotated?
A: Break-glass account passwords should be rotated according to your organization’s policy for critical credentials, which is often more frequent than regular user accounts. A recommended practice is to change these passwords every 60-90 days, or immediately after they have been used.
Q: How do I exclude break-glass accounts from regular policies?
A: To exclude break-glass accounts from regular policies:
- Go to the Azure portal and navigate to Azure Active Directory.
- Select the appropriate policy from ‘Security’ or ‘Conditional Access’.
- When configuring the policy, use the ‘Exclude’ section to add your break-glass accounts.
- Save the policy.
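A drift check for the exclusion step above and for the "Exclusion from Policies" best practice: this added Python example (not from the page and not Microsoft's code) audits an export of Conditional Access policies in the shape returned by the Microsoft Graph conditionalAccess/policies endpoint and reports every enforced policy that does not exclude each break-glass account, either directly or via the break-glass group. The sample policies and all object IDs are constructed placeholders.

```python
import json

# Constructed sample: three Conditional Access policies shaped like the objects the Microsoft
# Graph /identity/conditionalAccess/policies endpoint returns, trimmed to the fields read here.
SAMPLE_POLICIES_JSON = """
[
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                            "excludeUsers": ["bg-user-1-objectid"], "excludeGroups": []}}},
  {"displayName": "Block legacy authentication", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                            "excludeUsers": [], "excludeGroups": ["breakglass-group-objectid"]}}},
  {"displayName": "Old pilot policy", "state": "disabled",
   "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                            "excludeUsers": [], "excludeGroups": []}}}
]
"""
BREAK_GLASS_USERS = ["bg-user-1-objectid", "bg-user-2-objectid"]  # placeholder object IDs
BREAK_GLASS_GROUP = "breakglass-group-objectid"                      # placeholder group ID


def applies_to(users, user_id, group_id):
    """True if the policy's user scope reaches this break-glass user and no exclusion
    (direct, or via the break-glass group) takes it back out."""
    included = ("All" in users.get("includeUsers", [])
                or user_id in users.get("includeUsers", [])
                or group_id in users.get("includeGroups", []))
    excluded = (user_id in users.get("excludeUsers", [])
                or group_id in users.get("excludeGroups", []))
    return included and not excluded


def find_unexcluded_policies(policies, bg_users, bg_group):
    """Return [(policy name, [break-glass users it can still hit]), ...] for every
    enforced policy that fails to exclude all break-glass accounts."""
    findings = []
    for policy in policies:
        if policy.get("state") != "enabled":   # disabled / report-only cannot lock anyone out
            continue
        users = policy.get("conditions", {}).get("users", {})
        missing = [u for u in bg_users if applies_to(users, u, bg_group)]
        if missing:
            findings.append((policy["displayName"], missing))
    return findings


def audit_sample():
    # Expected: only the MFA policy is flagged, and only for the second break-glass user.
    return find_unexcluded_policies(json.loads(SAMPLE_POLICIES_JSON),
                                    BREAK_GLASS_USERS, BREAK_GLASS_GROUP)
```

Run it against a fresh policy export after every Conditional Access change, or on a schedule, so a new policy that forgets the exclusion is caught before an emergency does.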
Q: How do I create emergency access accounts in Microsoft 365?
A: To create emergency access accounts in Microsoft 365:
- Sign in to the Azure portal as a global admin.
- Access Azure Active Directory, then go to “Users.”
- Choose “New user” and create a cloud-only account that uses Azure MFA for added security.
- Assign the necessary administrator roles to this account, ensuring it has sufficient permissions to perform recovery actions.
Q: What are break glass account best practices in Azure?
A: Best practices for setting up a break-glass account include:
- Using Microsoft Azure AD to create the account with a strong, unique password.
- Ensuring the break-glass account has global admin privileges but is excluded from policies that may lock out the account.
- Setting up alerts to monitor the account’s sign-ins and trigger notifications for any activity.
- Regularly reviewing the account’s security by using the Azure portal’s Microsoft 365 security features.
Q: What steps should I take to use a break-glass account securely?
A: To securely use a break-glass account:
- Only access the account when necessary and ensure that the sign-in is justified and documented.
- After use, review the account activities by sending logs to Azure Log Analytics.
- Implement Azure MFA for the account to add an extra layer of security and minimize the risk of unauthorized access.
Q: How can admin accounts ensure the security of the Microsoft 365 ecosystem?
A: Administrator accounts can ensure the security of the Microsoft 365 ecosystem by:
- Regularly auditing admin activities, especially those related to high-level accounts with Microsoft cloud services.
- Creating accounts with specific roles and permissions to limit the exposure of high-privilege operations.
- Utilizing Azure AD’s security features to set up conditional access policies and monitor for any abnormal account activity.
Q: How should global admin set up alerts for break-glass accounts in Azure?
A: Global admins can set up alerts for break-glass accounts by:
- Navigating to Azure AD sign-in logs within the Azure portal.
- Configuring alert settings to trigger notifications upon sign-in activities of break-glass accounts.
- Ensuring these alerts are sent to Azure Log Analytics for monitoring and analysis.
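The alerting described here and in the "Monitoring with Azure Log Analytics" section above, as an added example that is not the page's or Microsoft's code: it applies the same "any sign-in by a break-glass account" rule to constructed SigninLogs-style records, treating failed attempts as alerts too, and carries the equivalent KQL an Azure Monitor alert rule on the Log Analytics workspace would use. Object IDs, names and addresses are placeholders.

```python
import json

# Constructed sample sign-in records, shaped like rows of the SigninLogs table that Azure AD
# streams into a Log Analytics workspace (trimmed to the columns used here). IDs, names and
# IP addresses are placeholders, not real tenant values.
SAMPLE_SIGNIN_LOGS = """
{"TimeGenerated": "2024-05-01T08:12:03Z", "UserId": "user-alice-objectid", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10", "ResultType": "0", "AppDisplayName": "Office 365"}
{"TimeGenerated": "2024-05-01T08:15:41Z", "UserId": "bg-user-1-objectid", "UserPrincipalName": "bg1@contoso.example", "IPAddress": "198.51.100.7", "ResultType": "0", "AppDisplayName": "Azure Portal"}
{"TimeGenerated": "2024-05-01T08:16:02Z", "UserId": "bg-user-2-objectid", "UserPrincipalName": "bg2@contoso.example", "IPAddress": "198.51.100.7", "ResultType": "50126", "AppDisplayName": "Azure Portal"}
{"TimeGenerated": "2024-05-01T08:20:00Z", "UserId": "user-bob-objectid", "UserPrincipalName": "bob@contoso.example", "IPAddress": "203.0.113.11", "ResultType": "50126", "AppDisplayName": "Office 365"}
"""
BREAK_GLASS_IDS = {"bg-user-1-objectid", "bg-user-2-objectid"}  # placeholder object IDs

# Equivalent Log Analytics (KQL) query for an Azure Monitor alert rule; assumed, not from the page.
EQUIVALENT_KQL = """
SigninLogs
| where UserId in ("bg-user-1-objectid", "bg-user-2-objectid")
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName
"""


def break_glass_alerts(log_text, watch_ids):
    """Scan newline-delimited JSON sign-in records and return one alert per event that
    involves a break-glass account. Every event counts: a success means the account was
    used (planned or not); a failure means someone tried its credentials."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("UserId") not in watch_ids:
            continue
        success = rec.get("ResultType") == "0"   # ResultType "0" is a successful sign-in
        alerts.append({
            "time": rec["TimeGenerated"],
            "user": rec["UserPrincipalName"],
            "ip": rec.get("IPAddress"),
            "app": rec.get("AppDisplayName"),
            "outcome": "success" if success else f"failure ({rec.get('ResultType')})",
            "severity": "high" if success else "medium",
        })
    return alerts


def scan_sample():
    # Expected: two alerts, the bg1 success (high) and the bg2 failure (medium).
    return break_glass_alerts(SAMPLE_SIGNIN_LOGS, BREAK_GLASS_IDS)
```

Because every break-glass sign-in should be a planned, documented event, any alert this produces that nobody can account for is an incident, not noise.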
Q: What are the best practices for creating and using a break-glass account with Microsoft 365?
A: Best practices for creating and using a break-glass account with Microsoft 365 include:
- Using Azure AD to create a dedicated “break glass” account with high privileges that can bypass typical security policies in emergencies.
- Ensuring the account is excluded from policies that could inadvertently lock it out.
- Using the break-glass account sparingly and monitoring its usage closely through the Azure portal.
Q: How can administrators securely create a break-glass account in the Azure portal?
A: Administrators can securely create a break-glass account in the Azure portal by:
- Accessing Azure AD and selecting ‘New user’ to create an account specifically for emergency access.
- Choosing a complex and secure password that is stored securely and known only to a limited number of personnel.
- Setting the account type to exclude it from multi-factor authentication requirements, to ensure access is possible even if MFA services are down.
Q: How do you connect and ensure the security of Azure break-glass accounts for Microsoft 365 tenants?
A: To connect and secure Azure break-glass accounts for Microsoft 365 tenants:
- Use the Azure portal to administer these accounts, ensuring that they are configured with appropriate permissions.
- Regularly audit the accounts to validate that they remain secure and ready for use.
- Implement monitoring solutions that track sign-in and usage patterns of the break-glass accounts to detect unauthorized access.