Back to basics - The Importance of "Break Glass" Accounts
Don't be like Bill and Ben - Manage emergency access accounts in Microsoft Entra ID!
When it comes to setting up and managing critical security measures such as Break Glass accounts, or monitoring changes to privileged accounts in Microsoft Entra ID, it's essential not to fall into the trap of assumption. In a busy organisation there's a common misconception that "someone else has probably already taken care of it."
So ask your team the question today!
And now for some light-hearted Monday morning story time!
The Misadventure of Bill and Ben: A Tale of Locked-Out Global Admins (a ChatGPT story)
Chapter 1: A Small Oversight
In the bustling city of Technoville, Bill and Ben worked as the IT administrators for a renowned company, Widget Inc. Known for their expertise and diligence, they were the guardians of the company's digital realm. One fine morning, they decided to revamp their security measures by implementing a new conditional access policy in Microsoft Entra ID. The aim was simple: enhance security without compromising accessibility.
As they enthusiastically configured the new policy, one detail slipped their minds: they forgot to exclude their own Global Admin accounts from the stringent rules they were setting up. Little did they know, this oversight would soon lead to an unexpected adventure.
Chapter 2: The Lockout
The next day, as the first rays of the sun hit the glass facades of Widget Inc., Bill and Ben arrived at work, ready to tackle the day. Their routine was abruptly disrupted when they found themselves unable to sign in to their Global Admin accounts. The new Conditional Access policy blocked them, treating their sign-ins like any other that failed its conditions.
Panic ensued as they realized the gravity of the situation. The company's entire IT infrastructure was now out of their reach. They couldn't manage user accounts, access critical data, or even reverse the policy they had set.
Chapter 3: The Quest for a Solution
Determined to resolve the crisis, Bill and Ben embarked on a quest to regain access. They first tried reaching out to their fellow IT colleagues, but no one else had the necessary privileges. The clock was ticking, and the pressure was mounting.
That's when Bill remembered reading about Emergency Access or "Break Glass" accounts. These were special accounts set up precisely for scenarios like this - a locked-out situation where standard admin accounts couldn't be used. But there was a problem - Widget Inc. had never set up such an account.
Chapter 4: Lessons Learned
As the day turned into evening, Bill and Ben, with the help of Microsoft support, were finally able to restore their access through a series of verification steps and security checks. It was a relief, but also a wake-up call.
They immediately set up two Emergency Access accounts, ensuring they were cloud-only, with complex passwords and excluded from all conditional access policies. They documented the entire process and conducted a training session for the IT team, emphasizing the importance of these accounts and the lessons learned from their experience.
Chapter 5: A New Dawn
Bill and Ben's misadventure became a tale of caution and learning within Widget Inc. They had turned their mistake into an opportunity to strengthen the company's security posture. From then on, they were not just the IT admins but also the champions of proactive planning and crisis management.
As peace returned to Widget Inc., Bill and Ben looked back at their ordeal not with regret, but with a sense of accomplishment. They had faced an unprecedented challenge and emerged wiser, more prepared, and with a story that would be told for years to come.
Don't be like Bill and Ben. Set this up, or verify your stance, NOW!
Understanding the "Break Glass" Concept
In the world of digital security, being prepared for every contingency is paramount. This is where the concept of an "Emergency Access" or "Break Glass" account comes into play, especially in the context of Microsoft Entra ID management. These accounts are like having a spare key to your house; they're not meant for daily use, but in times of crisis, they can be lifesavers.
Why Set Up Emergency Access Accounts?
Imagine being locked out of your organization's administrative controls through unforeseen circumstances: a Conditional Access change, a federation or MFA outage, or the departure of a key employee. Accounts may become inaccessible and people may be unavailable, making it impossible to perform necessary administrative tasks. This is where emergency access accounts become invaluable. They are designed to be used only in such critical situations, to guarantee continued access to and control of the tenant.
Creating Your Emergency Lifeline: Step-by-Step Guide
Setting up an emergency access account in Microsoft Entra ID involves several careful steps:
Account Creation: Sign in to the Microsoft Entra admin center as a Global Administrator. Go to Identity > Users > All users, create new users, and assign them the Global Administrator role as a permanent (active) assignment, not a PIM-eligible one. These must be cloud-only accounts on the tenant's default .onmicrosoft.com domain, neither synchronised from on-premises AD nor federated, and not tied to any individual.
Secure Password Management: Assign long, complex passwords and make sure they never expire. Ideally, split each password into parts and store the parts securely in separate locations (for example, sealed envelopes in different safes) so that no single person can use the account alone.
Exclusion from Policies: Make sure at least one account is excluded from phone-based multifactor authentication and from all Conditional Access policies, so that a policy mistake or an MFA outage cannot lock it out. If you want strong authentication on a break-glass account, use a method that does not depend on a phone or on a single cloud service, such as a FIDO2 security key kept in a safe.
Monitor and Alert: Send Entra ID sign-in and audit logs to a Log Analytics workspace (Azure Monitor) or Microsoft Sentinel, and raise a high-severity alert on any sign-in by, or change to, these accounts. Legitimate use is rare, so every hit should be investigated.
Regular Validation: Periodically (at least quarterly, and after any change to Conditional Access or authentication methods) confirm that the accounts can actually sign in and that the staff who would use them understand the procedure.
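The steps above are easy to get wrong silently: an account gets synced from on-premises, a PIM-eligible assignment replaces the permanent one, or a new Conditional Access policy goes live without the exclusion. The following script is an added example (not from the original post or from Microsoft's documentation) that checks all of that read-only with the Microsoft Graph PowerShell SDK. The two UPNs, the contoso tenant name and the $AllowedPolicies list are placeholders; the Global Administrator role template ID is the same in every tenant. It is stricter than the "at least one account" minimum above: it expects every listed break-glass account to be directly excluded from every enabled policy.

```powershell
# Added example: read-only health check for Entra ID emergency access accounts.
# Assumes Microsoft.Graph PowerShell SDK v2 is installed. UPNs and policy names are placeholders.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns

$BreakGlassUpns = @(
    'ea-7f3k2q@contoso.onmicrosoft.com',   # placeholder: first emergency access account
    'ea-9t4m8w@contoso.onmicrosoft.com'    # placeholder: second emergency access account
)
# Conditional Access policies that are MEANT to apply to the break-glass accounts
# (e.g. one that requires a FIDO2 key for them). Placeholder list; empty = none expected.
$AllowedPolicies = @()
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template ID

function Test-BreakGlassUser {
    param([Parameter(Mandatory)][string]$Upn)
    $u = Get-MgUser -UserId $Upn -ErrorAction Stop `
        -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled,UserType
    # Active (permanent) directory role assignments only; PIM-eligible ones are not returned here,
    # which is the point: a break-glass account must hold GA without having to activate anything.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "principalId eq '$($u.Id)'"
    [pscustomobject]@{
        Upn           = $u.UserPrincipalName
        Id            = $u.Id
        Enabled       = [bool]$u.AccountEnabled
        CloudOnly     = -not [bool]$u.OnPremisesSyncEnabled   # $null or $false = not synced from AD
        IsMember      = ($u.UserType -eq 'Member')
        IsGlobalAdmin = [bool]($assignments | Where-Object RoleDefinitionId -eq $GlobalAdminRoleId)
    }
}

function Test-BreakGlassCAExclusion {
    param([Parameter(Mandatory)][string]$UserId)
    # Report every enabled policy that does not list the account in excludeUsers.
    # Exclusion via a group (excludeGroups) is deliberately NOT accepted: group membership
    # can drift or be removed by someone else; a direct user exclusion cannot silently vanish.
    $policies = Get-MgIdentityConditionalAccessPolicy -All
    foreach ($p in ($policies | Where-Object State -eq 'enabled')) {
        if ($AllowedPolicies -contains $p.DisplayName) { continue }
        if ($p.Conditions.Users.ExcludeUsers -notcontains $UserId) {
            [pscustomobject]@{ Policy = $p.DisplayName; PolicyId = $p.Id; Gap = 'account not in excludeUsers' }
        }
    }
}

Connect-MgGraph -Scopes 'User.Read.All','RoleManagement.Read.Directory','Policy.Read.All' -NoWelcome
$healthy = $true
foreach ($upn in $BreakGlassUpns) {
    $r = Test-BreakGlassUser -Upn $upn
    $r | Format-List
    if (-not ($r.Enabled -and $r.CloudOnly -and $r.IsMember -and $r.IsGlobalAdmin)) { $healthy = $false }
    $gaps = @(Test-BreakGlassCAExclusion -UserId $r.Id)
    if ($gaps.Count -gt 0) { $healthy = $false; $gaps | Format-Table -AutoSize }
}
if ($healthy) { 'PASS: break-glass accounts are enabled, cloud-only, permanent GA, and excluded from all enabled CA policies' }
else          { Write-Warning 'FAIL: fix the gaps above before you need these accounts' }
```

Run it with a regular admin account (it needs only read scopes), and schedule it alongside the quarterly validation: a PASS here does not replace actually signing in with the account, because it says nothing about whether the stored password is still correct.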
Monitor Changes to Privileged Accounts with Microsoft Sentinel
Alongside monitoring Global Administrator activity in your tenant, consider alerting on the following:
Privileged account creation
Changes to authentication methods
Alert on changes to privileged account permissions
Unused privileged accounts
Accounts exempt from Conditional Access
Addition of a Temporary Access Pass to a privileged account
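The monitoring step above and the list just given come down to a handful of queries over the Entra ID SigninLogs and AuditLogs tables. The script below is an added example (not from the original post) that runs two such queries against a Log Analytics workspace with the Az PowerShell modules, so you can test them before turning them into Sentinel analytics rules. The workspace ID and the object IDs are placeholders. The first query covers any sign-in by a break-glass account; the second covers role membership changes (which also catches newly created privileged accounts), authentication method and Temporary Access Pass registrations, and Conditional Access policy edits (which is how exclusions appear or disappear). Detecting unused privileged accounts needs sign-in activity data rather than an event query and is not shown here.

```powershell
# Added example: run break-glass and privileged-change detection queries against Log Analytics.
# Assumes Az.Accounts and Az.OperationalInsights are installed and that Entra ID diagnostic
# settings already stream SigninLogs, AADNonInteractiveUserSignInLogs and AuditLogs to the workspace.
#Requires -Modules Az.Accounts, Az.OperationalInsights

$WorkspaceId         = '00000000-0000-0000-0000-000000000000'          # placeholder: Log Analytics workspace ID
$BreakGlassObjectIds = @('11111111-1111-1111-1111-111111111111',        # placeholder: object IDs of the
                         '22222222-2222-2222-2222-222222222222')        # emergency access accounts

# Query 1: any sign-in (interactive or not, successful or not) by a break-glass account is an incident.
$idList = ($BreakGlassObjectIds | ForEach-Object { "'$_'" }) -join ','
$BreakGlassSignIn = @"
union SigninLogs, AADNonInteractiveUserSignInLogs
| where UserId in ($idList)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, ResultType, ResultDescription, ConditionalAccessStatus
| order by TimeGenerated desc
"@

# Query 2: changes to privileged accounts and to the policies that protect them.
# OperationName is matched by substring (has_any is case-insensitive) so that
# "Add member to role", "Add eligible member to role", "Remove member from role",
# "Admin registered security info", TAP registrations and CA policy updates are all caught
# without depending on the exact wording of each operation.
$PrivilegedChanges = @"
AuditLogs
| where OperationName has_any ("member to role", "member from role", "security info",
                               "temporary access pass", "conditional access policy")
| extend Actor         = tostring(InitiatedBy.user.userPrincipalName),
         Target        = tostring(TargetResources[0].userPrincipalName),
         TargetDisplay = tostring(TargetResources[0].displayName)
| project TimeGenerated, OperationName, Result, Actor, Target, TargetDisplay
| order by TimeGenerated desc
"@

function Invoke-EntraDetection {
    param(
        [Parameter(Mandatory)][string]$Query,
        [timespan]$Lookback = (New-TimeSpan -Hours 24)
    )
    $result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query -Timespan $Lookback
    return @($result.Results)   # one PSCustomObject per row, columns as projected in the query
}

Connect-AzAccount | Out-Null

$hits = Invoke-EntraDetection -Query $BreakGlassSignIn
if ($hits.Count -gt 0) {
    Write-Warning "Break-glass account used $($hits.Count) time(s) in the last 24h"
    $hits | Format-Table -AutoSize
} else {
    'No break-glass sign-ins in the last 24h (expected, unless you are running a validation test)'
}

'Privileged account and policy changes in the last 24h:'
Invoke-EntraDetection -Query $PrivilegedChanges | Format-Table -AutoSize
```

When you promote these to Sentinel analytics rules, give the first one the highest severity with a short run frequency; the only legitimate hits it should ever produce are your own scheduled validation sign-ins, so tell the SOC before you run one.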
Ensuring Safety and Compliance
While creating these accounts, it's crucial to:
Don't associate them with any individual's credentials, and don't give them an obvious UPN such as breakglass@ or admin@. An unpredictable name makes the accounts a less obvious target, but obscurity is not a control on its own; the real protections are the long password, the monitoring and the physical safeguarding of the credential.
Use authentication methods distinct from those of regular administrative accounts (for example, a FIDO2 key in a safe rather than Microsoft Authenticator on an admin's phone), so that one outage or compromise cannot take out both.
Regularly update and validate account credentials and the procedure for using them; build this into your quarterly maintenance schedule or audit.
Why This Matters
Emergency access accounts are a critical component of a robust security strategy, providing a safety net against the unexpected. They ensure continuity, prevent lockouts, and maintain control of your tenant in a crisis.
Get the official docs here! Take a read then take action!
#MicrosoftSecurity
#MicrosoftLearn
#MicrosoftDefenderXDR
#MicrosoftSentinel
#CyberSecurity