In the complex landscape of corporate cloud management, the tightening of access controls is essential for bolstering security. However, this process can inadvertently lead to self-lockouts, cutting off access to crucial administrative interfaces. Moreover, occasional failures in components like multi-factor authentication (MFA) within Microsoft Entra ID further emphasize the necessity for backup plans. Enter break-glass accounts, also known as emergency access accounts, offering a lifeline during such crises.
Understanding Break-Glass Accounts
Break-glass accounts serve as bastions of privilege, reserved exclusively for emergency situations where standard access methods fail. These accounts operate outside the confines of regular restrictions, exempt from conditional access policies and MFA requirements. They ensure uninterrupted access to critical systems and data, circumventing unforeseen hurdles like authentication failures.
Determining Break-Glass Account Numbers
Regardless of organizational size, the presence of break-glass accounts is imperative. While at least one account is recommended, having two offers redundancy and configuration diversity, minimizing single points of failure.
Securing Break-Glass Accounts
Securing break-glass accounts demands a dual approach encompassing technical and organizational measures.
Technical Measures:
Primary Account:
Utilize FIDO2 keys, offering password-less and phishing-resistant authentication. Employ long, randomly generated passwords, stored securely and discarded after setup. Apply a dedicated conditional access policy mandating phishing-resistant authentication.
Secondary Account:
Employ strong, randomly generated passwords for emergency usability. Ensure password manageability without electronic vaults, favoring secure offline storage methods like paper printouts.
Organizational Measures:
Access Management:
Distribute access responsibilities across multiple individuals to prevent single-point misuse. For large organizations, segregate FIDO2 keys and passwords to different custodians, enhancing accountability.
Physical Security:
Safeguard break-glass account credentials by storing them in secure locations like safes, mitigating the risk of unauthorized access.
Best practices:
- Create two or more emergency accounts.
- Use cloud-only accounts that use the *.onmicrosoft.com domain.
- The accounts must not be federated with or synchronized from an on-premises environment.
- Account names should not be tied to an individual; use names such as break-glass1@MyDomain.onmicrosoft.com and break-glass2@MyDomain.onmicrosoft.com.
- Account is enabled.
- Global Administrator role is permanently assigned.
- Must not be connected to mobile phones or workstation devices.
- Do not use MFA methods such as Windows Hello for Business, SMS, OATH, or Microsoft Authenticator.
- Validate the account as part of business resumption and disaster recovery plans.
- Monitor and alert on all logins.
- Account does not need to be licensed.
- Use FIDO2 key to secure break-glass accounts.
- Exclude the accounts from all conditional access policies, except for a policy designed specifically to protect the break-glass accounts: secure each account with a single CA policy that requires the FIDO2 security key.
- A password for an emergency access account is usually broken into two or three parts, written on separate pieces of paper, and stored in secure, fireproof safes in secure, separate locations.
- If you use passwords, make sure the accounts have strong passwords that do not expire. Ideally, passwords should be randomly generated and at least 20 characters long, mixing uppercase and lowercase letters with special characters.
- Divide the password into three parts. For example, team leader A gets parts 1 and 2, team leader B gets parts 2 and 3, and team leader C gets parts 1 and 3. Any two of the three holders can then reassemble the full password, so the process still works if one person is unavailable. Of course, everyone holding a part must be trusted to keep it secure while remaining reachable.
- Test the accounts after a few weeks to confirm everything runs smoothly, or revisit the setup if it does not. Set a new password after each test.
- The advantage of old-fashioned storage methods such as sealed envelopes is that they cannot be compromised remotely: to get the contents, someone has to physically break into the location. Sometimes the old ways are pretty good.
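The checklist above is easy to drift from once it is configured, so the following added example (not from the original article or from Microsoft) audits exported account and conditional access data against it. The record shapes loosely follow Microsoft Graph user and policy objects, but the sample users, policy ids and the `audit_account` function are constructed assumptions of this example.

```python
"""Audit break-glass accounts against the checklist above (added example; the
record shapes loosely follow Microsoft Graph objects but are CONSTRUCTED)."""
# Phone- and device-bound methods the checklist says must not be registered.
FORBIDDEN_METHODS = {"phone", "microsoftAuthenticator", "softwareOath", "windowsHelloForBusiness"}

def audit_account(user, policies, dedicated_policy_id):
    """Return a list of findings; an empty list means the account complies."""
    findings, uid = [], user["id"]
    if not user["userPrincipalName"].lower().endswith(".onmicrosoft.com"):
        findings.append("not a cloud-only *.onmicrosoft.com account")
    if not user["accountEnabled"]:
        findings.append("account is disabled")
    if user.get("onPremisesSyncEnabled"):
        findings.append("account is synchronized from on-premises")
    if "Global Administrator" not in user.get("permanentRoles", []):
        findings.append("Global Administrator is not permanently assigned")
    bad = FORBIDDEN_METHODS & set(user.get("authMethods", []))
    if bad:
        findings.append(f"forbidden MFA methods registered: {sorted(bad)}")
    for p in policies:
        if p["id"] == dedicated_policy_id:
            # The single policy allowed to target the account must demand FIDO2-class auth.
            if uid not in p["includeUsers"]:
                findings.append("not targeted by the dedicated FIDO2 policy")
            if p.get("authenticationStrength") != "phishingResistant":
                findings.append("dedicated policy lacks phishing-resistant strength")
        elif uid not in p["excludeUsers"] and ("All" in p["includeUsers"] or uid in p["includeUsers"]):
            findings.append(f"not excluded from policy {p['displayName']!r}")
    return findings

SAMPLE_POLICIES = [  # constructed
    {"id": "ca-mfa", "displayName": "Require MFA for all users",
     "includeUsers": ["All"], "excludeUsers": ["bg1"]},
    {"id": "ca-bg", "displayName": "Break-glass: require FIDO2 key", "includeUsers": ["bg1", "bg2"],
     "excludeUsers": [], "authenticationStrength": "phishingResistant"},
]
SAMPLE_USERS = [  # constructed: bg1 complies, bg2 breaks several rules
    {"id": "bg1", "userPrincipalName": "break-glass1@MyDomain.onmicrosoft.com", "accountEnabled": True,
     "onPremisesSyncEnabled": False, "permanentRoles": ["Global Administrator"],
     "authMethods": ["password", "fido2"]},
    {"id": "bg2", "userPrincipalName": "break-glass2@mydomain.com", "accountEnabled": True,
     "onPremisesSyncEnabled": True, "permanentRoles": ["Global Administrator"],
     "authMethods": ["password", "microsoftAuthenticator"]},
]

def audit_all(users=SAMPLE_USERS, policies=SAMPLE_POLICIES, dedicated="ca-bg"):
    return {u["userPrincipalName"]: audit_account(u, policies, dedicated) for u in users}

if __name__ == "__main__":
    for upn, findings in audit_all().items():
        print(upn, "OK" if not findings else findings)
```

Run it against a real export by replacing the sample lists with the tenant's user, authentication-method and policy data; the second sample account shows the four typical findings (non-cloud-only UPN, on-premises sync, an Authenticator registration, and a missing exclusion from the tenant-wide MFA policy).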
Monitoring Break-Glass Accounts with Microsoft Sentinel
Rigorous monitoring is paramount to detect and respond to break-glass account activity effectively. Microsoft Sentinel provides a robust platform for this purpose, offering advanced threat detection and automated response capabilities. Any account usage should trigger high-risk security incident reports within Microsoft Sentinel, ensuring prompt intervention and accountability.
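In Sentinel the rule itself would be a KQL analytics rule over the SigninLogs and AuditLogs tables; the added example below (not from the original article) models that rule's logic in Python over constructed records so the detection can be reasoned about and tested offline. The break-glass UPNs, the sample sign-in and audit events, and the `detect` function are assumptions of this example.

```python
"""Flag break-glass activity the way a Sentinel analytics rule should (added example).
The records are CONSTRUCTED; field names follow the SigninLogs and AuditLogs tables."""
BREAK_GLASS = {"break-glass1@mydomain.onmicrosoft.com", "break-glass2@mydomain.onmicrosoft.com"}

def detect(signins, audits):
    """Return one High-severity incident per sign-in attempt (successful or not)
    and per directory change that targets a break-glass account."""
    incidents = []
    for s in signins:
        upn = s["UserPrincipalName"].lower()
        if upn not in BREAK_GLASS:
            continue
        # ResultType "0" is success; anything else is a failure code, and failed
        # attempts matter too: they show someone knows the account exists.
        outcome = "succeeded" if s["ResultType"] == "0" else f"failed ({s['ResultType']})"
        incidents.append({"severity": "High", "account": upn, "time": s["TimeGenerated"],
                          "detail": f"sign-in {outcome} from {s['IPAddress']} to {s['AppDisplayName']}"})
    for a in audits:
        targets = {t["userPrincipalName"].lower() for t in a["TargetResources"]}
        for upn in sorted(targets & BREAK_GLASS):
            # Changes to the account itself (password, methods, roles) are tampering indicators.
            incidents.append({"severity": "High", "account": upn, "time": a["TimeGenerated"],
                              "detail": f"{a['OperationName']} by {a['InitiatedBy']}"})
    return incidents

SAMPLE_SIGNINS = [  # constructed
    {"TimeGenerated": "2024-05-01T02:14:00Z", "UserPrincipalName": "break-glass1@MyDomain.onmicrosoft.com",
     "ResultType": "0", "IPAddress": "203.0.113.10", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-05-01T02:09:30Z", "UserPrincipalName": "break-glass2@MyDomain.onmicrosoft.com",
     "ResultType": "50126", "IPAddress": "198.51.100.7", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-05-01T02:15:00Z", "UserPrincipalName": "alice@MyDomain.onmicrosoft.com",
     "ResultType": "0", "IPAddress": "192.0.2.5", "AppDisplayName": "Office 365 Exchange Online"},
]
SAMPLE_AUDITS = [  # constructed
    {"TimeGenerated": "2024-05-01T01:50:00Z", "OperationName": "Reset user password",
     "InitiatedBy": "helpdesk@MyDomain.onmicrosoft.com",
     "TargetResources": [{"userPrincipalName": "break-glass2@MyDomain.onmicrosoft.com"}]},
    {"TimeGenerated": "2024-05-01T01:55:00Z", "OperationName": "Update user",
     "InitiatedBy": "helpdesk@MyDomain.onmicrosoft.com",
     "TargetResources": [{"userPrincipalName": "alice@MyDomain.onmicrosoft.com"}]},
]

def run(signins=SAMPLE_SIGNINS, audits=SAMPLE_AUDITS):
    return detect(signins, audits)

if __name__ == "__main__":
    for i in run():
        print(i["severity"], i["time"], i["account"], i["detail"])
```

Note that the rule fires on failed attempts and on administrative changes to the accounts, not only on successful logins, since a password reset or method registration against a break-glass account is as much an incident as its use.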
In essence, break-glass accounts serve as indispensable safety nets in the tumultuous terrain of corporate cloud management. By meticulously implementing and safeguarding these accounts, organizations can navigate unforeseen crises with resilience and confidence.