Break glass accounts - best practices
- Vlad Johansen

- Oct 10, 2024
- 3 min read
Updated: Jul 30
Good evening everyone!
Here is a new blog post about Break Glass Accounts / Emergency accounts in Entra ID.
What are emergency accounts and why do we need them?
A break glass (emergency access) account is a highly privileged, cloud-only account that is used only in an emergency, for example when a cyber-attack, a misconfigured Conditional Access policy or an outage of your normal MFA or federation has locked every other administrator out. It holds the Global Administrator role so that it can restore access for your employees and your clients once the threat has been removed. Because it is used so rarely, it is deliberately kept outside the normal sign-in path: no personal MFA device, no licenses, and excluded from the policies that could lock it out.
Let's take a look at how to create a break glass account.
First of all, sign in to the Microsoft Entra admin center and go to Groups -> All groups --> New group
Choose type: Security
Call it for example BG accounts, give the group a description (optional) and choose Membership type: Assigned. Do not use a dynamic group here; a rule change or an attribute change could silently add or remove members, and this group will later decide which Conditional Access policies apply.

Press Create
Now go to the Microsoft 365 admin center and press Users -> Active users --> Add a user
Create a user account, give it a name, for example BG1, and generate a strong, random password. I'm using Bitwarden for this purpose. Remember! Always use the .onmicrosoft.com domain for these accounts to avoid problems with sign-ins: a custom domain may be federated or depend on your DNS, and a federated sign-in fails exactly when your on-premises identity provider is the thing that is down. For the same reason the account must be cloud-only, never synchronised from on-premises AD.

Don't assign any licenses to this user and press Next

Give this user account the Global Administrator role and press Next

Now, review and press Finish adding

Add this user to the BG accounts group from Teams and groups --> Active teams and groups

Go back to Entra ID and go to Protection --> Authentication methods --> Press on Temporary Access Pass and enable this method
We need this to register a security key on this account: a phishing-resistant method can only be added after signing in with another accepted MFA method, and a Temporary Access Pass (TAP) is the one that does not tie the account to a specific person's device. Since this is a break glass account we can't and don't want to register methods like Microsoft Authenticator or SMS, which depend on one employee's phone and on telephony that may be unavailable in exactly the situation the account exists for.

Now go to Users, search for your user account --> choose Authentication methods on the user page and Add authentication method, choose Temporary Access Pass

Choose activation duration: 1 hour, tick One-time use, and press Add. Keep the lifetime short: until it expires the TAP is a complete credential for a Global Administrator.
Now copy your TAP and go to https://aka.ms/mysecurityinfo
Log in to your account with the generated TAP

Now press Add sign-in method and choose Security key

Choose USB device

Follow the instructions to register your security key: when asked where to save the credential, choose Security key, then set up the key's PIN and touch the key when prompted.

After you press OK you will be redirected to the Security info page again
Give your security key a name and press Next and Finish

Now repeat all these steps and create account number 2, and register a second security key on each account. This is highly recommended in case key number one gets stolen, lost or damaged; with two accounts and two keys each, no single failure leaves you without a working emergency path.
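The same build done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original post. The tenant domain contoso.onmicrosoft.com, the names BG accounts and BG1, and the Graph scopes are assumptions; run it as an existing Global Administrator. It stops at printing the TAP, because the security key itself can only be registered interactively at https://aka.ms/mysecurityinfo:

```powershell
# Added example (not from the original post): one break glass account via Microsoft Graph PowerShell.
# Assumptions: tenant domain, group/account names and the scopes below; adjust for your tenant.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.ReadWrite.All", `
    "RoleManagement.ReadWrite.Directory", "UserAuthenticationMethod.ReadWrite.All", `
    "Policy.ReadWrite.AuthenticationMethod"

$tenantDomain = "contoso.onmicrosoft.com"   # assumption: always the .onmicrosoft.com domain, never a custom/federated one
$accountName  = "BG1"                        # assumption
$groupName    = "BG accounts"                # assumption

# 1. Security group with assigned (not dynamic) membership; reuse it if it already exists
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -Description "Break glass / emergency access accounts" `
        -MailEnabled:$false -MailNickname "bgaccounts" -SecurityEnabled
}

# 2. Cloud-only user with a 64-character random password; no licenses are assigned
$bytes = New-Object byte[] 48
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)
$user = New-MgUser -DisplayName $accountName -MailNickname $accountName.ToLower() `
    -UserPrincipalName "$($accountName.ToLower())@$tenantDomain" -AccountEnabled `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# 3. Global Administrator, tenant-wide scope ("/").
#    62e90394-69f5-4237-9190-012177145e10 is the built-in Global Administrator role template ID.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `
    -PrincipalId $user.Id -DirectoryScopeId "/" | Out-Null

# 4. Put the account in the break glass group (this group drives the Conditional Access exclusions later)
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# 5. Make sure the Temporary Access Pass method is enabled in the tenant authentication method policy
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId "TemporaryAccessPass" `
    -BodyParameter @{
        "@odata.type"  = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
        state          = "enabled"
        includeTargets = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
    }

# 6. One-time TAP valid for 60 minutes; sign in with it at https://aka.ms/mysecurityinfo and register the key
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -LifetimeInMinutes 60 -IsUsableOnce

"User:     $($user.UserPrincipalName)"
"Password: $password   <- put this in your vault now, it is not shown again"
"TAP:      $($tap.TemporaryAccessPass)   <- single use, expires in 60 minutes"
```

Run it once per account (BG1, BG2). The password is printed only so that it can be moved into the vault straight away; clear the console history afterwards, and treat the TAP like the Global Administrator password it effectively is until it has been used.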
If your environment doesn't have a Conditional Access policy that enforces phishing-resistant MFA (an authentication strength) on privileged roles such as Global Administrator, then create one and don't exclude this group from it. Create it, or add the group to it, only after the security keys are registered, so that the TAP sign-in used for registration is not blocked by it. Do exclude the group from every other Conditional Access policy, so that a misconfigured or overly broad policy can never lock the emergency accounts out. You can of course also scope the group to a named location policy, for example only allowing sign-ins from your country's IP ranges or from your trusted IPs, for stronger security; just remember that every extra condition is one more way to be locked out on the day you actually need the account, so keep the break glass path as simple as you can justify.
Don't forget to store your PIN codes and security keys in a safe place! They should be stored separately from each other and from the account password (for example the key in a physical safe, the PIN and password in a vault with different custodians), so that one lost or stolen item is never enough to use the account.
And of course these accounts should also be monitored; what you can use depends on your licenses. If you have an active Azure subscription you can stream the Entra sign-in logs to a Log Analytics workspace through diagnostic settings and use Azure Monitor alert rules to trigger SMS or email alerts. If you have an M365 license or a Defender for Cloud Apps license you can set up a Defender for Cloud Apps activity policy to trigger email alerts. Whatever you use, the rule is simple: any sign-in by these accounts is an alert, because nobody should be using them outside an emergency or a scheduled test. Check out my blog posts on how to set up monitoring for break glass accounts.
And always test these accounts every 30-60 days (password, key and PIN on each, and confirm the Conditional Access policies behave as expected), record the test so the resulting sign-in alert is explained, and NEVER use them for daily admin tasks!
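A check that covers both of the points above, as an added example that is not part of the original post: it raises on any sign-in by a break glass account inside the lookback window (unexpected use) and on any account whose last successful sign-in is older than the test interval (test overdue). The UPNs and the sign-in records are constructed sample data; the record shape (UserPrincipalName, CreatedDateTime, IPAddress, Status.ErrorCode) matches what Get-MgAuditLogSignIn returns, so the same function can be fed live data:

```powershell
# Added example (not from the original post). Constructed sample data; UPNs are assumptions.
function Test-BreakGlassSignIns {
    param(
        [Parameter(Mandatory)] [string[]] $BreakGlassUpns,
        [Parameter(Mandatory)] [object[]] $SignIns,      # objects shaped like Get-MgAuditLogSignIn output
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        [int] $LookbackHours = 24,                        # "any use in this window" alert
        [int] $MaxDaysWithoutTest = 60                    # matches the 30-60 day test cadence
    )
    $alerts = @()
    foreach ($upn in $BreakGlassUpns) {
        $mine   = $SignIns | Where-Object { $_.UserPrincipalName -eq $upn }
        $recent = $mine | Where-Object { $_.CreatedDateTime -gt $Now.AddHours(-$LookbackHours) }

        # 1. Every sign-in, successful or not, is reported: failures are attempts against the account
        foreach ($s in $recent) {
            $outcome = if ($s.Status.ErrorCode -eq 0) { "SUCCESS" } else { "FAILURE ($($s.Status.ErrorCode))" }
            $alerts += "[USE] $upn $outcome from $($s.IPAddress) at $($s.CreatedDateTime.ToString('u'))"
        }

        # 2. No successful sign-in within the test interval means the periodic test was skipped
        $lastOk = $mine | Where-Object { $_.Status.ErrorCode -eq 0 } |
                  Sort-Object CreatedDateTime -Descending | Select-Object -First 1
        if (-not $lastOk -or $lastOk.CreatedDateTime -lt $Now.AddDays(-$MaxDaysWithoutTest)) {
            $last = if ($lastOk) { $lastOk.CreatedDateTime.ToString('u') } else { 'never' }
            $alerts += "[TEST-OVERDUE] $upn last successful sign-in: $last"
        }
    }
    return $alerts
}

# Constructed sample sign-in records (documentation IP ranges, error 50126 = invalid credentials)
$now = [datetime]::new(2024, 10, 10, 18, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ UserPrincipalName = "bg1@contoso.onmicrosoft.com"; CreatedDateTime = $now.AddHours(-2); IPAddress = "203.0.113.7";  Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = "bg1@contoso.onmicrosoft.com"; CreatedDateTime = $now.AddHours(-1); IPAddress = "198.51.100.9"; Status = @{ ErrorCode = 50126 } }
    [pscustomobject]@{ UserPrincipalName = "bg2@contoso.onmicrosoft.com"; CreatedDateTime = $now.AddDays(-75); IPAddress = "203.0.113.7";  Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = "alice@contoso.com";           CreatedDateTime = $now.AddHours(-1); IPAddress = "203.0.113.7";  Status = @{ ErrorCode = 0 } }
)

Test-BreakGlassSignIns -BreakGlassUpns "bg1@contoso.onmicrosoft.com", "bg2@contoso.onmicrosoft.com" `
    -SignIns $sample -Now $now
# Expected: two [USE] lines for bg1 (one success, one failure) and one [TEST-OVERDUE] line for bg2;
# alice is ignored because she is not in the break glass list.

# Live data instead of the sample (needs AuditLog.Read.All):
#   Connect-MgGraph -Scopes "AuditLog.Read.All"
#   $live = Get-MgAuditLogSignIn -Filter "createdDateTime ge $($now.AddDays(-30).ToString('o'))" -All
#   Test-BreakGlassSignIns -BreakGlassUpns "bg1@...", "bg2@..." -SignIns $live
```

The Graph sign-in log only keeps about 30 days, so for the 60-day overdue check feed the function from the Log Analytics workspace mentioned above, or replace that part with the user's signInActivity.lastSignInDateTime from Get-MgUser -Property SignInActivity. Wire the returned lines into whatever paging you already have (an Azure Automation runbook posting to a Teams webhook or sending mail is the usual choice); the function deliberately returns strings rather than printing them so that can be done without parsing console output.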