Enterprises depend on the continuous operation of their systems and networks to keep them in business. But what happens when users are locked out of Azure AD and can’t obtain critical information from Microsoft 365? The consequences of such an event may include missing critical deadlines resulting in revenue losses. For this reason, network administrators must set up break glass accounts for Microsoft Azure AD to ensure continuous connectivity.
When You Need Break Glass Accounts
Microsoft outlines various reasons when such accounts are necessary.
- User logins are federated, meaning they use the same login across multiple systems. However, when the system that authenticates federated logins fail, all users lose access to Microsoft 365.
- Multi-factor authentication cannot be completed due to a network outage, causing failure with individual devices and local phone service. This outage can occur as a result of a catastrophic event such as a natural disaster.
- A Global Administrator is either unavailable or has left the company and the account is unrecoverable.
Best Practices for Emergency Access Accounts
Emergency access accounts should follow these requirements:
- Access accounts from the cloud only using the *.onmicrosoft.com domain and not be federated or associated with accounts on-premise.
- Do not associate the account with individual users or devices, including company-issued mobile phones and hardware tokens or other employee credentials. Doing so avoids being dependent on one user’s login credentials for access.
- Keep registered devices with multiple ways of communicating with Azure in a secure location.
- Share emergency access account information with a few authorized users. Then, store passwords separated into two to three parts in fireproof containers in secure locations with each on different paper.
- Use strong, hard-to-guess passwords with 16, randomly generated characters.
- Use a separate authentication process for the emergency access account. If using on-premises Multi-Factor Authentication, for example, Azure AD MFA is a different authentication method. However, suppose you use the AD MFA across all administrative accounts. In that case, use a separate approach, such as Conditional Access with a third-party MFA provider through Custom controls. Exclude one emergency account from Conditional Access policies to ensure it does not block access.
- The device that accesses the emergency account must never expire or be included in automated routine clean-up processes.
- Permanently assign the Global Administrator role to make sure that it never expires.
- Ensure that at least one emergency access account does not use the same MFA processes as the non-emergency accounts, including third-party MFA. For example, accounts with phone-based MFA can be used for an attack if the password is compromised.
- For organizations using an identity provider, configure an emergency access account that can be backed by a certificate. The AD authentication enables ADFS to communicate MFA requirements to Azure AD. Cloud-based emergency access accounts must still be available in case the federation process does not allow access.
Monitoring Emergency Account Activity
Use Azure Log Analytics to monitor the emergency accounts’ log-in activities. These analytics verify if the accounts are accessed for testing or true emergencies.
Before using this function, Azure AD and Azure Monitor logs must be integrated to allow monitoring for comparison of Azure AD sign-ins with the Security Center’s records. This integration allows reports such as audit logs, sign-in logs, and provisioning logs accessibility for analysis.
Obtain object IDs of the break-glass accounts as follows:
- Sign in to the Azure portal with a user administrator role.
- Select Azure Active Directory.
- From the menu on the left, select Users.
- Find the emergency account and select the user’s name.
- Copy and save the Object ID attribute for future use.
- Repeat the above steps for the second emergency account.
Creating the Alert Log
Use Azure Log Analytics and Azure Monitor Alerts to create the alert log to send notifications when someone accesses emergency accounts.
- Sign in with an Azure Portal account assigned to the Monitoring Contributor role in Azure Monitor.
- In the portal, click on All Services. In the search, type, Log Analytics.
- Select Log Analytics workspaces and then select a workspace.
- In the workspace, select Alerts, then click on New Alert Rule.
- Check under Resource that the subscription is the one you are associating with the alert rule. Under Condition, select Add.
- Under Signal Name, select Custom Log Search.
- Search Query, enter the information in the format as follows, using the two emergency accounts’ object IDs.SigninLogs
where UserID ==”492e2f604-5c21-412c-9580-51c91069c9ba” or UserID=”a253eb9f-e960-4fec-9eae-d91530e08c24″
- Under Alert Logic, enter the information, as shown below:Based on: Number of results
Operator: Greater than
Threshold value: 0
- Under Evaluated Based On, select the Period (in minutes) on the desired length of time the query will run and the Frequency (in minutes) for how often it should run. The frequency should be less than or equal to the period.
- Click on Done. The estimated monthly cost of the alert is now viewable.
Creating an Action Group
The next step is to select an action group of users who will receive alert notifications. If not previously complete, action groups configure as follows:
- Select Create An Action Group. A set of fields to complete will appear.
- Under Action Group Name, enter the full description of the group, such as who is notified. Under Short Name, give a shorter name to describe the group.
- Verify the information in the Subscription and Resource Group fields is correct.
- For Action Type, select Email/SMS/Push/Voice. For Action Name, enter the event, such as Notify global admin.
- Under Edit Details, enter the notification method, along with the necessary contact information. Click on OK to save this information.
- With additional actions, enter the information before selecting OK.
- After the creation and selection of the action group, the notification actions can be set up under Customize Actions. Under Alert Details, specify the alert rule name. Add an optional description here.
- Set the event’s Severity Level. Microsoft recommends using Critical (Sev 0).
- Under Enable Rule Upon Creation, this should be set to Yes.
- The Suppress Alerts checkbox can be checked to turn off the alerts. Enter the duration of time before the next alert event and select Save.
Periodic Follow up of Emergency Accounts
Ensuring the security of the emergency accounts and user familiarity with policies and procedures governing them, the following steps should be taken on a regular basis. Microsoft recommends these actions be taken every 90 days, if there is a change in IT staff or if the Azure AD subscriptions have changed.
- Security staff responsible for monitoring must be aware that account checks are ongoing.
- Review and update emergency account access documentation.
- Train administrators and security staff who may need emergency access accounts.
- Regularly update passwords for the emergency access accounts and ensure that they can sign in and perform as expected.
- Verify that MFA or self-service password resets don’t register on user devices. Accounts that use MFA on a device must be accessible by administrators for use in an emergency. The device must communicate on alternate network paths in case of a failure, i.e, both cellular and the organization’s wireless network.
Establishing emergency or break glass accounts ensures that the Azure AD system can be accessible in unforeseen circumstances such as network failures or other reasons for administrative access loss. Then, verify and update these accounts as necessary, should such an event occur at any time.
Agile IT is a cloud-first managed services company offering a variety of computing solutions to businesses across many sectors. Thus, contact us if you need assistance with security and compliance in Microsoft 365 and request a free consultation today.