🚪 And, yes, there should be a back door. That back door should of course be kept closed, fitted with a very strong lock, and wired to an alarm. In this post, I’ll explain why, and what this back door is from the Microsoft 365 and Entra ID perspective.
🪟 The back door I am talking about is the so-called break-glass account, or emergency access account as Microsoft calls it.
You use these accounts to get in if you lose the key to the front door, or if the front door itself is broken. I’ll stop with the door analogies here and spell it out in Entra ID language:
– 🧑💻 Multi-factor authentication (MFA) doesn’t work because of a technical problem, for example an outage of the MFA service or a broken or lost authenticator device
– 🔒 You accidentally lock yourself out, for example with a misconfigured Conditional Access (CA) policy that applies to all users, including every administrator
What are the typical characteristics of break-glass accounts?
– 🌍 They are Global Administrators, with the role assigned permanently rather than as an eligible PIM role, since role activation may be exactly what is failing
– 🆔 They are excluded from the tenant’s MFA requirements, so they keep working when MFA itself is the problem (see below for how to protect them anyway)
– 👥 They are members of a dedicated security group. Create it as a role-assignable group: membership of role-assignable groups can only be changed by Global Administrators and Privileged Role Administrators (plus the group’s owners), so a lesser admin such as a User Administrator cannot add themselves.
– 👻 This group is excluded from every CA policy, including report-only policies and any new policy you create later. The exclusion is the whole point: a CA lockout is one of the scenarios you are preparing for.
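A check for the “excluded from every CA policy” rule, added here as an example and not code from the original post. It reads a policy export in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies (fetch it with Graph Explorer or the Microsoft Graph PowerShell SDK); the sample export, the group ID and the policy names below are constructed for the example. A policy that targets only the break-glass group (such as one requiring phishing-resistant MFA for these accounts) is treated as the deliberate exception.

```python
"""Audit exported Conditional Access policies for a missing break-glass exclusion.

Input follows the Microsoft Graph conditionalAccessPolicy resource as returned by
GET /identity/conditionalAccess/policies. The export below is constructed for this
example; the group ID and policy names are hypothetical.
"""
import json

# Object ID of the break-glass security group (hypothetical value).
BREAK_GLASS_GROUP_ID = "11111111-2222-3333-4444-555555555555"

# States under which a policy is actually evaluated. Report-only policies are
# included on purpose: they are one click away from enforcing.
ACTIVE_STATES = {"enabled", "enabledForReportingOnly"}

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = json.dumps({"value": [
    {"id": "p1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": [BREAK_GLASS_GROUP_ID]}}},
    {"id": "p2", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []}}},
    {"id": "p3", "displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []}}},
    {"id": "p4", "displayName": "Require phishing-resistant MFA for break-glass",
     "state": "enabledForReportingOnly",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeGroups": [BREAK_GLASS_GROUP_ID], "excludeGroups": []}}},
]})


def targets_only_break_glass(users, group_id):
    """True if the policy is scoped to the break-glass group and nothing else.

    Such a policy (e.g. one requiring phishing-resistant MFA for these accounts)
    is the deliberate exception and must not be reported as a missing exclusion.
    """
    return (users.get("includeGroups", []) == [group_id]
            and not users.get("includeUsers")
            and not users.get("includeRoles"))


def policies_missing_exclusion(export_json, group_id):
    """Return display names of evaluated policies that do not exclude the break-glass group."""
    findings = []
    for policy in json.loads(export_json)["value"]:
        if policy.get("state") not in ACTIVE_STATES:
            continue  # disabled policies cannot lock anyone out
        users = policy.get("conditions", {}).get("users", {})
        if group_id in users.get("excludeGroups", []):
            continue  # correctly excluded
        if targets_only_break_glass(users, group_id):
            continue  # the one policy meant for these accounts
        findings.append(policy["displayName"])
    return findings


if __name__ == "__main__":
    for name in policies_missing_exclusion(SAMPLE_EXPORT, BREAK_GLASS_GROUP_ID):
        print(f"MISSING EXCLUSION: {name}")
```

Run it against a fresh export whenever a CA policy is created or changed; the disabled pilot policy is skipped, the report-only policy scoped to the group is accepted, and the legacy-authentication policy that forgot the exclusion is reported.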
🏦 For best security, protect these accounts with a FIDO2 security key. Unlike push notifications, SMS or an authenticator app, a FIDO2 key signs the sign-in challenge locally and does not depend on a phone, a telephony provider or a separate MFA service being available. For even stronger security, one person can hold the physical key and another the PIN for it, with the key itself kept in a safe.
Another approach is a CA policy that requires phishing-resistant MFA for the break-glass group. Scope it to that group only, keep it simple, and make it the one CA policy the group is not excluded from, so that a mistake elsewhere in your CA setup cannot lock these accounts out.
📜 You can also use a very long random password (100 or more random characters; Entra ID allows up to 256) written on paper and stored in a secure location such as a safe. This was the common approach before FIDO2 became generally available, and for most smaller companies it will probably still give a sufficient level of security.
✌️ The break-glass accounts should be cloud-only accounts in the default “.onmicrosoft.com” domain, so they do not depend on federation, custom-domain DNS or on-premises synchronization being healthy. You should have at least two accounts, and set them up so that access is never dependent on a single person being available.
👀 Lastly, monitor these accounts. Any sign-in attempt with a break-glass account, successful or not, should alert several people by e-mail and SMS, and so should any change to the security group’s membership or owners. Outside of tests these accounts should never sign in, so every event is worth an alert. The Entra ID sign-in and audit logs feed these alerts, for example through alert rules in Log Analytics or Microsoft Sentinel.
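The alert logic, as an added example that is not code from the original post. It runs over constructed records in the shape of the Microsoft Graph signIn (GET /auditLogs/signIns) and directoryAudit (GET /auditLogs/directoryAudits) resources; the UPNs, group ID, IP addresses and actors are hypothetical. In a tenant the same conditions would be a KQL alert rule over the SigninLogs and AuditLogs tables in Log Analytics or Microsoft Sentinel, with the alert action sending e-mail and SMS to several people. A failed sign-in attempt is alerted on just like a successful one.

```python
"""Alert logic for break-glass accounts, run over constructed Entra ID log records.

Record shapes follow the Microsoft Graph signIn resource (GET /auditLogs/signIns)
and directoryAudit resource (GET /auditLogs/directoryAudits). All records, UPNs
and IDs below are constructed for this example, not real tenant data.
"""
import json

# Hypothetical tenant values.
BREAK_GLASS_UPNS = {"bg-admin-1@contoso.onmicrosoft.com",
                    "bg-admin-2@contoso.onmicrosoft.com"}
BREAK_GLASS_GROUP_ID = "11111111-2222-3333-4444-555555555555"

# Audit activities that change who is in, or who controls, the group.
GROUP_CHANGE_ACTIVITIES = {"Add member to group", "Remove member from group",
                           "Add owner to group", "Remove owner from group"}

SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "userPrincipalName": "alice@contoso.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365", "status": {"errorCode": 0}},
    # Wrong password against a break-glass account: still worth an alert.
    {"createdDateTime": "2024-05-01T08:05:00Z", "userPrincipalName": "BG-Admin-1@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-05-01T08:06:00Z", "userPrincipalName": "bg-admin-1@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
]

SAMPLE_AUDITS = [
    # Someone is added to the break-glass group: alert.
    {"activityDateTime": "2024-05-01T09:00:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
     "targetResources": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "User",
                          "displayName": "Mallory",
                          "modifiedProperties": [{"displayName": "Group.ObjectID",
                                                  "newValue": f"\"{BREAK_GLASS_GROUP_ID}\""}]}]},
    # Same activity against an unrelated group: no alert.
    {"activityDateTime": "2024-05-01T09:10:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
     "targetResources": [{"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "User",
                          "displayName": "Bob",
                          "modifiedProperties": [{"displayName": "Group.ObjectID",
                                                  "newValue": "\"22222222-0000-0000-0000-000000000000\""}]}]},
]


def signin_alerts(signins, upns):
    """One alert per sign-in attempt by a break-glass account, successful or not."""
    wanted = {u.lower() for u in upns}  # UPNs are case-insensitive
    alerts = []
    for s in signins:
        upn = s.get("userPrincipalName", "").lower()
        if upn not in wanted:
            continue
        code = s.get("status", {}).get("errorCode", -1)  # 0 means success
        outcome = "SUCCESS" if code == 0 else f"FAILURE errorCode={code}"
        alerts.append(f"{s['createdDateTime']} break-glass sign-in {outcome}: {upn} "
                      f"from {s.get('ipAddress')} to {s.get('appDisplayName')}")
    return alerts


def group_change_alerts(audits, group_id):
    """One alert per membership/ownership change that touches the break-glass group.

    Depending on the event, the group ID appears as a target resource or inside a
    modifiedProperties value (Group.ObjectID), so it is matched anywhere in targetResources.
    """
    alerts = []
    for a in audits:
        if a.get("activityDisplayName") not in GROUP_CHANGE_ACTIVITIES:
            continue
        targets = a.get("targetResources", [])
        if group_id not in json.dumps(targets):
            continue
        actor = a.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        who = ", ".join(t.get("displayName", "?") for t in targets if t.get("type") == "User")
        alerts.append(f"{a['activityDateTime']} {a['activityDisplayName']} on break-glass group "
                      f"by {actor}: {who}")
    return alerts


def break_glass_alerts(signins, audits, upns=BREAK_GLASS_UPNS, group_id=BREAK_GLASS_GROUP_ID):
    """Combined alert list; route every entry to several people by e-mail and SMS."""
    return signin_alerts(signins, upns) + group_change_alerts(audits, group_id)


if __name__ == "__main__":
    for line in break_glass_alerts(SAMPLE_SIGNINS, SAMPLE_AUDITS):
        print(line)
```

On the sample data this yields three alerts: the failed and the successful sign-in by bg-admin-1, and Mallory being added to the group. Alice’s normal sign-in and the change to the unrelated group produce nothing.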
And of course, remember to test your break-glass accounts regularly. Treat a test like real use: it should trigger the alerts, and if it does not, the monitoring is broken too.
☎️ If you’ve lost access to your tenant without having set up an emergency access account, you will need to contact Microsoft support to regain access, and that process can take time. If you have a CSP partner, things may go faster, because the partner has delegated administrative access to your tenant. In either case, you do not want to depend on the time and resources of external parties.
🎛️ Bottom line: take control of your emergency access today!
If you want a better overview of your privileged accounts, take a look at our Proactive Monitoring Service. I’ll be happy to schedule a free demo for you!