The backdoor to your Microsoft 365 tenant


🚪 And, yes, there should be a back door. The backdoor should of course be closed, have a very strong lock, and an alarm. In this post, I’ll explain why and what this backdoor is from the Microsoft 365 and Entra ID perspective.

🪟 The backdoor I am talking about is the so-called break glass account, or emergency access account as Microsoft names it.

You use these accounts to get in if you lose the key to the front door, or if the front door is broken. I’ll stop with the door analogies here and spell it out in Entra ID terms:
– 🧑‍💻Multi-factor authentication (MFA) doesn’t work because of some technical problem
– 🔒You accidentally lock yourself out, for example with a bad Conditional Access (CA) policy

What are the typical characteristics of break-glass accounts?
– 🌍They are Global Administrators
– 🆔They do not require MFA
– 👥They are members of a security group created for this purpose. Create the group as role-assignable (this can only be set when the group is created): membership of a role-assignable group can only be changed by Global Administrators and Privileged Role Administrators, plus any owner you assign to it, so assign none.
– 👻The group is excluded from every CA policy. A wrong or broken CA policy is exactly what these accounts are there for, so they must not be subject to one.

🏦For best security, use a FIDO2 key to secure these accounts. Unlike push notifications, SMS or phone calls, a FIDO2 key does not depend on a phone, a mobile network or a notification service; only the key and Entra ID are involved in the sign-in. For even stronger security, one person could hold the physical FIDO2 key and another the PIN for it, and the storage location could for example be a safe.

Another approach is to create a dedicated CA policy requiring phishing-resistant MFA for the break glass group. This is the one CA policy that should target the group, and it must only be enabled after a FIDO2 key is registered and tested on every break glass account; otherwise the policy itself becomes the lockout.

📜You can also use a very strong password (100+ random characters; Entra ID cloud accounts accept up to 256) written down on a piece of paper and stored in a secure location. Disable password expiration on the account so the paper copy stays valid. This was common before FIDO2 became generally available, and for most smaller companies it will probably give a sufficient security level.

✌️The break glass accounts should be cloud-only “.onmicrosoft.com” accounts: not synchronized from on-premises and not on a federated domain, so they keep working when sync or federation is what broke. You should have at least two accounts, and set them up so that using them never depends on a single person being available.
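The setup described above, as an added example that is not part of the original post: two cloud-only accounts with non-expiring random passwords, a role-assignable group with a permanent Global Administrator assignment, exclusion of that group from every existing CA policy, and the single dedicated policy requiring phishing-resistant MFA. It uses the Microsoft Graph PowerShell SDK on PowerShell 7. The tenant domain, account names and group name are assumptions; replace them with your own.

```powershell
# Added example (not from the original post). Assumes PowerShell 7 and the
# Microsoft.Graph modules; tenant domain, account and group names are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "RoleManagement.ReadWrite.Directory", "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$tenantDomain = "contoso.onmicrosoft.com"        # assumption: your tenant's initial domain
$accountNames = "bg-admin-01", "bg-admin-02"     # assumption: two accounts, tied to no person

# 1. Role-assignable security group. IsAssignableToRole can only be set at creation time,
#    and membership can then only be changed by Global Administrators and Privileged Role
#    Administrators (plus any owner, so assign none).
$group = New-MgGroup -DisplayName "BreakGlass-EmergencyAccess" -MailNickname "breakglass" `
    -SecurityEnabled:$true -MailEnabled:$false -IsAssignableToRole:$true

# 2. Permanent (not PIM-eligible) Global Administrator assignment to the group.
#    62e90394-... is the built-in Global Administrator role template ID.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId "62e90394-69f5-4237-9190-012177145e10" `
    -PrincipalId $group.Id -DirectoryScopeId "/" | Out-Null

# 3. Cryptographically random password from printable ASCII (no space), unbiased via GetInt32.
function New-BreakGlassPassword([int]$Length = 100) {
    $alphabet = [char[]](33..126)
    -join (1..$Length | ForEach-Object {
        $alphabet[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($alphabet.Length)]
    })
}

$created = foreach ($name in $accountNames) {
    $password = New-BreakGlassPassword
    $user = New-MgUser -DisplayName $name -UserPrincipalName "$name@$tenantDomain" -MailNickname $name `
        -AccountEnabled:$true -PasswordPolicies "DisablePasswordExpiration" `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Password = $password }
}

# 4. Exclude the group from every existing CA policy. The policy's full Conditions object is
#    passed back so the other conditions (apps, platforms, locations) are preserved.
foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($policy.Conditions.Users.ExcludeGroups -contains $group.Id) { continue }
    $policy.Conditions.Users.ExcludeGroups = @($policy.Conditions.Users.ExcludeGroups) + $group.Id
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -Conditions $policy.Conditions
}

# 5. The one policy that targets the group: phishing-resistant MFA (built-in authentication
#    strength ...0004). Created in report-only mode; set State to "enabled" only after a
#    FIDO2 key is registered and tested on each account, otherwise this policy is the lockout.
New-MgIdentityConditionalAccessPolicy -DisplayName "Break glass - require phishing-resistant MFA" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions @{
        Users          = @{ IncludeGroups = @($group.Id) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    } `
    -GrantControls @{
        Operator               = "OR"
        AuthenticationStrength = @{ Id = "00000000-0000-0000-0000-000000000004" }
    } | Out-Null

# Shown once. Transcribe the passwords to paper and store them as described above;
# do not keep this console output or a transcript.
$created | Format-Table -AutoSize
```

Run it in a session that has no transcript logging enabled, and register the FIDO2 keys on both accounts (and sign in with them) before switching the last policy from report-only to enabled.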

👀Lastly, you should monitor these accounts. Every sign-in attempt with a break glass account, successful or not, should alert several people by e-mail and SMS; a failed attempt means somebody knows which accounts exist. The same monitoring applies to the security group: any change to its membership is an alert.
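The detection logic behind those alerts, as an added example that is not part of the original post: a scheduled check that returns every sign-in attempt by a member of the break glass group and every membership change to the group within the last hour, using the Microsoft Graph PowerShell SDK. The group object ID is an assumption, and delivery of the alert (e-mail, SMS) is left to whatever paging mechanism you already have; Microsoft’s own guidance does the same thing with sign-in logs routed to Log Analytics and an alert rule with an action group.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph modules;
# the group ID is a placeholder for your break glass group's object ID.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "GroupMember.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # assumption

function Get-BreakGlassEvents([string]$GroupId, [int]$LookbackHours = 1) {
    $since   = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $members = Get-MgGroupMember -GroupId $GroupId -All

    # Every sign-in attempt counts: a failed attempt (non-zero error code) with a break glass
    # UPN means the account name is known to someone who should not have it.
    $signIns = foreach ($m in $members) {
        Get-MgAuditLogSignIn -Filter "userId eq '$($m.Id)' and createdDateTime ge $since" -All |
            ForEach-Object {
                [pscustomobject]@{
                    Kind   = "SignIn"
                    Time   = $_.CreatedDateTime
                    Who    = $_.UserPrincipalName
                    Detail = "{0} from {1} (error {2}, CA: {3})" -f `
                             $_.AppDisplayName, $_.IPAddress, $_.Status.ErrorCode, $_.ConditionalAccessStatus
                }
            }
    }

    # Membership changes to the group itself (somebody adding an account they control).
    # Category is filtered server-side; the target group is matched client-side.
    $groupChanges = Get-MgAuditLogDirectoryAudit -Filter "category eq 'GroupManagement' and activityDateTime ge $since" -All |
        Where-Object { $_.TargetResources.Id -contains $GroupId } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = "GroupChange"
                Time   = $_.ActivityDateTime
                Who    = $_.InitiatedBy.User.UserPrincipalName
                Detail = $_.ActivityDisplayName
            }
        }

    @($signIns) + @($groupChanges)
}

$events = Get-BreakGlassEvents -GroupId $breakGlassGroupId
if ($events.Count -gt 0) {
    # Hand these to whatever pages your on-call people: several recipients, e-mail and SMS.
    $events | Sort-Object Time | Format-Table -AutoSize
}
```

Schedule it more often than the lookback window so nothing falls between two runs, and alert on an empty result from the group query as well: if the group has no members, someone removed the accounts.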

And of course – remember to test your break glass accounts!

☎️If you’ve lost access to your tenant without having set up an emergency access account, you’ll need to contact Microsoft to regain access. This process can take a long time. If you have a CSP partner, things might go faster, as these partners hold delegated administrative privileges in your tenant. In either case, you do not want to depend on the time and resources of external parties.

🎛️ Bottom line: take control of your emergency access today!

If you want a better overview of your privileged accounts, take a look at our Proactive Monitoring Service. I’ll be happy to schedule a free demo for you!
