By Kelsey Chalmers on Friday, 14 February 2025
Category: Technical

Emergency Access Accounts

Overview

This blog post introduces the concept of emergency access accounts: what they are, why they're essential, and how to manage them securely, including recent recommendations for authentication. The post focuses on M365 controls, but the general concepts carry over to other environments.

What are Emergency Access Accounts?

An emergency account, sometimes called a "break-glass" account, is an administrative account intended strictly for emergency use. It's designed to provide "all-access" in situations where standard admin credentials are unavailable.

Why Use Emergency Access Accounts?

Emergency accounts are essential for maintaining access during unexpected outages or critical events. Some scenarios where they may be needed include:


This list is not exhaustive but highlights common situations where emergency accounts can prevent or mitigate access issues.

Best Practices for Secure Configuration

Emergency access accounts are highly privileged and typically exempt from routine policies. To ensure they remain secure yet accessible when needed, follow these best practices:

  1. Create Two Emergency Access Accounts
    Provisioning two emergency accounts is recommended. This allows redundancy and alternating dependencies for authentication, adding control and flexibility. Use secure authentication methods distinct from those used by standard admin accounts.
    Account Naming: The account name (e.g., breakglass01 or john.smith) is less critical than its role, so don't get too caught up on it! However, using non-descriptive names adds a layer of obscurity. Regardless, each account will still hold the Global Admin role.
    Domain suffix and Syncing: Emergency access accounts should use the default *.onmicrosoft.com domain for your tenant. They should not be federated or synced from on-premises environments to maintain independence from potential local failures.
  2. Exclude from Most Conditional Access Policies
    To ensure availability during emergencies, exclude these accounts from all but a few essential conditional access policies. While it's important to protect these accounts, applying restrictive policies could inadvertently lock them out. You may want to enforce phishing-resistant MFA or restrict one account to specific office IP addresses or device GUIDs for an additional layer of security.
  3. Assign the Global Admin Role Permanently
    During emergencies, access should be immediate and straightforward, without requiring role assignments. Permanently assigning the Global Admin role minimizes delays and reduces complexity under pressure.
  4. Limit Password and MFA Device Availability
    Emergency account credentials should be unique, long and securely stored. Ideally, these accounts would be passwordless, eliminating the need to know the password. However, if a password or security key is required, restrict access to only those who absolutely need it, likely excluding most of your day-to-day IT team. If passwordless authentication is used, the security key or passkey should be made unavailable to most users, locked away and only accessed when required.
  5. Implement Strong, Phishing-Resistant MFA
    With new MFA enforcement policies in Azure and Entra portals, it's advisable to implement phishing-resistant MFA methods, such as FIDO2-based passkeys or passwordless options. Configure conditional access policies to require these robust authentication methods for these accounts.
  6. Enable Monitoring and Alerting
    Activate monitoring and alerting for emergency access accounts to notify you or your security team of account usage. This enables timely detection of unexpected activity and quick investigation. Ideally, these accounts should only be accessed for periodic testing or in real emergencies.
  7. Conduct Testing
    Finally, regularly test access to these accounts. There's nothing worse than being in an emergency and finding that your accounts can't actually log in and help during the event you've prepared for. A simple login and permission check is all that's needed to make sure the accounts are ready when you need them.

Whilst this is not an extensive list of best practices, it should get you started with correctly configuring and securing emergency access accounts within your tenant!
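To illustrate practices 6 and 7 together, here is an added example (not code from the original post) that scans exported sign-in records and separates planned test logins from unplanned use of an emergency account. It assumes records carrying the Microsoft Graph sign-in fields `userPrincipalName`, `createdDateTime`, `ipAddress` and `status.errorCode`; the account names, test window and sample records are hypothetical.

```python
from datetime import datetime, timezone

# Assumed account names (hypothetical); use your tenant's emergency accounts.
BREAK_GLASS_UPNS = {"breakglass01@contoso.onmicrosoft.com",
                    "breakglass02@contoso.onmicrosoft.com"}
# Assumed schedule of approved access tests, as (start, end) in UTC.
TEST_WINDOWS = [(datetime(2025, 2, 3, 9, 0, tzinfo=timezone.utc),
                 datetime(2025, 2, 3, 10, 0, tzinfo=timezone.utc))]

def parse_time(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-02-03T09:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify(record):
    """Return a severity label for emergency-account events, else None."""
    upn = record.get("userPrincipalName", "").lower()
    if upn not in BREAK_GLASS_UPNS:
        return None
    when = parse_time(record["createdDateTime"])
    planned = any(start <= when <= end for start, end in TEST_WINDOWS)
    succeeded = record.get("status", {}).get("errorCode", 0) == 0  # 0 = success
    if planned:
        return "info: planned test" if succeeded else "warning: planned test failed"
    return "critical: unplanned sign-in" if succeeded else "high: unplanned failed attempt"

def find_alerts(records):
    """Return (severity, upn, time, ip) for each emergency-account event."""
    found = []
    for record in records:
        severity = classify(record)
        if severity:
            found.append((severity, record["userPrincipalName"],
                          record["createdDateTime"], record.get("ipAddress")))
    return found

# Constructed sample records (not real log data); IPs are documentation ranges.
SAMPLE = [{"userPrincipalName": u, "createdDateTime": t, "ipAddress": ip,
           "status": {"errorCode": c}} for u, t, ip, c in [
    ("alice@contoso.com", "2025-02-03T09:05:00Z", "203.0.113.10", 0),
    ("breakglass01@contoso.onmicrosoft.com", "2025-02-03T09:15:00Z", "203.0.113.10", 0),
    ("BreakGlass02@contoso.onmicrosoft.com", "2025-02-11T02:40:00Z", "198.51.100.7", 50126),
    ("breakglass02@contoso.onmicrosoft.com", "2025-02-11T02:44:00Z", "198.51.100.7", 0),
]]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(*alert, sep=" | ")
```

A "planned test failed" result is worth acting on as well, since it means the account would not have worked in a real emergency.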

Summary

Emergency access accounts are a critical safeguard in ensuring access continuity during crises. Following the best practices above provides a foundation for securing these accounts while maintaining their availability. For more assistance with secure Microsoft 365 tenant configuration, emergency accounts or general tenant security, feel free to reach out to CND.