Explained: Establish two emergency access accounts for critical situations, ensuring continuity and security in your system - Microsoft 365
Emergency access or "break glass" accounts are reserved for emergency situations when regular administrative accounts are unavailable. These accounts are not assigned to a specific user and are subject to a combination of physical and technical controls to prevent unauthorized access except in a true emergency, for example when the last remaining Global Administrator account becomes inaccessible.
Ensure that two Emergency Access accounts have been defined.
Why Establish two emergency access accounts for critical situations, ensuring continuity and security in your system - Microsoft 365?
In certain circumstances, an organization might find it necessary to utilize a break glass account for emergency access. Loss of access to administrative functions can severely impact an organization's ability to provide support, compromise its understanding of its security status, and potentially lead to financial losses.
Which Microsoft License Is This Recommended For?
This security setting is recommended for at least E3 Level 1, which aims to be practical and sensible, to offer a distinct security advantage, and not to inhibit the functionality of the technology beyond acceptable means.
How to Establish two emergency access accounts for critical situations, ensuring continuity and security in your system - Microsoft 365:
Step 1 - Creating two emergency access accounts:
- Go to the Microsoft 365 admin center at https://admin.microsoft.com
- Navigate to Users > Active Users.
- Click "Add a user" and create a new user with a name that does not identify it with a specific person, assign the account to the tenant's default .onmicrosoft.com domain rather than the organization's custom domain, and set a randomly generated password of at least 16 characters.
- Do not assign a license, and assign the user the Global Administrator role.
Step 2 - Excluding at least one account from conditional access policies:
- Access the Microsoft Entra admin center at https://entra.microsoft.com/.
- Navigate to Azure Active Directory > Protect & Secure > Conditional Access.
- Review the conditional access policies.
- For each policy, add an exclusion for at least one of the emergency access accounts.
- Under Users > Exclude > Users and groups, select the emergency access account.
Step 3 - Ensuring necessary procedures and policies are in place:
- For the accounts to be usable in a break-glass scenario, the governing policies and procedures must be authorized and distributed by senior management.
- If FIDO2 security keys are used, store them in a separate, secure, fireproof location.
- Passwords should be at least 16 characters long and randomly generated, and may be split into multiple pieces that are only joined together in an emergency.
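The following is an added example, not code from the original page or from Microsoft, that performs Steps 1 and 2 with the Microsoft Graph PowerShell SDK (Microsoft.Graph module). The account names bg-admin-01 and bg-admin-02, the 32-character password length, and excluding only the first account from Conditional Access are assumptions for the example; the Global Administrator role template ID is Microsoft's fixed value. The password expiration setting is Microsoft's general break-glass guidance and is not a requirement stated on this page.

```powershell
# Added example: create two break-glass accounts and exclude one from every Conditional Access policy.
# Assumptions: account names, password length and which account is excluded. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
                        'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Domain.Read.All'

# Initial tenant domain (e.g. contoso.onmicrosoft.com), never a custom or federated domain.
$initialDomain = (Get-MgDomain | Where-Object { $_.IsInitial }).Id

function New-BreakGlassPassword {
    param([int]$Length = 32)   # well above the 16-character minimum
    # 64-symbol alphabet with no 0/O/1/l/I; 64 divides 256, so "byte -band 63" selects uniformly.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    if ($alphabet.Length -ne 64) { throw 'alphabet must contain exactly 64 symbols' }
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

# Global Administrator role template ID (the same in every tenant); activate the role if it was never used.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $gaRole) { $gaRole = New-MgDirectoryRole -RoleTemplateId $gaTemplateId }

# Step 1: two cloud-only, unlicensed accounts in the initial domain, with non-identifying names (assumed).
$accounts = foreach ($name in 'bg-admin-01', 'bg-admin-02') {
    $password = New-BreakGlassPassword
    $user = New-MgUser -AccountEnabled:$true -DisplayName $name -MailNickname $name `
        -UserPrincipalName "$($name)@$($initialDomain)" `
        -PasswordPolicies 'DisablePasswordExpiration' `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
    # No -AssignedLicenses, so the account stays unlicensed; now make it a Global Administrator.
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id `
        -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" } | Out-Null
    [pscustomobject]@{ Upn = $user.UserPrincipalName; Id = $user.Id; Password = $password }
}

# Step 2: exclude the first account from every policy (the second account stays subject to them).
$excluded = $accounts[0]
foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($policy.Conditions.Users.ExcludeUsers -contains $excluded.Id) { continue }
    $policy.Conditions.Users.ExcludeUsers = [string[]]($policy.Conditions.Users.ExcludeUsers + $excluded.Id)
    # Send the whole condition set back so that no other include/exclude list is lost in the PATCH.
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -Conditions $policy.Conditions
}

# Show the credentials exactly once; record them offline (for example split and sealed), never in a file.
$accounts | Select-Object Upn, Id, Password
```

Run this from an existing Global Administrator session; the `Update-MgIdentityConditionalAccessPolicy` call touches every policy, so review the list first (for example with `Get-MgIdentityConditionalAccessPolicy -All | Select-Object DisplayName, State`) before letting it modify them.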
What business impact does the security best practice "Establish two emergency access accounts for critical situations, ensuring continuity and security in your system - Microsoft 365" have?
Improper implementation of an emergency access account could weaken an organization's security posture. Microsoft recommends excluding at least one of these accounts from all Conditional Access policies so that a misconfigured policy cannot lock every administrator out; the trade-off is that the excluded account is not protected by the MFA or other controls those policies enforce, so its password must have sufficient length and entropy to resist guessing. Alternatively, FIDO2 security keys may be used as a secure passwordless credential.
How to verify the security best practice "Establish two emergency access accounts for critical situations, ensuring continuity and security in your system - Microsoft 365" has been implemented:
Step 1 - Ensure organization policies and procedures are in place:
- For the accounts to be usable in a break-glass scenario, the governing policies and procedures must be authorized and distributed by senior management.
- If FIDO2 security keys are used, store them in a separate, secure, fireproof location.
- Passwords should be at least 16 characters long and randomly generated, and may be split into multiple pieces that are only joined together in an emergency.
Step 2 - Ensure two emergency access accounts are defined:
- Go to the Microsoft 365 admin center at https://admin.microsoft.com.
- Navigate to Users > Active Users.
- Ensure the emergency accounts are named so that they do not identify a specific person, use the default .onmicrosoft.com domain rather than the organization's custom domain, are cloud-only, are unlicensed, and hold the Global Administrator directory role.
Step 3 - Ensure at least one account is excluded from all conditional access rules:
- Access the Microsoft Entra admin center at https://entra.microsoft.com/.
- Navigate to Azure Active Directory > Protect & Secure > Conditional Access.
- Review the conditional access rules.
- Ensure that one of the emergency access accounts is excluded from all rules.
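As an added verification example (again not code from the original page or from Microsoft), the following Microsoft Graph PowerShell script checks Steps 2 and 3 of the verification in one pass: account naming domain, cloud-only status, licensing, Global Administrator membership, and exclusion from every Conditional Access policy. The two UPNs in $emergencyUpns are placeholders for the real account names.

```powershell
# Added example: audit the break-glass accounts against the verification checks above.
# Assumption: the two UPNs below are placeholders for your tenant's emergency accounts.
Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All', 'Policy.Read.All', 'Domain.Read.All'

$emergencyUpns = 'bg-admin-01@contoso.onmicrosoft.com', 'bg-admin-02@contoso.onmicrosoft.com'

$initialDomain = (Get-MgDomain | Where-Object { $_.IsInitial }).Id
$gaRole        = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
# Active (not merely PIM-eligible) Global Administrator members; empty if the role was never activated.
$gaMemberIds   = if ($gaRole) { @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id } else { @() }
$policies      = @(Get-MgIdentityConditionalAccessPolicy -All)

$findings = foreach ($upn in $emergencyUpns) {
    $u = Get-MgUser -UserId $upn -Property 'Id', 'UserPrincipalName', 'AccountEnabled', 'OnPremisesSyncEnabled', 'AssignedLicenses'
    $notExcludedFrom = @($policies | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $u.Id })
    [pscustomobject]@{
        Upn             = $upn
        Enabled         = [bool]$u.AccountEnabled
        CloudOnly       = -not $u.OnPremisesSyncEnabled                 # $null or $false = not synced from AD
        InitialDomain   = ($upn.Split('@')[1] -eq $initialDomain)       # .onmicrosoft.com, not a custom domain
        Unlicensed      = (@($u.AssignedLicenses).Count -eq 0)
        GlobalAdmin     = ($gaMemberIds -contains $u.Id)
        ExcludedFromAll = ($notExcludedFrom.Count -eq 0)
        StillInPolicies = ($notExcludedFrom.DisplayName -join '; ')      # policies that still apply to it
    }
}
$findings = @($findings)
$findings | Format-List

# Verdict: exactly two accounts, each built correctly, and at least one excluded from every policy.
$perAccountOk = @($findings | Where-Object { $_.Enabled -and $_.CloudOnly -and $_.InitialDomain -and $_.Unlicensed -and $_.GlobalAdmin }).Count
$anyExcluded  = @($findings | Where-Object ExcludedFromAll).Count
if ($findings.Count -eq 2 -and $perAccountOk -eq 2 -and $anyExcluded -ge 1) { 'PASS' } else { 'FAIL' }
```

The StillInPolicies column names the policies that have not excluded a given account, which is the list to work through when the verdict is FAIL. The role check reads active directory role members only, so an account that is merely PIM-eligible for Global Administrator is reported as not holding the role, which is the desired result for a break-glass account.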