Lukas Beran is a Senior Cybersecurity Consultant and part of Microsoft’s famed Diagnostics & Recovery Team (DART), now renamed the Microsoft Incident Response Team (MIRT). These are Microsoft’s cybersecurity shock troopers who swoop in when you call 911 and need cybersecurity help now, now, now (breach, ransomware, DDoS, etc.).
His blog is loaded with great advice but one thing he’s written about recently that everyone could use some help with is break glass accounts for Entra ID.
Do you have a break glass account in Entra ID? If not, read on:
When you start tightening the requirements for access to your corporate cloud, it can be easy to accidentally lock yourself out and cut yourself off from access to the admin interface.
Alternatively, some part of Microsoft Entra ID may fail. For example, there have been a couple of times in the past where multi-factor authentication in Microsoft Entra ID has had a failure and you couldn’t authenticate.
The above are the primary reasons why you should have break-glass accounts (also known as emergency access accounts) in your environment. Break-glass accounts are special accounts with the highest privileges that are used for emergency access when standard options and methods are not available, like just the two reasons mentioned above.
Break-glass accounts should be exempted from all restrictions, i.e. typically from all conditional access policies. They will not require MFA, they will not require compliant devices, there will be no restrictions on them at all.
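The exemption described above only protects you if every enforced Conditional Access policy really does exclude the break-glass accounts, and a newly created policy can silently undo that. The following audit script is an added example, not code from Lukas Beran's post; it uses the Microsoft Graph PowerShell SDK (`Get-MgIdentityConditionalAccessPolicy`, `Get-MgUser`, `Get-MgGroupMember`) and assumes placeholder break-glass UPNs that you replace with your own. It reports every enabled or report-only policy that does not exclude each break-glass account, whether directly or through an excluded group.

```powershell
# Added example: audit Conditional Access policies for missing break-glass exclusions.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the UPNs below are placeholders.
$breakGlassUpns = @(
    'breakglass1@contoso.example',   # placeholder
    'breakglass2@contoso.example'    # placeholder
)

# Read-only scopes are enough for an audit.
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'GroupMember.Read.All'

# CA exclusions are stored as object IDs, so map each UPN to its ID (and back for reporting).
$idToUpn = @{}
foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName
    $idToUpn[$user.Id] = $user.UserPrincipalName
}

# Cache group memberships so each excluded group is expanded only once.
$groupMembers = @{}
function Get-ExcludedUserIds {
    param($Policy)
    $ids = @($Policy.Conditions.Users.ExcludeUsers)
    foreach ($groupId in @($Policy.Conditions.Users.ExcludeGroups)) {
        if (-not $groupMembers.ContainsKey($groupId)) {
            $groupMembers[$groupId] = @((Get-MgGroupMember -GroupId $groupId -All).Id)
        }
        $ids += $groupMembers[$groupId]
    }
    return $ids
}

$gaps = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    # Disabled policies enforce nothing; report-only ones will bite once switched on.
    if ($policy.State -eq 'disabled') { continue }

    $excluded = Get-ExcludedUserIds -Policy $policy
    $missing  = $idToUpn.Keys | Where-Object { $_ -notin $excluded }
    if ($missing) {
        [pscustomobject]@{
            Policy  = $policy.DisplayName
            State   = $policy.State
            Missing = ($missing | ForEach-Object { $idToUpn[$_] }) -join ', '
        }
    }
}

if ($gaps) {
    Write-Warning 'Policies that do not exclude every break-glass account:'
    $gaps | Format-Table -AutoSize
} else {
    Write-Host 'All enforced Conditional Access policies exclude the break-glass accounts.'
}
```

Run it after every Conditional Access change and on a schedule; an empty result is the state you want, and any row means an account you are counting on during an outage may itself be blocked by MFA or device requirements it cannot satisfy.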
…
Read the article here:
- BLOG: How to manage break-glass accounts in Microsoft Entra ID
https://www.cswrld.com/2023/12/how-to-manage-break-glass-accounts-in-microsoft-entra-id/