It is important that you prevent being accidentally locked out of your Microsoft Entra organization because you can’t sign in or activate another user’s account as an administrator. You can mitigate the impact of an accidental loss of administrative access by creating two or more emergency access accounts, also called break glass accounts (BGA), in your organization.
I will also show Break Glass Account Notifications.
Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency access accounts are limited to emergency or “break glass” scenarios where normal administrative accounts can’t be used. We recommend that you maintain a goal of restricting emergency account use to only the times when it is absolutely necessary.
During an emergency, you do not want a policy to potentially block your access to fix an issue. If you use Conditional Access, at least one emergency access account needs to be excluded from all Conditional Access policies.
Security Guideline for the BGA account
- Should have a complex password
- There should be a list of admins that are allowed to use this account
- Preferably at least 2 accounts in your tenant
- Store the passwords in a safe place, inside or outside your company
- Monitor the sign-ins
Configuration Guideline for the BGA account
- Must have the Global Administrator role assigned
- Must have password set to never expire
- Must not have MFA configured
- Must be excluded from ALL Conditional Access policies
- Must be a cloud-only account
- Should use the tenant's *.onmicrosoft.com domain
- Should not be synchronized with on-prem AD
- Should not be connected with any employee-supplied mobile phones or hardware tokens.
Prerequisites
- An Azure Subscription.
- A Break Glass Account. (With password never expires set, excluded from ALL Conditional Access policies and excluded from MFA and Self Service Password Reset registration)
- The object id of the Break Glass Account gathered from Entra ID.
How To Configure
Log Analytics Workspace Setup
In your Azure subscription create a new resource group e.g. RG-BGANotifications.
In this resource group create a log analytics workspace e.g. LAW-BGANotifications.
Go to Azure AD – Diagnostic Settings, click add diagnostic setting.
Fill in the name, tick AuditLogs and SigninLogs, tick Send to Log Analytics workspace and select the correct subscription and the correct workspace.
Click save on the top left corner.
Create Alert Rule
Go to the LAW-BGANotifications log analytics workspace and click on Alerts. Click create custom alert rule.
On the conditions tab click see all signals.
Select custom log search.
In the search query, copy this (replace the placeholder with the object ID of the BGA account you gathered from Entra ID):
SigninLogs
| where UserId == "<object ID of the BGA account from Entra ID>"
| project TimeGenerated, UserPrincipalName, UserId, IPAddress, ResultType
Leave all other settings as they are. Under Alert logic, enter 0 as the Threshold value, so the rule fires on any sign-in by the account.
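As an added example (not part of the original post), a broader alert query that watches both sign-ins by the break glass accounts and changes made to those accounts (password resets, MFA or SSPR registration, role assignments). The AuditLogs table is already in the workspace because the diagnostic setting above forwards it; the object IDs are placeholders you replace with your own, and the 1h lookback is an assumption that should match the alert rule's evaluation window.

```kql
// Added example, not from the original post.
// Placeholders: replace with the object IDs of your break glass accounts from Entra ID.
let BgaIds = dynamic(["<object ID of BGA 1>", "<object ID of BGA 2>"]);
let lookback = 1h;   // assumption: same window as the alert rule's evaluation period
// 1) Any sign-in by a BGA (what the original rule alerts on), with CA/MFA outcome
let bgaSignIns = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserId in (BgaIds)
    | project TimeGenerated,
              Activity = "BGA sign-in",
              Actor = UserPrincipalName,
              Target = UserPrincipalName,
              IPAddress,
              Outcome = iff(ResultType == "0", "Success", strcat("Failure: ", ResultDescription)),
              Detail = strcat("CA: ", ConditionalAccessStatus, "; Auth: ", AuthenticationRequirement);
// 2) Any directory change whose target is a BGA: password reset, security info
//    (MFA/SSPR) registration, role membership changes, user property updates
let bgaChanges = AuditLogs
    | where TimeGenerated > ago(lookback)
    | mv-expand TargetResources
    | where tostring(TargetResources.id) in (BgaIds)
    | project TimeGenerated,
              Activity = OperationName,
              Actor = iff(isnotempty(InitiatedBy.user),
                          tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName)),
              Target = tostring(TargetResources.userPrincipalName),
              IPAddress = tostring(InitiatedBy.user.ipAddress),
              Outcome = strcat(Result, " ", ResultReason),
              Detail = tostring(TargetResources.modifiedProperties);
// One row per event; keep the rule's threshold at 0 so any row raises the alert
union bgaSignIns, bgaChanges
| order by TimeGenerated desc
```

Interactive sign-ins only are covered by SigninLogs; if you also enable the NonInteractiveUserSignInLogs category in the diagnostic setting, the same UserId filter can be applied to that table.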
Create Action Group
Click next: Actions.
Click Create action group and fill in as in the screenshot.
Click Next: Notifications and fill the necessary email addresses and phone numbers.
Click Next: Actions.
Click Next: Tags.
Click Next: Review + create.
Click Create.
Now you will see the Action group under the Create an alert rule – Actions tab.
Create an Alert Rule
Click Next: Details and fill in as in the screenshot.

Click Next: Tags.
Click Next: Review + create.
Click Create.
Now you will see your created Alert rule under the Alert rules tab.

Summary
Now you can test your notifications by logging in with your BGA account. After the login you should receive an email and an SMS message.
Best Practices for periodically testing the BGA account:
Staff members who are allowed to use the emergency access accounts and who validate them should, at a minimum, perform the following steps at regular intervals:
- Ensure that security-monitoring staff are aware that the account-check activity is ongoing.
- Ensure that the emergency break glass process to use these accounts is documented and current.
- Ensure that administrators and security officers who might need to perform these steps during an emergency are trained on the process.
- Update the account credentials, in particular any passwords, for your emergency access accounts, and then validate that the emergency access accounts can sign in and perform administrative tasks.
- Ensure that users have not registered Multi-Factor Authentication or self-service password reset (SSPR) to any individual user’s device or personal details.
- If the accounts are registered for Multi-Factor Authentication to a device, for use during sign-in or role activation, ensure that the device is accessible to all administrators who might need to use it during an emergency. Also verify that the device can communicate through at least two network paths that do not share a common failure mode. For example, the device can communicate to the internet through both a facility’s wireless network and a cell provider network.
These steps should be performed at regular intervals and for key changes:
- At least every 90 days
- When there has been a recent change in IT staff, such as a job change, a departure, or a new hire
- When the Azure AD subscriptions in the organization have changed
Any comments on Microsoft enforcing MFA for all admin centers soon? So our Break Glass Account needs to be configured with MFA. Any suggestions? What MFA should we use, and who should have access to the MFA?
I need to update this guide. There are some new best practices regarding BGA accounts. I didn’t have time yet.