Break Glass Account for Office 365 Login During Emergency Situations

On Day 4 of Cybersecurity awareness month, learn to conceal your organization from cyber threats today. Stay tuned for more blogs in the Cybersecurity blog series.

A sudden hindrance during work affects our productivity, think of an incident that happened in the past caused due to the MFA outage, that led all the office 365 users to face log-in issues. Admins were most affected during the incident.What if the same happens in the future? An emergency account with different MFA authentication methods is required

“We are never more in danger than when we think ourselves most secure, nor in reality more secure than when we seem to be most in danger.”

                                                                                                                       ~ William Cowper

What is Break Glass Account?

Always being prepared is the best practice. So, we need a break glass account to help us with emergency situations. A break glass account is a substitute account for your regular admin account with global admin privilege, used in emergency situations.  Generally, it is not suggested to assign a license to a break glass account.

Why Do You Need Break Glass Account?

Break glass account is your way out of all the below-mentioned situations.

• When the authentication method used for MFA is in an outage , the users cannot log in to their accounts.
• If you set up your admin account with a conditional access policy, getting yourself locked out from the tenant.
• If the Global admin of the organization left, the information related to the account must be recovered.
• In the worst case due to any natural calamities all the mobile service can be down.

What Are the Do’s and Don’ts for Creating a Strong Break Glass Account?

A break glass account is a highly permissioned account, so access to these accounts must be regulated. The following do’s and don’ts will be helpful to maintain a safer break glass account.

Do’s

• The break glass account must be equipped with a complex password that includes the alphabet, symbols, numerals, etc.,
• This account must be provided with the “Global Admin” privilege.  
• This account must be connected to a cloud to reduce Privilege Identity Management and federation issues.
• Providing an unusual name to the break glass account to keep the account away from password spray attacks. E.g.: Mailtemplate@org.com

Don’ts

• These accounts must be excluded from all the conditional access policies.
• MFA authentication must be disabled for a break glass account.

Do We Need to Disable MFA Authentication?

We use the break glass account to make an entry during emergency situations. MFA outage can also stop us from signing into our account. It doesn’t mean you need to disable MFA, you just can set a different mechanism of MFA for the break glass account. The regular SMS authentication method must be avoided.

How To Create a Break Glass Account?

Creating a break glass account is the same as creating a new user in Azure Active Directory. The difference is the configuration you set for the account. The Previously mentioned Guidelines can be followed to create a user.

• Go to Azure Active Directory admin center.
• Select the User option.
• Click New User→Create New User.
• Enter the required details and Click Create.

How To Preserve Break glass Account?

A break glass account is an account with Global Admin privilege, the user who accesses the account will get entire access to the organization and sensitive data. So, it is important to maintain it in a proper manner. The most effective ways to maintain the break glass account are

• Protecting the password
• Checking Sign in using audit logs
• Setting up Login alerts

Protecting the Password:

Setting a strong password for the break glass account is not enough, storing it also plays a major role. So, how to store it? We can save the password by segregating the password into two or more pieces and storing it in a fireproof safe place. The other way is by providing access to the password only to the admins of the organization.

Checking Sign-In Using Audit Logs:

Being a highly privileged account, it is important to keep an eye on the log-in activities of the break glass account. To monitor sign-in activities,

1. Go to Azure Active Directory Admin Center.
2. Select Audit Log from the Left pane.
3. The audit activities are displayed, click the Add filter and select Initiated by field.
4. Then enter the break glass account name and click Apply.

Setting up Login Alert:

All the time we can’t check on the sign-in activities manually instead, we can set an alert that notifies us whenever a user signs in using the break glass account. To create an alert policy, you can follow the listed steps.

1. Go to the Security Admin center.
2. Click Policies and rules under the Email & collaboration category.
3. Navigate to Activity alerts.
4. Click New alert Policy.
5. Under the activities section select “User logged in” and fill in the other details.
6. Click Save.

In general, a break glass account is an emergency entrance to your organization that provides you with all the admin access. Having one or two break glass accounts in your organization is recommended based on the size of the organization.  Hope we have fulfilled your requirements regarding the break glass accounts. If you have any further queries, feel free to reach us through social media. We would be glad to assist you!

---