On Day 4 of Cybersecurity Awareness Month, learn how to shield your organization from cyber threats. Stay tuned for more blogs in the Cybersecurity blog series.
A sudden hindrance during work hurts productivity. Think of the past incident in which an MFA outage caused login issues for all Office 365 users; admins were the most affected. What if the same happens in the future? An emergency account with a different MFA authentication method is required.
“We are never more in danger than when we think ourselves most secure, nor in reality more secure than when we seem to be most in danger.”
~ William Cowper
What Is a Break Glass Account?
Always being prepared is the best practice, so we need a break glass account to help us in emergency situations. A break glass account is a substitute for your regular admin account, holds the Global Admin privilege, and is used only in emergencies. Generally, it is not recommended to assign a license to a break glass account.
Why Do You Need a Break Glass Account?
A break glass account is your way out of all the situations below.
- When the authentication method used for MFA is in an outage, users cannot log in to their accounts.
- If you set up your admin account with a conditional access policy, you can get locked out of the tenant.
- If the Global Admin of the organization leaves, the information tied to that account must still be recoverable.
- In the worst case, a natural calamity can take down all mobile services.
What Are the Do’s and Don’ts for Creating a Strong Break Glass Account?
A break glass account is a highly permissioned account, so access to it must be regulated. The following do's and don'ts will help you maintain a safer break glass account.
- The break glass account must have a complex password that includes letters, symbols, numerals, etc.
- This account must be granted the “Global Admin” privilege.
- This account must be a cloud-only account, which avoids Privileged Identity Management and federation issues.
- Give the break glass account an unusual name to keep it away from password spray attacks, e.g., Mailtemplate@org.com.
- These accounts must be excluded from all conditional access policies.
- MFA authentication must be disabled for a break glass account.
Do We Need to Disable MFA Authentication?
We use the break glass account to get in during emergency situations, and an MFA outage can also stop us from signing in. That doesn't mean you need to disable MFA; you can simply set a different MFA mechanism for the break glass account. The regular SMS authentication method must be avoided.
How To Create a Break Glass Account?
Creating a break glass account is the same as creating a new user in Azure Active Directory; the difference lies in the configuration you set for the account. Follow the previously mentioned guidelines when creating the user.
- Go to the Azure Active Directory admin center.
- Select the Users option.
- Click New User → Create new user.
- Enter the required details and click Create.
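The portal steps above, scripted with Microsoft Graph PowerShell, as an added example that is not part of the original post. It applies the do's and don'ts from the previous section in one pass: a long random password from the OS CSPRNG, no license, the Global Administrator role, and an exclusion from every Conditional Access policy. It assumes the Microsoft.Graph module is installed, that the admin running it holds a role that can assign Global Administrator and edit Conditional Access, and that `org.com`, the account name and the display name are placeholders.

```powershell
# Added example (not from the original post). Placeholders: org.com, Mailtemplate.
# Requires the Microsoft.Graph module and an admin with rights to assign roles
# and edit Conditional Access policies.
Connect-MgGraph -Scopes 'User.ReadWrite.All','RoleManagement.ReadWrite.Directory','Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

# Build a long random password from the OS CSPRNG (not Get-Random).
# Rejection sampling keeps every character in the alphabet equally likely.
function New-StrongPassword {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

$upn      = 'Mailtemplate@org.com'   # unusual name, as the post suggests; domain is a placeholder
$password = New-StrongPassword -Length 32

# Cloud-only user, no license, password does not expire at first sign-in.
$user = New-MgUser -AccountEnabled:$true -DisplayName 'Mail Template' -MailNickname 'Mailtemplate' `
    -UserPrincipalName $upn `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# Global Administrator: activate the role from its template if the tenant has never used it.
$template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'
$role     = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
    -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }

# Exclude the account from every Conditional Access policy. A PATCH replaces the
# whole conditions.users object, so the existing lists are copied back in.
# (Add includeGuestsOrExternalUsers as well if your policies use it.)
foreach ($policy in Get-MgIdentityConditionalAccessPolicy) {
    $u = $policy.Conditions.Users
    if ($u.ExcludeUsers -contains $user.Id) { continue }
    $body = @{
        conditions = @{
            users = @{
                includeUsers  = @($u.IncludeUsers  | Where-Object { $_ })
                excludeUsers  = @($u.ExcludeUsers  | Where-Object { $_ }) + $user.Id
                includeGroups = @($u.IncludeGroups | Where-Object { $_ })
                excludeGroups = @($u.ExcludeGroups | Where-Object { $_ })
                includeRoles  = @($u.IncludeRoles  | Where-Object { $_ })
                excludeRoles  = @($u.ExcludeRoles  | Where-Object { $_ })
            }
        }
    }
    try {
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter $body
        Write-Output "Excluded $upn from policy '$($policy.DisplayName)'"
    } catch {
        Write-Warning "Could not update policy '$($policy.DisplayName)': $($_.Exception.Message)"
    }
}

# Show the password exactly once so it can be recorded offline, then drop it from memory.
Write-Output "Password for $upn (record it now and store it offline): $password"
Remove-Variable password
```

Run the script once; re-running it will skip policies that already exclude the account. Verify the result afterwards in the portal: the user should appear under the Global Administrator role, carry no license, and show up in the Exclude list of each policy.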
How To Preserve a Break Glass Account?
A break glass account carries the Global Admin privilege, so whoever accesses it gets full access to the organization and its sensitive data. It is therefore important to maintain it properly. The most effective ways to maintain the break glass account are
- Protecting the password
- Checking sign-ins using audit logs
- Setting up login alerts
Protecting the Password:
Setting a strong password for the break glass account is not enough; storing it safely matters just as much. So, how should it be stored? One way is to segregate the password into two or more pieces and keep them in a fireproof safe. The other way is to give access to the password only to the admins of the organization.
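An added example, not from the original post, of how to cut the stored password into pieces in a way that goes beyond a plain split: each piece is an XOR share, so a single piece (or any incomplete set) looks like random bytes and leaks nothing about the password, whereas the first half of a plainly split password is a useful hint to an attacker. All shares are required to recover the secret (a threshold scheme such as Shamir's would be needed for "any k of n"). The password value below is a constructed placeholder.

```powershell
# Added example (not from the original post). Splits a secret into N XOR shares;
# N-1 shares are random and the last one is the secret XORed with all of them.
function Split-Secret {
    param(
        [Parameter(Mandatory)][string]$Secret,
        [int]$Shares = 2
    )
    if ($Shares -lt 2) { throw 'At least two shares are required.' }
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $acc   = [byte[]]$plain.Clone()   # running XOR of secret and random shares
    $parts = @()
    for ($k = 1; $k -lt $Shares; $k++) {
        $r = New-Object byte[] $plain.Length
        $rng.GetBytes($r)
        for ($i = 0; $i -lt $plain.Length; $i++) { $acc[$i] = $acc[$i] -bxor $r[$i] }
        $parts += ,[Convert]::ToBase64String($r)
    }
    $rng.Dispose()
    $parts += ,[Convert]::ToBase64String($acc)   # final share completes the XOR chain
    return $parts
}

# XOR every share back together to recover the secret; fails loudly if a share is
# missing or corrupted (length mismatch).
function Join-Secret {
    param([Parameter(Mandatory)][string[]]$Parts)
    $bytes = $Parts | ForEach-Object { ,[Convert]::FromBase64String($_) }
    $len   = $bytes[0].Length
    foreach ($b in $bytes) { if ($b.Length -ne $len) { throw 'Share lengths differ; a share is missing or damaged.' } }
    $out = New-Object byte[] $len
    foreach ($b in $bytes) {
        for ($i = 0; $i -lt $len; $i++) { $out[$i] = $out[$i] -bxor $b[$i] }
    }
    return [System.Text.Encoding]::UTF8.GetString($out)
}

# Usage with a constructed placeholder password and three custodians.
$shares = Split-Secret -Secret 'placeholder-break-glass-password' -Shares 3
for ($n = 0; $n -lt $shares.Count; $n++) { "Share $($n + 1) (sealed envelope $($n + 1)): $($shares[$n])" }

# During an emergency, the custodians bring all envelopes together:
Join-Secret -Parts $shares   # prints the original password
```

Print each share on its own sheet, seal it, and store the envelopes in separate fireproof locations with a log of who holds which one; the Base64 form exists only so the shares can be typed back in without transcription errors.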
Checking Sign-In Using Audit Logs:
Being a highly privileged account, the break glass account's log-in activities must be watched closely. To monitor sign-in activities:
- Go to the Azure Active Directory admin center.
- Select Audit Log from the left pane.
- The audit activities are displayed; click Add filter and select the Initiated by field.
- Then enter the break glass account name and click Apply.
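The same review done from Microsoft Graph PowerShell, as an added example that is not part of the original post. It pulls the account's sign-ins from the sign-in log, flags any that fall outside a declared emergency window, and then lists the directory changes the account initiated (the portal's "Initiated by" filter from the steps above). It assumes the Microsoft.Graph module with AuditLog.Read.All and Directory.Read.All; the UPN, the lookback period and the approved window are constructed placeholders.

```powershell
# Added example (not from the original post). Placeholders: UPN, lookback, windows.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'

$breakGlassUpn = 'Mailtemplate@org.com'
$lookbackDays  = 30

# Declared emergency windows (constructed placeholders). Any sign-in outside them
# is unexpected: nobody should touch this account without an incident in progress.
$approvedWindows = @(
    @{ Start = [datetime]::UtcNow.AddDays(-3); End = [datetime]::UtcNow.AddDays(-3).AddHours(4) }
)

function Test-InApprovedWindow {
    param([datetime]$Time)
    foreach ($w in $approvedWindows) {
        if ($Time -ge $w.Start -and $Time -le $w.End) { return $true }
    }
    return $false
}

$since   = [datetime]::UtcNow.AddDays(-$lookbackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$breakGlassUpn' and createdDateTime ge $since"

# One row per sign-in: where from, which app, success or failure, and whether it was expected.
$report = foreach ($s in $signIns) {
    [pscustomobject]@{
        Time     = $s.CreatedDateTime
        IP       = $s.IPAddress
        Location = "$($s.Location.City), $($s.Location.CountryOrRegion)"
        App      = $s.AppDisplayName
        Status   = if ($s.Status.ErrorCode -eq 0) { 'Success' } else { "Failed ($($s.Status.FailureReason))" }
        Approved = Test-InApprovedWindow -Time $s.CreatedDateTime
    }
}
$report | Sort-Object Time -Descending | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) sign-in(s) to $breakGlassUpn outside any approved window. Investigate."
}

# What the account did once inside: directory audit events it initiated.
$actions = Get-MgAuditLogDirectoryAudit -All `
    -Filter "initiatedBy/user/userPrincipalName eq '$breakGlassUpn' and activityDateTime ge $since"
$actions | Select-Object ActivityDateTime, ActivityDisplayName, Category, Result |
    Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Failed sign-ins matter as much as successful ones here: repeated failures against an account nobody should be using are an early sign that its unusual name has been discovered.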
Setting up Login Alerts:
We can't check the sign-in activities manually all the time; instead, we can set an alert that notifies us whenever a user signs in with the break glass account. To create an alert policy, follow the steps below.
- Go to the Security Admin center.
- Click Policies and rules under the Email & collaboration category.
- Navigate to Activity alerts.
- Click New alert Policy.
- Under the Activities section, select “User logged in” and fill in the other details.
- Click Save.
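The same activity alert created from Security & Compliance PowerShell, as an added example that is not part of the original post. It uses the `New-ActivityAlert` cmdlet from the ExchangeOnlineManagement module with the `UserLoggedIn` operation scoped to the break glass account, and it is safe to re-run. The admin, account and recipient addresses are placeholders.

```powershell
# Added example (not from the original post). Placeholders: all org.com addresses.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@org.com'

$breakGlassUpn = 'Mailtemplate@org.com'
$alertName     = "Break glass sign-in: $breakGlassUpn"

# Create the alert only if it does not exist yet, so the script is idempotent.
if (-not (Get-ActivityAlert -Identity $alertName -ErrorAction SilentlyContinue)) {
    New-ActivityAlert -Name $alertName `
        -Operation UserLoggedIn `
        -UserId $breakGlassUpn `
        -NotifyUser 'secops@org.com','admin@org.com' `
        -Description 'Emergency account was used. Confirm a declared incident is in progress.'
}

# Confirm the alert is active and scoped to the right account and recipients.
Get-ActivityAlert -Identity $alertName | Format-List Name, Operation, UserId, NotifyUser, Disabled
```

Send the notification to at least two recipients outside the admin team that holds the password, so that use of the account is always seen by someone who did not initiate it.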
In general, a break glass account is an emergency entrance to your organization that grants full admin access. Having one or two break glass accounts is recommended, depending on the size of the organization. We hope this has answered your questions about break glass accounts. If you have any further queries, feel free to reach us through social media. We would be glad to assist you!
Unleash AdminDroid’s Powerful Insights for Admin Account Security
Break glass accounts, which possess powerful permissions, require stringent regulation for effective management. While Office 365 audit logs offer valuable insights, their limitations can hinder comprehensive auditing of critical events. That's where the AdminDroid Microsoft 365 reporter comes into play, offering dedicated reports 📊 specifically focused on admin activities!
With AdminDroid, you can stay on top of account changes with dedicated admin dashboards and report boards that offer complete visibility into admin activities, plus a wide range of Microsoft 365 admin reports, including:
- All Global Admins
- Admins with Management Roles
- Admins with Read Access Roles
- Admin Roles by Users
- Administrative Apps
- Admins with Password Never Expire
- Admins without MFA
For every Office 365 admin, the AdminDroid Microsoft 365 reporting tool is a must-have solution for effectively monitoring and managing administrative actions. Further, it provides insightful reports on accounts that need to be given special attention in the organization, such as admin role changes, license reports, password reports, group reports, etc.
AdminDroid Azure AD management tool offers over 190 insightful reports for administrative activities. But that’s not all – this platform also offers more than 1800 all-inclusive reports and over 30 dashboards for a variety of other Office 365 services, including Exchange Online, Microsoft Teams, OneDrive for Business, and more.
Don’t wait any longer! Download AdminDroid today and enjoy seamless Office 365 monitoring.