introduction
Any organization might require an emergency account in Azure Active Directory for many difficult situations, including but NOT limited to:
- The administrator is registered with Azure Multi-Factor Authentication (MFA) and all of their personal devices are unavailable or even stolen 🙁
- All synchronized accounts with admin access are deleted and/or disabled by a malicious attack
- Unforeseen situations such as natural disasters (earthquakes, fire outbreaks, etc.)
- Mobile service is NOT available from the Internet service provider (ISP)
emergency account characteristics
An emergency access account is a highly privileged, cloud-only Azure AD user account that we’ll use only in an emergency.
- Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the @pioneers101.onmicrosoft.com domain and NOT @networkspioneers.com
- An emergency account should have the following characteristics:
  - associated permanently with the Global Administrator Azure AD role
  - configured with a non-expiring password
  - exempt from (excluded from) Azure MFA policies
  - exempt from Conditional Access and Identity Protection policies
  - not made eligible to activate the Global Administrator role via Azure AD Privileged Identity Management (PIM)
- The password you assign to the emergency access account should be at least 16 characters long and generated (pseudo)randomly
- Do not associate the emergency access account with any individual person at your organization
- It must have a complex password, preferably split into two parts and stored in envelopes at two different secure locations in fireproof safes
- Be sure to monitor the break glass accounts in the Azure AD sign-in logs and audit logs and act on any unexpected activity.
audit emergency account
Organizations should monitor sign-in and audit log activity from the emergency accounts and trigger notifications to other administrators.
When you monitor the activity on break glass accounts, you can verify these accounts are only used for testing or actual emergencies.
You can use Azure Log Analytics to monitor the sign-in logs and trigger email and SMS alerts to your admins whenever break glass accounts sign in.
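As an added example (not part of the original post), this is a Log Analytics (KQL) query that a scheduled Azure Monitor alert rule can run against the SigninLogs and AuditLogs tables; it assumes diagnostic settings already forward Azure AD logs to the workspace, and the two object IDs are placeholders for your own emergency accounts.

```kusto
// Added example: surface every sign-in by, and every directory change made by,
// the break glass accounts so an alert rule can notify the other admins.
// Replace the placeholder object IDs with the object IDs of your emergency accounts.
let BreakGlassAccounts = dynamic([
    "00000000-0000-0000-0000-000000000001", // placeholder: emergency account 1
    "00000000-0000-0000-0000-000000000002"  // placeholder: emergency account 2
]);
// Interactive sign-ins (successful or failed) from the emergency accounts.
let SignIns = SigninLogs
    | where UserId in (BreakGlassAccounts)
    | project TimeGenerated,
              Account  = UserPrincipalName,
              Activity = "Sign-in",
              Result   = ResultDescription,   // e.g. success or the failure reason
              IPAddress,
              Detail   = AppDisplayName;      // which application was accessed
// Directory changes (user, role, policy edits) initiated by the emergency accounts.
let Changes = AuditLogs
    | extend InitiatorId = tostring(InitiatedBy.user.id)
    | where InitiatorId in (BreakGlassAccounts)
    | project TimeGenerated,
              Account   = tostring(InitiatedBy.user.userPrincipalName),
              Activity  = OperationName,
              Result    = tostring(Result),
              IPAddress = tostring(InitiatedBy.user.ipAddress),
              Detail    = tostring(TargetResources[0].displayName);
SignIns
| union Changes
| order by TimeGenerated desc
```

Configure the alert rule to fire when this query returns at least one row so that any use of the accounts, including test use, produces an email or SMS to the admins.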