Implementing an Azure Break Glass Account for Enhanced Security


An Azure Break Glass account is a specialized account that allows for emergency access to Azure resources, enabling administrators to respond quickly to security incidents or system failures.

This account is designed to provide a secure and controlled way to access Azure resources, even when regular access methods are unavailable.

The Break Glass account is typically used for tasks such as resetting passwords, accessing locked-out accounts, or gaining emergency access to Azure resources.

It's essential to note that the Break Glass account should only be used in exceptional circumstances, as every use of it sidesteps the normal security controls of your Azure environment.

What is a Break-Glass Account

A break-glass account is a type of emergency access account used in a corporate organization's recovery plan. These accounts are privileged and should only be used when normal admin accounts can't sign in, such as issues with ADConnect sync or Conditional Access lock-out.

Break-glass accounts exist to recover from access problems such as locking yourself out with a Conditional Access policy, a service outage, or a federation services failure. They are MFA-protected, which makes it all the more important to protect them and to monitor every sign-in event.


Emergency access accounts should not be associated with any individual user in the organization, and should not be connected with employee-supplied mobile phones, hardware tokens, or other employee-specific credentials. This ensures that if an individual employee is unreachable, the credential can still be used.

A break-glass account should be a cloud-only account using the *.onmicrosoft.com domain and not federated or synchronized from an on-premises environment. This helps prevent issues with access and ensures that the account can be used in emergency situations.

Here are some examples of when to use a break-glass account:

  • If your ADFS environment is down and employees can't log in
  • When Azure Multi-factor authentication service is down
  • If there's an issue accessing your environment due to Azure AD Conditional Access policy
  • In the event of an unforeseen natural disaster

These accounts are extremely privileged, so their access data should be stored in a secure place, such as a locked safe. They are not covered by Conditional Access policies, so anyone holding the correct credentials can sign in with them.

Setting Up a Break Glass Account

To set up a break glass account, create a new user in Azure Active Directory (AAD) with a unique and recognizable name. This account should be kept strictly confidential and excluded from all built-in access control policies, since you'll only use it in exceptional cases.


Your break glass account should be excluded from all services, including federation services, to ensure it remains isolated and secure. It's also essential to use a cloud-only account with the *.onmicrosoft.com domain, rather than a federated or synchronized account from an on-premises environment.

To create the account, go to the Azure Portal and navigate to Azure Active Directory > Users. Create a new user with a username in the format @yourdomain.onmicrosoft.com, and assign the Global Administrator Role to it. Make sure to copy the new user name and password to a safe location, as you'll need them later.

Here's a step-by-step guide to creating a break glass account:

  1. Create a new user in Azure Active Directory with a unique name.
  2. Assign the Global Administrator Role to the new user.
  3. Copy the new user name and password to a safe location.
  4. Exclude the break glass account from all services and federation services.
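The requirements in the steps above (a cloud-only *.onmicrosoft.com account, Global Administrator assigned, not tied to an individual, excluded from Conditional Access) can be checked mechanically. The following is an added example, not code from the article: it audits constructed account and policy records shaped like Microsoft Graph user and Conditional Access objects, where the field names and every Object ID are assumptions or placeholders, and it contacts no tenant.

```python
"""Audit a candidate break glass account against the setup requirements.

Added example, not from the article. Records are constructed inline in the
shape of Microsoft Graph user / Conditional Access objects; the field names
used here and every Object ID are assumptions or placeholders.
"""

def audit_break_glass(account, ca_policies):
    """Return a list of findings; an empty list means the account complies."""
    findings = []
    domain = account.get("userPrincipalName", "").rpartition("@")[2].lower()
    # Cloud-only: an *.onmicrosoft.com UPN that is never synced from on-prem AD.
    if not domain.endswith(".onmicrosoft.com"):
        findings.append(f"UPN domain {domain!r} is not an *.onmicrosoft.com domain")
    if account.get("onPremisesSyncEnabled"):
        findings.append("account is synchronised from on-premises AD; must be cloud-only")
    # Global Administrator is required so the account can act in an emergency.
    if "Global Administrator" not in account.get("directoryRoles", []):
        findings.append("Global Administrator role is not assigned")
    # Must not be tied to an individual employee or their phone.
    if account.get("mobilePhone"):
        findings.append("a mobile phone is registered on the account")
    # Excluded from every enabled Conditional Access policy (disabled ones are skipped).
    for policy in ca_policies:
        if policy.get("state") != "enabled":
            continue
        if account["id"] not in policy["conditions"]["users"].get("excludeUsers", []):
            findings.append(f"not excluded from enabled policy {policy['displayName']!r}")
    return findings

# Constructed sample data (placeholders, not real tenant values).
CA_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"excludeUsers": ["BREAK-GLASS-OBJECT-ID-1"]}}},
    {"displayName": "Old block policy", "state": "disabled",
     "conditions": {"users": {"excludeUsers": []}}},
]
GOOD_ACCOUNT = {"id": "BREAK-GLASS-OBJECT-ID-1",
                "userPrincipalName": "bg-emergency1@contoso.onmicrosoft.com",
                "onPremisesSyncEnabled": False, "mobilePhone": None,
                "directoryRoles": ["Global Administrator"]}
BAD_ACCOUNT = {"id": "SYNCED-ADMIN-OBJECT-ID",
               "userPrincipalName": "admin@contoso.com",
               "onPremisesSyncEnabled": True, "mobilePhone": "+1 555 0100",
               "directoryRoles": ["User Administrator"]}

if __name__ == "__main__":
    for name, acct in (("good", GOOD_ACCOUNT), ("bad", BAD_ACCOUNT)):
        print(name, audit_break_glass(acct, CA_POLICIES) or ["OK"])
```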

Prerequisites

To set up a Break Glass Account, you'll need to meet some prerequisites. Microsoft Sentinel is required for monitoring the account, so make sure it's in place.

You'll also need to connect the Azure Active Directory connector. This is a crucial step, as it is what brings Azure AD sign-in data into Sentinel.


An emergency account must be configured beforehand. This will serve as the foundation for your Break Glass Account.

You'll need the Break-glass account Object ID, which will be used to monitor the account.

To summarize, here are the prerequisites you'll need to meet:

  • Microsoft Sentinel
  • Connect Azure Active Directory connector
  • Emergency account configured
  • Break-glass account Object ID
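The Object ID is what the monitoring keys on: any sign-in event for it, successful or failed, should raise an alert. The following is an added example, not code from the article; it runs that detection logic over constructed records in the shape of Sentinel SigninLogs rows (where UserId is the account's Object ID), with placeholder Object IDs and a constructed log sample.

```python
"""Detect any sign-in event for the break glass accounts by Object ID.

Added example, not part of the article. The rows below are constructed in the
shape of Microsoft Sentinel SigninLogs records; the Object IDs are placeholders.
"""
import json

# Placeholder Object IDs of the two break glass accounts (substitute your own).
BREAK_GLASS_OBJECT_IDS = {"BREAK-GLASS-OBJECT-ID-1", "BREAK-GLASS-OBJECT-ID-2"}

# Constructed SigninLogs-style rows, one JSON object per line.
SAMPLE_SIGNIN_LOGS = """\
{"TimeGenerated": "2024-05-01T08:00:01Z", "UserId": "EMPLOYEE-OBJECT-ID-7", "UserPrincipalName": "alice@contoso.com", "ResultType": "0", "IPAddress": "203.0.113.10", "AppDisplayName": "Office 365"}
{"TimeGenerated": "2024-05-01T08:02:13Z", "UserId": "BREAK-GLASS-OBJECT-ID-1", "UserPrincipalName": "bg-emergency1@contoso.onmicrosoft.com", "ResultType": "0", "IPAddress": "198.51.100.5", "AppDisplayName": "Azure Portal"}
{"TimeGenerated": "2024-05-01T08:02:40Z", "UserId": "BREAK-GLASS-OBJECT-ID-2", "UserPrincipalName": "bg-emergency2@contoso.onmicrosoft.com", "ResultType": "50126", "IPAddress": "192.0.2.77", "AppDisplayName": "Azure Portal"}
"""

def detect_break_glass_signins(log_text, watched_ids=BREAK_GLASS_OBJECT_IDS):
    """Return one alert per sign-in row whose UserId is a break glass account.

    Every event counts, successful or not: a failed sign-in against an account
    nobody should be using is as worth investigating as a successful one.
    The equivalent Sentinel query is: SigninLogs | where UserId in ("<id-1>", "<id-2>")
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        if row.get("UserId") not in watched_ids:
            continue
        result = row.get("ResultType")
        alerts.append({
            "time": row["TimeGenerated"],
            "account": row["UserPrincipalName"],
            "ip": row["IPAddress"],
            "app": row.get("AppDisplayName"),
            "outcome": "success" if result == "0" else f"failure ({result})",
            "severity": "High",  # any use of a break glass account is high severity
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_break_glass_signins(SAMPLE_SIGNIN_LOGS):
        print(alert)
```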

User Option

To set up a Break Glass Account, you'll need to create a user option in Azure AD. This account should have a strong password of at least 16 characters that is as complex as possible, including upper- and lower-case letters, numbers, and special characters.

You can use the Azure Portal to create a new user, and make sure to use @.onmicrosoft.com as the Username. This is a crucial step, as it will help you distinguish this account from others in Azure AD.

When creating the account, be sure to name it something recognizable, such as Emergency Access Account or Break Glass Account. This will make it easier to identify the account in Azure AD.


You should also assign the GlobalAdmin role to your account, so it has all the privileges needed to help you in emergencies.

Here are the key steps to create a user option for your Break Glass Account:

  • Create a new user in Azure AD with @.onmicrosoft.com as the Username.
  • Name the account something recognizable, such as Emergency Access Account or Break Glass Account.
  • Assign the GlobalAdmin role to the account.

Security Features

Azure Break Glass Account offers robust security features to safeguard your sensitive information. This includes multi-factor authentication, which requires both a password and a separate verification method, such as a code sent to your phone.

This adds an extra layer of protection against unauthorized access. Azure Break Glass Account also includes encryption, which scrambles your data so it can't be read by anyone without the decryption key.

The account's secure token service ensures that all connections are encrypted, reducing the risk of data interception.

Allow Fido2 and Temporary Access

To allow FIDO2 and Temporary Access Pass, head over to the Azure Portal and configure authentication policies to enable both FIDO and Temporary Access Pass for a newly created security group.


Create a new security group and add both break-glass accounts to it for better management.

Enable both FIDO and Temporary Access Pass for the newly created group in the authentication policies blade.

This step is crucial for allowing the use of FIDO keys and Temporary Access Pass for break-glass accounts.

By following these steps, you'll be able to create a new Temporary Access Pass for your break-glass accounts in the next step.

Break Glass Accounts and Security Defaults

A break glass account is an emergency access account used when normal admin accounts can't sign in due to issues like ADConnect sync or Conditional Access lock-out.

These accounts are privileged and should only be used in exceptional cases, such as when the ADFS environment is down, or Azure Multi-factor authentication service is unavailable.

Break glass accounts have MFA protection and should be excluded from all built-in access control policies to prevent accidental usage.

It's essential to create a new security group and add both break-glass accounts to the new group for better management.


Temporary Access Pass can be used in conjunction with break glass accounts, allowing for secure and temporary access to critical systems.

The temporary access pass should be captured for the next step in the process.

Here are some examples of high-risk situations where a break glass account should be used:

  • ADFS environment is down and employees cannot log in.
  • Azure Multi-factor authentication service is down or devices are no longer available.
  • Issue accessing the environment due to Conditional Access policy restrictions.
  • Unforeseen natural disaster.

It's crucial to store the access data in a secure place and to limit how long any password remains valid, so that the account is used only when genuinely necessary.

Frequently Asked Questions

How many break glass accounts should you have?

Create two break glass accounts to avoid locking yourself out of your Microsoft account, with one of them excluded from Conditional Access policies. This setup provides a secure backup option for emergency access.

Thomas Goodwin

Lead Writer
