Go passswordless in break the glass account

Published by Mika Vilpo on

TL;DR; Easiest way to really secure your Break the Glass account is use FIDO2 security key and store the key in the physical safe.

Having way to login to Azure AD management plane after configuration mistake or during technical hiccup is something that every organization should address and plan. Creating account that can be used during emergency can save your day in the future.

Currently most of you creates account with long and complex password that is placed in safe, maybe even in two parts, and that account is excluded from all security controls namely Conditional Access Policies. Excluding from policies is needed as there might be configuration mistake or technical problem in enforced MFA method. Not enforcing MFA could potentially create security issue although use of this account creates alert – right?

FIDO2 Security key to rescue!

Why to use FIDO2 security key for authentication for break the glass accounts:

  • It has native two factor authentication (2FA): You need to have the key and know the PIN.
  • As native 2FA, can be bypassed on all Conditional Access rules and still have more security than just using username and password.
  • Can be placed in real life safe. Other 2FA methods are harder to store in safe. PIN can be stored in other location if needed.
  • Same account can have multiple keys placed in different locations.

When FIDO2 security keys are in use, you should create very long and complex password for that account and forgot that instantly, as there is no way to remove password from account – yet. Plan also key rotation, that could even be automatically happening and no human should know that.

Remember also to create alerting rules when break the glass account is used as it should be normally used. This is commonly forgotten.

More information about planning and managing emergency access can be found from: Manage emergency access admin accounts – Azure AD | Microsoft Docs and more information about going passwordless can be found from my previous blog: https://bloggerz.cloud/2021/10/25/life-without-passwords/

Categories: Azure ADConditional AccessEnterprise Mobility + SecurityMicrosoft 365 SecurityMulti-factor authenticationPrivileged Identity ManagementSecurity
Tags:

Mika Vilpo

I started my current employment as an Identity and Access Management Consultant building challenging automated solutions and have recently shifted more to public cloud as there the future of identity and automation lies. I have seen Office 365 evolve from Live@Edu to current strengths and love to see how to story evolves. Currently I am building customers' architecture and solutions based on Microsoft Azure PaaS and IaaS.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

Azure AD

Life without passwords

Best way to prevent password leaks is to go passwordless Social engineering and technical tweaks compromise credentials every day. There have been methods to overcome these problems but they were too complicated for larger adoption Read more…

Azure AD

Protect all your cloud apps with Azure AD and Cloud App Security

I had a session about protecting all your cloud applications with Azure AD and Cloud App Security from unmanaged devices in Nordic Virtual Summit 2021 on 10.2.2021. I wrote this article to carry out pretty Read more…

Azure AD

Azure AD Privileged Identity Management bulk updates with PowerShell

What is Azure AD Privileged Identity Management? I’m not going into the basics of PIM but you can read it from Microsoft Docs. I strongly recommend to spend the extra budget and effort and deploy Read more…