how to exempt break glass account from AAD free when default security is turned on?

Question

how to exempt break glass account from AAD free when default security is turned on?

Betty Stolwyk 70

We have the free Azure AD license. We received the notification that default Security will be turned on in about 10 days. From what I understand that forces MFA for ALL users. We have, however, the recommended break glass emergency account which should be exempt from MFA. Is there a way to do that without using conditional access (which we do not have.)

Accepted answer

1 additional answer

Your answer

Answer 1

Givary-MSFT 35,456 Microsoft Employee

@Betty Stolwyk Thank you for reaching out to us, As I understand you want to exempt emergency access accounts (break glass) from MFA, researched on your requirement in order to exclude the break glass account from MFA only option we have is to exclude via Conditional access - https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#:~:text=Exclude%20at%20least%20one%20account%20from%20Conditional%20Access%20policies

Also, you might be aware conditional access comes with P1 or P2 license - https://www.microsoft.com/en-us/security/business/identity-access/azure-active-directory-pricing

However as @Dillon Silzer shared in his answer reference article - https://janbakker.tech/break-glass-accounts-and-azure-ad-security-defaults/ where they mentioned to use FIDO key to break glass account, but there is a limitation to it if accidentally someone deletes the FIDO2 key from the account without knowing, then we will have a challenge in accessing the Azure AD resources when we really need it.

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Givary-MSFT 35,456 Reputation points Microsoft Employee

2023-04-05T06:28:06.8+00:00

@Betty Stolwyk Thank you for your feedback regarding this, in your case (having Azure AD Free license) and want to leverage break-glass account setup you can disable security defaults which is not a recommended option as it helps protect your organization from identity-related attacks by having MFA for everyone. However I am checking with my team if we have any other approach to your issue, will keep you posted.
Betty Stolwyk 70 Reputation points

2023-04-06T03:21:31.3733333+00:00

@Givary-MSFT , Thank you for your response. We do have MFA turned on for all our users with the exception of our break glass account. I will probably go with disabling the security defaults since I don't really see another practical way of addressing this inherent conflict. I did appreciate @Dillon Silzer 's response below, but that too does not really address the intended use and need of the break glass account, which is intended to be free of sign-in dependencies since it's use will be under the circumstances of some major problem such as a lost device or something. So I do not want to have the break glass account dependent on a piece of hardware such as what would be required for the FIDO key. The single-factor authentication for a break glass account is recommended exactly for that reason, to be free of other dependencies. Thank you for checking with your team. Given all our other user accounts are already set up with MFA, I am relatively satisfied with just disabling security defaults though, thank you.

Answer 2

Dillon Silzer 57,686

Hello Betty,

Please refer to this guide for creating a break glass account for Azure AD with security defaults enabled:

Break glass accounts and Azure AD Security Defaults

https://janbakker.tech/break-glass-accounts-and-azure-ad-security-defaults/

Betty Stolwyk 70 Reputation points

2023-04-05T01:02:15.8366667+00:00

Dillon, Thank you for that article reference. That's the closest I've seen of an actual acknowledgement of the conflict of Security Defaults and break glass accounts. We are getting messages that Security Defaults will be turned on but with no information or guidance about what to do with our break glass accounts.

The article you referenced was very interesting, and would certainly be an option, but I was hoping for something that would still leave the break glass account usable with no external dependencies such as a piece of hardware. If I understand the FIDO security key, that will require a USB stick, correct? From what I understand, one of the properties of a break glass account is to not be dependent on external devices, given the assumption that the reason you may need the break glass account is because of some unforeseen problem scenario such as a lost device. I believe that was part of the reason it was recommended that the break glass account not require MFA to start with. I may be expecting too much, but I'm very surprised about them forcing MFA on, yet not even addressing the conflict that would arise with the recommended break glass account(s). However, I do appreciate the option at least, that you recommended!

Share via

how to exempt break glass account from AAD free when default security is turned on?

1 additional answer

Your answer