MFA required vs. break glass account

ChristopherHerms-9443 20 Reputation points
2024-09-09T14:24:30.8266667+00:00

Hello everyone!

We received an email notification for our tenant stating that MFA will be required for every user in our tenant from October 15, 2024 onward. That is no problem as all our users are already required to use MFA. Except one: our break glass account or emergency access account. What shall we do with this account as it is not supposed to have any connection to a person? Do you have any suggestions regarding this situation? Thank you in advance.

Best regards,

Christopher

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. TP 126.4K Reputation points Volunteer Moderator
    2024-09-09T14:29:10.15+00:00

    Hi Christopher,

    I recommend you set up your break glass account to use a FIDO2 key (e.g. YubiKey).

    Starting July 2024, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication (MFA) for all users. As already documented, use strong authentication for your emergency access accounts. We recommend updating these accounts to use FIDO2 or certificate-based authentication (when configured as MFA) instead of relying only on a long password. Both methods will satisfy the MFA requirements.

    https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access#exclude-at-least-one-account-from-conditional-access-policies

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


1 additional answer

  1. Alex Rourke 21 Reputation points
    2024-10-16T16:31:59.5933333+00:00

    The link below is to a postponement form for this new requirement. Importantly, it spells out exactly how this will work and provides links to tools to understand where you may have gaps in your environment:

    https://aka.ms/managemfaforazure

    It was not until we reviewed this that we fully understood exactly how this is going to work. Keep in mind the enforcement date is on or after 10/15/2024. As of this writing, I was still able to access the Azure and Entra admin portals using our break glass account authenticating with only a password, so this does not appear to be fully in effect for all tenants.

    You should carefully review the (now updated) Microsoft guidance on managing emergency access. It suggests both that at least one emergency access account should be excluded from all CA policies and that these policies will be overridden when accessing certain admin portals (MFA will be required). These two things don't necessarily contradict each other (you'll need MFA to access some admin portals, but your break glass account won't be dependent on your Conditional Access architecture), but I can understand why people are so confused by this.

    Here's how we've decided to handle this, for what it's worth:

    • Our break glass account is excluded from all MFA policies.
    • The account has a very long passphrase stored in separate parts and in secure locations per Microsoft's guidance.
    • We set up multiple FIDO2 keys, which are stored in secure locations. We will try to use these keys to log in to the break glass account and only fall back to the password if necessary.
    • We test both authentication methods for the account every 90 days.
    • We have Azure alerts set up to notify all admins via email and text message whenever the account is used.
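An added example, not code from either answer above: a Microsoft Graph PowerShell audit that checks the two configuration points both answers rely on, that the emergency access account has FIDO2 keys registered and that it is excluded from every enabled Conditional Access policy. It assumes the Microsoft.Graph module is installed and that `$BreakGlassUpn` is replaced with your own account (the value shown is a placeholder).

```powershell
# Audit a break glass account for FIDO2 registration and Conditional Access exclusion.
# Assumption: Microsoft.Graph module installed; UPN below is a placeholder, not a real account.
$BreakGlassUpn = 'breakglass@contoso.example'

Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All' -NoWelcome

$user = Get-MgUser -UserId $BreakGlassUpn -Property Id,UserPrincipalName
$findings = @()

# 1. FIDO2 keys: the accepted answer recommends a FIDO2 key, the second answer keeps
#    several keys in separate locations, so flag zero keys and also flag a single key.
$fido = @(Get-MgUserAuthenticationFido2Method -UserId $user.Id)
if ($fido.Count -eq 0) {
    $findings += 'No FIDO2 security key registered'
} elseif ($fido.Count -lt 2) {
    $findings += 'Only one FIDO2 key registered; consider a second key stored separately'
}

# 2. Conditional Access: the account should be excluded from every enabled policy.
#    Only direct user exclusions are checked here; group-based exclusions are not resolved.
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($p.State -ne 'enabled') { continue }
    $excluded = @($p.Conditions.Users.ExcludeUsers) -contains $user.Id
    if (-not $excluded) {
        $findings += "Not directly excluded from enabled CA policy '$($p.DisplayName)'"
    }
}

# 3. Report. Each finding maps to one of the configuration points discussed in the thread.
if ($findings.Count -eq 0) {
    Write-Output "OK: $($user.UserPrincipalName) has FIDO2 registered and is excluded from all enabled CA policies"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run this as part of the periodic test the second answer describes, since a policy added later without the exclusion is exactly the drift it catches.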
