Securing break glass account for access from multiple geographical locations?

EnterpriseArchitect 6,326 Reputation points
2024-10-18T14:08:19.78+00:00

2 answers

  1. Akhilesh Vallamkonda 15,350 Reputation points Moderator
    2024-11-08T08:32:01.5+00:00

    Hi @EnterpriseArchitect

    Thank you for reaching out to the Microsoft Q&A Forum!

    If you have a single account that multiple users need to access, the best course of action would be to create a group in Azure AD and add the users who need access to that group. Then, you can grant the group access to the necessary resources or applications. This way, you can manage access to the account more easily and ensure that only authorized users have access.

    To further secure the account, you can use Conditional Access to enforce multi-factor authentication (MFA) for all users accessing the account, and restrict access based on location, ensuring that only approved locations or IP addresses can access the account.

    Also, you can enable PIM to manage, control, and monitor access to important resources. PIM allows you to provide just-in-time privileged access and requires approval for role activation.

    For any Azure resources that require a service identity, use Azure managed identities. This helps in managing and securing service accounts.

    References:

    https://learn.microsoft.com/en-us/entra/architecture/secure-best-practices

    https://learn.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh.


    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.


  2. Abiola Akinbade 30,480 Reputation points Volunteer Moderator
    2024-10-19T23:50:24.5633333+00:00

    Hello EnterpriseArchitect

    Thanks for your question.

    The recommendation is to update these accounts to use a passkey (FIDO2) or to configure certificate-based authentication for MFA. Both methods satisfy the MFA requirement.

    This is documented in the planning section here: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication

    You can mark it 'Accept Answer' and 'Upvote' if this helped you.

    Regards,

    Abiola
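
Putting the two answers together (a group-scoped Conditional Access policy with a location restriction from the first, phishing-resistant passkey/certificate authentication from the second), the following is an added Microsoft Graph PowerShell example; it is not code from either answer or from Microsoft. It assumes the Microsoft.Graph module, a group named BreakGlass-Operators holding the people allowed to use the account, and an approved-country list of US, GB and DE; both policies are created in report-only mode so the sign-in logs can be reviewed before enforcement.

```powershell
# Added example, not from the answers above. Assumptions: the Microsoft.Graph module is
# installed, the caller holds the scopes below, and a group "BreakGlass-Operators"
# (assumed name) holds the people allowed to use the break-glass account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Group.Read.All"

$graph             = "https://graph.microsoft.com/v1.0"
$groupName         = "BreakGlass-Operators"   # assumed group name
$approvedCountries = @("US","GB","DE")        # assumed: countries the operators work from

$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found" }

# 1. Named location covering every approved country. Unknown countries are NOT included,
#    so a sign-in whose country cannot be resolved counts as outside the list.
$location = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/namedLocations" -Body @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Break-glass approved countries"
    countriesAndRegions               = $approvedCountries
    includeUnknownCountriesAndRegions = $false
}

# 2. Built-in "Phishing-resistant MFA" strength (passkey/FIDO2, certificate-based auth,
#    Windows Hello for Business), looked up by name rather than a hard-coded id.
$strength = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/authenticationStrengthPolicies").value |
            Where-Object { $_.displayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Phishing-resistant MFA authentication strength not found" }

# Conditions shared by both policies: only the break-glass group, every app, every client type.
$users = @{ includeGroups = @($group.Id) }
$apps  = @{ includeApplications = @("All") }

# 3a. Block the group everywhere EXCEPT the approved countries.
$block = @{
    displayName   = "Break-glass: block outside approved countries"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions    = @{
        users = $users; applications = $apps; clientAppTypes = @("all")
        locations = @{ includeLocations = @("All"); excludeLocations = @($location.id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
# 3b. Inside the approved countries, grant only with phishing-resistant MFA.
$grant = @{
    displayName   = "Break-glass: require phishing-resistant MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{ users = $users; applications = $apps; clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $strength.id } }
}
foreach ($policy in @($block, $grant)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $policy
    "Created '$($created.displayName)' in state $($created.state)"
}
```

Review the report-only sign-in results before switching either policy to "enabled": a policy that blocks the emergency account itself is exactly the lockout it is meant to prevent, so keep at least one emergency access account excluded from every blocking policy.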

