Manage emergency access accounts in Azure Active Directory B2C
It's important that you prevent being accidentally locked out of your Azure Active Directory B2C (Azure AD B2C) organization because you can't sign in or activate another user's account as an administrator. You can mitigate the impact of accidental lack of administrative access by creating two or more emergency access accounts in your organization.
When you configure these accounts, the following requirements need to be met:
The emergency access accounts shouldn't be associated with any individual user in the organization. Make sure that your accounts aren't connected with any employee-supplied mobile phones, hardware tokens that travel with individual employees, or other employee-specific credentials. This precaution covers instances where an individual employee is unreachable when the credential is needed. It's important to ensure that any registered devices are kept in a known, secure location that has multiple means of communicating with Azure AD B2C.
Use strong authentication for your emergency access accounts and make sure it doesn’t use the same authentication methods as your other administrative accounts.
The device or credential must not expire or be in scope of automated cleanup due to lack of use.
- If you haven't already created your own Azure AD B2C Tenant, create one now. You can use an existing Azure AD B2C tenant.
- Understand user accounts in Azure AD B2C.
- Understand user roles to control resource access.
- Understand Conditional Access
Create emergency access account
Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the .onmicrosoft.com domain and that aren't federated or synchronized from an on-premises environment.
Use the following steps to create an emergency access account:
Sign in to the Azure portal as an existing Global Administrator. If you use your Microsoft Entra account, make sure you're using the directory that contains your Azure AD B2C tenant:
Select the Directories + subscriptions icon in the portal toolbar.
On the Portal settings | Directories + subscriptions page, find your Azure AD B2C directory in the Directory name list, and then select Switch.
Under Azure services, select Azure AD B2C. Or in the Azure portal, search for and select Azure AD B2C.
In the left menu, under Manage, select Users.
Select + New user.
Select Create user.
For User name, enter a unique user name such as emergency account.
For Name, enter a name such as Emergency Account
Under Password, enter your unique password.
Under Groups and roles
In the pane that shows up, search for and select Global administrator, and then select Select button.
Under Settings, select the appropriate Usage location.
Once you create your emergency accounts, you need to do the following:
If you use Conditional Access, at least one emergency access account needs to be excluded from all conditional access policies.