Multifactor authentication(MFA) and break the glass account

Multifactor authentication is a hot topic. And so is the increase in securing organization accounts.

Microsoft are providing the ability to utilize SMS, email, phone call or app authentication as a second factor in secure logins.

Follow this link to how to “Set up multi-factor authentication”:
https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
 
But what do you do if these services are not available? It could be a telecom outage where you do not have a signal to receive phone call or SMS. Or it could be that the Microsoft 365(and Azure) platform have degraded service so that you cannot use email or app authentication.

And you need to login to do some changes. Now. Immediately. Asap.

This is where break the glass (BTG) accounts come into place. Microsoft recommends having at least one emergency account. This account should not be personal and must be excluded from MFA.

It should have a complex password, and the usage must be extra monitored.

Microsoft have created a good guide for this: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access#monitor-sign-in-and-audit-logs


This account must also be excluded from the MFA registration policy in Identity Protection:

The Identity Protection blade in the Azure Portal

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: