M365 Break Glass Accounts

🔒 Secure Bits 💡

Your tenant has a CA misconfiguration. Every admin is locked out. Do you have a way back in?

Most organizations don't — or think they do, until they discover their break-glass accounts are untested, unmonitored, or built on outdated guidance. You don't want to find that out the hard way, and you definitely don't want to go through Microsoft's Tenant Recovery process.

๐Ÿค” ๐—ช๐—ต๐˜† ๐—ฐ๐—ฎ๐—ฟ๐—ฒ?

A lockout from a bad CA policy, a compromised admin, or a personnel emergency means opening a support ticket with Microsoft and waiting. In urgent situations, you donโ€™t have 14 days for that process.

๐Ÿง  ๐—ช๐—ต๐—ฎ๐˜ ๐˜„๐—ฒ ๐˜€๐—ฒ๐—ฒ ๐—ถ๐—ป ๐˜๐—ต๐—ฒ ๐—ณ๐—ถ๐—ฒ๐—น๐—ฑ

โ€ข ๐—•๐—ฟ๐—ฒ๐—ฎ๐—ธ-๐—ด๐—น๐—ฎ๐˜€๐˜€ ๐—ฎ๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜๐˜€ ๐—ฎ๐—ฟ๐—ฒ ๐—บ๐—ถ๐˜€๐˜€๐—ถ๐—ป๐—ด โ€” Two geographically separated accounts is the baseline.

โ€ข ๐—š๐—ฒ๐—ป๐—ฒ๐—ฟ๐—ถ๐—ฐ ๐—ป๐—ฎ๐—บ๐—ฒ๐˜€ โ€” admin@โ€ฆ, info@โ€ฆ are not break-glass accounts.

โ€ข ๐—™๐˜‚๐—น๐—น ๐—–๐—” ๐—ฒ๐˜…๐—ฐ๐—น๐˜‚๐˜€๐—ถ๐—ผ๐—ป ๐—ถ๐˜€ ๐—ฑ๐—ฒ๐—ฎ๐—ฑ โ€” MFA is now enforced by Microsoft regardless.

โ€ข ๐—ช๐—ฒ๐—ฎ๐—ธ ๐—ฎ๐˜‚๐˜๐—ต ๐—บ๐—ฒ๐˜๐—ต๐—ผ๐—ฑ๐˜€ โ€” Phone or certificate-based auth will fail exactly when you need it.

โ€ข ๐—จ๐—ป๐—ฝ๐—ฟ๐—ผ๐˜๐—ฒ๐—ฐ๐˜๐—ฒ๐—ฑ ๐—ฎ๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜๐˜€ โ€” Any admin can edit or delete them.

โ€ข ๐—ก๐—ผ ๐—บ๐—ผ๐—ป๐—ถ๐˜๐—ผ๐—ฟ๐—ถ๐—ป๐—ด โ€” If someone touches these accounts, you should know immediately.

๐Ÿ› ๏ธ ๐—–๐—ฟ๐—ฒ๐—ฎ๐˜๐—ฒ ๐˜๐˜„๐—ผ ๐—ฎ๐—ฐ๐—ฐ๐—ผ๐˜‚๐—ป๐˜๐˜€

Use descriptive names on onmicrosoft[.]com with a random string โ€” e.g. BreakGlass_c3287ba1[@]org.onmicrosoft[.]com. Assign ๐—š๐—น๐—ผ๐—ฏ๐—ฎ๐—น ๐—”๐—ฑ๐—บ๐—ถ๐—ป๐—ถ๐˜€๐˜๐—ฟ๐—ฎ๐˜๐—ผ๐—ฟ as a direct, permanent, active role. No eligibility.

๐Ÿ› ๏ธ ๐—Ÿ๐—ผ๐—ฐ๐—ธ ๐˜๐—ต๐—ฒ๐—บ ๐—ฑ๐—ผ๐˜„๐—ป

Place both accounts and their group inside an ๐—ฅ๐— ๐—”๐—จ (requires Entra P1). Manage access via a custom PIM role โ€” max 1-hour activation, approval required, auth context enforced (requires Entra P2).

๐Ÿ› ๏ธ ๐—–๐—ผ๐—ป๐—ณ๐—ถ๐—ด๐˜‚๐—ฟ๐—ฒ ๐—ฎ๐˜‚๐˜๐—ต๐—ฒ๐—ป๐˜๐—ถ๐—ฐ๐—ฎ๐˜๐—ถ๐—ผ๐—ป

Scope a passkey profile to the break-glass group with specific AAGUIDs for your hardware keys (YubiKey, Token2). Enforce via a custom authentication strength in a dedicated CA policy. Exclude the group from all other CA policies โ€” run a What If to verify only your two break-glass policies apply.
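The three steps above (create, lock down, scope CA) drift silently: someone adds a new CA policy and forgets the exclusion, or a role assignment is converted to eligible. The following script is an added example, not code from the post or from the author's guide, that reads the current state through the Microsoft Graph PowerShell SDK and reports every deviation from the baseline described above. The second UPN, the group name 'SG-BreakGlass' and the policy names 'BG-Policy-1' / 'BG-Policy-2' are placeholders; only the first UPN comes from the post.

```powershell
<#
  Added example (not from the original post): audits the break-glass baseline with the
  Microsoft Graph PowerShell SDK. Read-only scopes; nothing is changed in the tenant.
  Placeholders you must replace: the second UPN, the group name and the two dedicated
  CA policy names. Modules: Microsoft.Graph.Authentication, Microsoft.Graph.Users,
  Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.Governance
#>
param(
    [string[]]$BreakGlassUpns = @(
        'BreakGlass_c3287ba1@org.onmicrosoft.com',   # from the post
        'BreakGlass_<random>@org.onmicrosoft.com'    # placeholder for the second account
    ),
    [string]$BreakGlassGroup = 'SG-BreakGlass',                      # assumed group name
    [string[]]$DedicatedPolicies = @('BG-Policy-1', 'BG-Policy-2')   # assumed CA policy names
)

# Global Administrator role template ID (identical in every tenant)
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','Policy.Read.All','RoleManagement.Read.Directory' -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Accounts exist, are enabled and hold Global Administrator as an active, tenant-wide assignment
$userIds = @()
foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled -ErrorAction SilentlyContinue
    if (-not $user) { $findings.Add("MISSING  account $upn does not exist"); continue }
    if (-not $user.AccountEnabled) { $findings.Add("DISABLED account $upn is disabled") }
    $userIds += $user.Id

    # Only active assignments are listed here; a PIM-eligible assignment that has not been
    # activated does not appear, which is exactly the 'no eligibility' rule from the post
    $ga = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All |
          Where-Object { $_.RoleDefinitionId -eq $GlobalAdminRoleId -and $_.DirectoryScopeId -eq '/' }
    if (-not $ga) { $findings.Add("NO-ROLE  $upn has no active tenant-wide Global Administrator assignment") }
}

# 2. The break-glass group contains exactly these accounts and nothing else
$groups = @(Get-MgGroup -Filter "displayName eq '$BreakGlassGroup'")
if ($groups.Count -ne 1) { throw "Expected exactly one group named '$BreakGlassGroup', found $($groups.Count)" }
$group = $groups[0]
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id)
foreach ($id in $userIds)   { if ($memberIds -notcontains $id) { $findings.Add("GROUP    account $id is not a member of $BreakGlassGroup") } }
foreach ($id in $memberIds) { if ($userIds   -notcontains $id) { $findings.Add("GROUP    unexpected member $id in $BreakGlassGroup") } }

# 3. CA scoping: the dedicated policies target the group; every other non-disabled policy excludes it
#    (report-only policies are checked too, since they become enforced with a single click)
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -eq 'disabled') { continue }
    $u = $p.Conditions.Users
    if ($DedicatedPolicies -contains $p.DisplayName) {
        if ($u.IncludeGroups -notcontains $group.Id) {
            $findings.Add("CA       dedicated policy '$($p.DisplayName)' does not include $BreakGlassGroup")
        }
        continue
    }
    # Group exclusion is the design; excluding both accounts individually is accepted as equivalent
    $groupExcluded = $u.ExcludeGroups -contains $group.Id
    $usersExcluded = ($userIds.Count -gt 0) -and (@($userIds | Where-Object { $u.ExcludeUsers -notcontains $_ }).Count -eq 0)
    if (-not ($groupExcluded -or $usersExcluded)) {
        $findings.Add("CA       policy '$($p.DisplayName)' [$($p.State)] does not exclude the break-glass group")
    }
}

if ($findings.Count -eq 0) { Write-Host 'OK: break-glass configuration matches the baseline' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

This is a static check of policy definitions, so it complements rather than replaces the What If evaluation mentioned above: What If resolves role-based and app-based targeting for a concrete sign-in, which a membership comparison cannot. Running both on the same cadence as the end-to-end test keeps the baseline honest between tests.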

๐Ÿ› ๏ธ ๐—ฆ๐—ฒ๐˜ ๐˜‚๐—ฝ ๐—ฎ๐—น๐—ฒ๐—ฟ๐˜๐—ถ๐—ป๐—ด

Stream AuditLogs and SignInLogs to a Log Analytics Workspace (requires Azure subscription). KQL alert rule on the break-glass Object IDs โ€” any event fires immediately.
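An alert rule is only as good as its query, and the natural moment to prove the query is the scheduled break-glass test: sign in with one account, then confirm the event shows up. The script below is an added example, not from the post or the author's guide, that runs such a query on demand with Az.OperationalInsights against the workspace that receives the two log streams. The workspace ID and the two object IDs are placeholders; the query body is the same one you would paste into a scheduled alert rule with a threshold of more than 0 results, matching the "any event fires immediately" rule above.

```powershell
<#
  Added example (not from the original post): runs the break-glass detection query on demand
  against the Log Analytics workspace that receives Entra AuditLogs and SignInLogs.
  Placeholders: workspace ID and the two break-glass object IDs.
  Modules: Az.Accounts, Az.OperationalInsights
#>
param(
    [string]$WorkspaceId = '<log-analytics-workspace-id>',                                  # placeholder
    [string[]]$BreakGlassObjectIds = @('<objectId-account-1>', '<objectId-account-2>'),    # placeholders
    [string]$Lookback = '1d'                                                               # KQL timespan literal
)

Connect-AzAccount | Out-Null

# Build the KQL list literal ["id1","id2"] from the parameter
$idList = ($BreakGlassObjectIds | ForEach-Object { '"' + $_ + '"' }) -join ','

$kql = @"
let breakGlass = dynamic([$idList]);
// Any sign-in BY a break-glass account, successful or not (a failed attempt is just as interesting)
let signins = SigninLogs
    | where TimeGenerated > ago($Lookback)
    | where UserId in (breakGlass)
    | project TimeGenerated, Source = "SignInLogs", Activity = "Sign-in",
              Actor = UserPrincipalName, Target = UserPrincipalName,
              Outcome = tostring(ResultType), Detail = ResultDescription,
              IPAddress, AppDisplayName;
// Any directory change made TO a break-glass account (password reset, role change, deletion, ...)
// or made BY one (the account being used after a sign-in)
let audits = AuditLogs
    | where TimeGenerated > ago($Lookback)
    | mv-expand TargetResources
    | where tostring(TargetResources.id) in (breakGlass)
         or tostring(InitiatedBy.user.id) in (breakGlass)
    | project TimeGenerated, Source = "AuditLogs", Activity = OperationName,
              Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName)),
              Target = tostring(TargetResources.userPrincipalName),
              Outcome = Result, Detail = tostring(TargetResources.modifiedProperties),
              IPAddress = tostring(InitiatedBy.user.ipAddress), AppDisplayName = "";
union signins, audits
| order by TimeGenerated desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = @($result.Results)

if ($rows.Count -eq 0) {
    Write-Host "No break-glass activity in the last $Lookback (an alert rule on this query would stay silent)"
} else {
    Write-Warning "$($rows.Count) break-glass event(s) in the last $Lookback:"
    $rows | Format-Table TimeGenerated, Source, Activity, Actor, Target, Outcome, IPAddress -AutoSize
}
```

Adding the break-glass group's object ID to the same list catches membership changes as well, since those audit events list the group as a target resource. Expect the rule to fire during every scheduled test; that is the point of the test, and the alert handling procedure should say who acknowledges it.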

๐Ÿ›ก๏ธ ๐—ฆ๐˜๐—ผ๐—ฟ๐—ฒ, ๐˜๐—ฒ๐˜€๐˜, ๐—ฑ๐—ผ๐—ฐ๐˜‚๐—บ๐—ฒ๐—ป๐˜

Each passkey + PIN in a separate physical location. Define who can trigger the procedure and under what circumstances. Test end-to-end at minimum every 180 days โ€” Microsoft recommends 90. Pick your cadence, but validate.

💬 When was the last time you tested these accounts?

Author: Martin Strnad

PS: Full guide is here: https://academy.horizon-secured.com/p/m365-security-guides