Conditional Access restrictions on break glass accounts
Posted by Fabulous_Cow_4714@reddit | sysadmin | 58 comments
You generally should exclude break glass accounts from conditional access policies, but you need some to prevent someone discovering the password and then registering a rogue device for MFA.
Shouldn’t you have some restrictions such as strictly requiring phishing resistant MFA for login and having location restrictions for registering new authentication methods?
packetssniffer@reddit
Y'all have break glass accounts?
The CEO/owner is the only global admin at the circus I work at.
His computer and laptop are also not managed by Intune like everyone else's in the company.
Yet he's always paranoid someone will leak important files.
apple_tech_admin@reddit
That sounds extremely suspicious.
LRS_David@reddit
Could but. But many people don't know how to trust others but consider themselves totally safe. In their own minds.
garbageadmin@reddit
Here ya go: https://www.chanceofsecurity.com/post/break-glass-accounts-done-right-securing-emergency-access-in-microsoft-entra
Tr1pline@reddit
Passkey is phishing resistant. I think disabling legacy login options will make all modern MFA options phishing resistant. You can set up two-person integrity: someone knows the password, someone else has the device, so MFA is shared and requires two people to log in.
Asleep_Spray274@reddit
Passwords should be 128 chars long.
Registered with FIDO keys, those FIDO keys in 2 different places and kept separate from the PIN numbers for the keys. Procedures on paper on how and when to use them.
Excluded from all CA policies.
Monitoring in place to alert on both failed and successful logon, with procedures in place to react to either. Failed are informational only; on success there is a reaction if there was no pre-warning for the account to be logged onto, with escalation paths and reset procedures in place.
Tests done at least every 6 months.
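The monitoring rule in the post above (failed sign-in is informational, unannounced successful sign-in escalates), as an added example that is not from the thread. It runs over constructed Entra sign-in log records in the shape of the Graph signIn resource; the UPNs, IPs, timestamps and change window are all made up for the example.

```python
# Added example (not from the thread): triage Entra sign-in records for the
# break-glass accounts. A failed sign-in is informational; a successful one
# is an alert unless it falls inside a pre-announced change window.
# Record shape follows the Graph signIn resource; every value is constructed.
from datetime import datetime, timezone

BREAK_GLASS_UPNS = {"bg-admin1@contoso.example", "bg-admin2@contoso.example"}

# Constructed pre-announced use windows: UPN -> (start, end) in UTC.
CHANGE_WINDOWS = {
    "bg-admin2@contoso.example": (
        datetime(2024, 5, 4, 8, 0, tzinfo=timezone.utc),
        datetime(2024, 5, 4, 10, 0, tzinfo=timezone.utc)),
}

SAMPLE_SIGNINS = [  # constructed log records; errorCode 0 means success
    {"userPrincipalName": "bg-admin1@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-05-04T09:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bg-admin1@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-05-04T09:10:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bg-admin2@contoso.example", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-05-04T09:20:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.8",
     "createdDateTime": "2024-05-04T09:21:00Z", "status": {"errorCode": 0}},
]

def parse_time(stamp):
    """Graph emits ISO 8601 with a trailing Z; make it timezone-aware."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def classify(record):
    """Return 'ignore', 'info', 'expected' or 'alert' for one sign-in record."""
    upn = record["userPrincipalName"]
    if upn not in BREAK_GLASS_UPNS:
        return "ignore"
    if record["status"]["errorCode"] != 0:
        return "info"        # failed attempt: log only, no paging
    window = CHANGE_WINDOWS.get(upn)
    when = parse_time(record["createdDateTime"])
    if window and window[0] <= when <= window[1]:
        return "expected"    # announced use: record it, no escalation
    return "alert"           # unannounced success: escalate, then reset

def triage(records):
    """Map each break-glass record to its verdict, keyed by UPN and time."""
    return {f"{r['userPrincipalName']}@{r['createdDateTime']}": classify(r)
            for r in records if classify(r) != "ignore"}
```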
hasthisusernamegone@reddit
That's not a password, that's a passessay.
At that point you're not relying on people typing it, they'll paste it into notepad for convenience.
Asleep_Spray274@reddit
No, they won't use it as they should be using the fido key. These are break glass accounts. Emergency accounts. Not daily access accounts. Only to be used when shit hits the fan and you are locked out of the tenant. The password should not be known to anyone
StarSlayerX@reddit
For our break glass account MFA is enrolled. The MFA device is in the server room, locked in a fireproof safe that only our director has the key to.
WantDebianThanks@reddit
Putting it in a bank safe deposit box is another route
DrDuckling951@reddit
Imagine you need the break glass but have to wait until Monday to access it.
tejanaqkilica@reddit
The only reason to wait until Monday, would be because the bank is closed over the weekend. Which is also fine, because I don't work on weekends anyway. So, Monday is perfectly fine.
damik@reddit
Monday is a holiday though.
Aegisnir@reddit
Oh fuck that. My dad trusted his bank with his safety deposit box and they emptied it and sold the contents at auction without notice because they made a clerical error. Going through the legal process is a pain but don’t rely on someone else. This was a massive national bank, not a local nobody.
_araqiel@reddit
Most bank deposit boxes I know of require two keys - one of which the bank doesn’t have. They’d have to go through a lot of annoyance to do that for such a box.
Aegisnir@reddit
Yeah, they drilled the locks out, emptied the contents, sent it to their HQ, and then they destroyed what they couldn't sell and auctioned the rest. We had gold and expensive artworks in there. Auctioned for far less than it was worth. Point is, don't trust critical stuff like that with someone who doesn't give a fuck about it. If you are going to store an MFA key in a safety deposit box, keep another working MFA key somewhere else that you are responsible for, just in case. 3,2,1 backups but for account access :)
iama_bad_person@reddit
We have three YubiKeys. One at work in the finance safe, one at my house in my gun safe, and another at my boss's house in his gun safe.
rybl@reddit
Is there a risk that a goofy Conditional Access policy could still lock that out? Like could someone create a policy that requires SMS or something similar that could lock out the break glass account?
iama_bad_person@reddit
Someone could create a policy to lock everyone out, every single account, there is no way around this if someone dumb enough to do that does it.
Ok-Double-7982@reddit
Well then...lol
j5kDM3akVnhv@reddit
Are they all synced to each other to show the same info across the board? How does that work?
Manitcor@reddit
All keys are added.
Though you could do a 2-of-3 thing with a cryptographic lock on the TOTP or other factor. Would likely want to air-gap doing that or use an HSM.
maxxpc@reddit
Can you not have multiple Authenticators associated with a single account?
whetu@reddit
As tiresome as "this is the way" posts can be, this may be one of the very few, if not the very first time I will say it.
This is the way.
absurdamerica@reddit
You put your break glass accounts in a literal safe? You don’t know what break glass means do you?
Helpjuice@reddit
There should be more than one person that has access, what if they are unavailable and you need to break glass?
drunkcowofdeath@reddit
One person is not enough.
heisenbergerwcheese@reddit
So if anyone did use it, you know who
burundilapp@reddit
We use a FIDO key for the break glass accounts, it apparently uses a separate auth mechanism to MFA and so should still operate even if the MFA system is down.
jeeaves@reddit
Eh, MFA FIDO2 key locked in a safe, ain't that the baseline nowadays?
Fabulous_Cow_4714@reddit (OP)
There is a password regardless. You can't turn off the password even after enabling FIDO2 unless you add a conditional access authentication strength policy preventing password use and preventing SMS MFA etc.
man__i__love__frogs@reddit
Set the password to 128 characters and never write it down.
omn1p073n7@reddit
Or, hear me out, write it down but store it in an air gapped clean room with laser beam trip alarms.
zantehood@reddit
My breakglass accounts can only logon from certain locations.
Fabulous_Cow_4714@reddit (OP)
Then what happens in a disaster and you need to login from a new location because your known WAN IPs are down?
zantehood@reddit
We have an MPLS network. The allowed locations are basically our DC and DR network. You'd have to go onsite if shit breaks, yes.
mkosmo@reddit
It's not very glass-break if the MPLS is still glass. Especially if there are any dependencies that would impact your network config (e.g., network automation, tacacs, etc.).
zantehood@reddit
Well if the MPLS breaks down we're dead anyway
man__i__love__frogs@reddit
Being able to log in to your email, Teams, etc. when it is broken is still beneficial.
Besides that doesn't follow any official best practice recommendation for break glass accounts.
matt5on@reddit
That means you have configured a CA policy for it. What happens when Microsoft gets an outage and the CA policy might be corrupt? That's why you wanna exclude it, not only for misconfiguration.
zantehood@reddit
Nope. They are on-prem and don't rely on microslop.
teriaavibes@reddit
Not possible, break the glass accounts are required to have an MFA.
Of course, break the glass without MFA is useless.
Nope, zero login restrictions for break the glass accounts.
jackalsclaw@reddit
>Nope, zero login restrictions for break the glass accounts.
What about blocking login based IP geolocation?
patmorgan235@reddit
And if Microsoft's geolocation breaks (which has happened before) and you can't log in?
40513786934@reddit
This, and all kinds of alarms that go off if the break glass account is actually used.
Motor-Marzipan6969@reddit
Our break glass accounts are excluded from every CA policy except the one that requires passkey authentication. I believe this is the current recommendation from MS.
Fabulous_Cow_4714@reddit (OP)
I could not find anything from Microsoft saying to enable a conditional access policy to require passkeys on break glass accounts.
They recommended using passkeys, but I didn’t see where they say enforce it with a conditional access policy.
TheCookieMonsterYum@reddit
You can add a trusted IP address for the break glass account so it doesn't require MFA.
JohnRoads88@reddit
This could be a fatal flaw. You could end up without your access to your trusted IP. If your ISP is down, you can't do anything.
TheCookieMonsterYum@reddit
You can have multiple trusted IP addresses, if you have a backup line. If you need the break glass account and your ISP is down, I'd just give up lol, that would be pretty crap.
But MFA would still work, as long as you stored the passkey on a device which is accessible.
valar12@reddit
Don’t do this.
Elensea@reddit
I required a phishing-resistant method in the CA policy. I didn't like the idea of not having any CA policy applied to the break glass account.
Master-IT-All@reddit
Your logical position is not correct for start. Your conclusion that all accounts need MFA is the start.
Microsoft recommends 2 break glass accounts with separate phishing resistant MFA (FIDO2) that are excluded from all conditional access policies except for the one policy which is scoped only to those accounts.
I recently started a post in the MSP reddit asking about how other MSPs handle this. Some good information in there. https://www.reddit.com/r/msp/comments/1stxoxh/m365_break_glass_what_did_you_do_with_fido2_one/
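A check for the layout described in the post above (break glass accounts excluded from every CA policy except one dedicated policy scoped only to them that requires phishing-resistant MFA), as an added example that is not from the thread. It works on policy objects in the shape of the Graph conditionalAccessPolicy resource; the policies and account object IDs below are constructed, and it assumes the dedicated policy uses the built-in "Phishing-resistant MFA" authentication strength and that break glass accounts are listed as users, not via a group.

```python
# Added example (not from the thread): audit exported Conditional Access
# policies for a break-glass exclusion gap. Shape follows the Graph
# conditionalAccessPolicy resource; all IDs and policies are constructed.
BREAK_GLASS = {"bg-user-1", "bg-user-2"}          # constructed object IDs
PHISHING_RESISTANT = "Phishing-resistant MFA"     # built-in strength name

SAMPLE_POLICIES = [  # constructed export; note the gap in the second policy
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-user-1", "bg-user-2"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["bg-user-1"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Break glass: phishing-resistant", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["bg-user-1", "bg-user-2"],
                              "excludeUsers": []}},
     "grantControls": {"authenticationStrength":
                       {"displayName": PHISHING_RESISTANT}}},
]

def is_dedicated_policy(policy):
    """True if the policy targets exactly the break-glass accounts and
    grants only on the phishing-resistant authentication strength."""
    users = policy["conditions"]["users"]
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return (set(users.get("includeUsers", [])) == BREAK_GLASS
            and strength.get("displayName") == PHISHING_RESISTANT)

def has_dedicated_policy(policies):
    return any(p.get("state") == "enabled" and is_dedicated_policy(p)
               for p in policies)

def audit(policies):
    """Return (policy name, missing account IDs) for every policy that could
    apply to a break-glass account without being the dedicated one.
    Report-only policies are flagged too, since they can be switched on;
    group-based inclusion is not resolved here (assumption)."""
    findings = []
    for p in policies:
        if p.get("state") == "disabled" or is_dedicated_policy(p):
            continue
        excluded = set(p["conditions"]["users"].get("excludeUsers", []))
        missing = BREAK_GLASS - excluded
        if missing:
            findings.append((p["displayName"], sorted(missing)))
    return findings
```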
valar12@reddit
We give access only to legal counsel with strict authorization requirements.
TheCyberThor@reddit
Yes - the idea is to remove as many dependencies to Microsoft as possible.
Current best practice is a physical key like a YubiKey to remove the dependency on Microsoft Authenticator. You can safely exclude from conditional access as MS mandates MFA on admin portals.
For registering new auth methods, you should apply what you have for other users. If there is nothing, trusted locations and devices are fair. You wouldn’t be registering MFA in a break glass situation.
Another thing to do is to set up alerts when the account is logged into for immediate investigation.
Toreando47@reddit
We have the creds saved in a separate password manager from our usual one, and the backup keys kept in yet another password manager that only the CEO and CTO know about.
what_dat_ninja@reddit
Get a safe, put credentials and MFA in safe.
Few-Pressure9581@reddit
The idea of break glass is for when Microsoft Conditional Access goes down.