When implementing broader security controls in Azure Active Directory, it is a best practice to create an “emergency access” or “break the glass” account that is not subject to those controls. The account exists to remediate problems with those very controls. If Azure MFA is broken, for instance, a privileged account that is not subject to an MFA requirement would be needed to turn off the MFA requirement temporarily. The account should have a strong password and only ever be used for two purposes:
- Verify that access still works and update the password
- Remediate emergency incidents
In order to know that the account has not been used inappropriately, any use of it should raise an alert. Without getting into Azure-specific logging and alerting (since usage may be limited to Microsoft 365 activities), this can be accomplished through the Security & Compliance Center, or just the Security Center, depending on the tenant's update level.
Prepare to get lost, repeatedly, without these steps.
Navigate to: https://protection.office.com/managealerts
If you want to reach this through the portal, click:
- Alert Policies
- Then click the “Activity alerts” link in the introduction paragraph text.
After reaching the “Activity alerts” page, click “New alert policy”.
Provide a “Name” and leave “Alert type” as “Custom”.
Under “Send this alert when”, select “Activities” and type “User logged in”. In the “Users” field, select the specific user account(s) whose sign-ins you would like to be notified about.
Under “Send this alert to” add the desired email recipients.
Now, email notifications will be sent whenever those accounts authenticate.
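The same policy can be created and verified from Security & Compliance Center PowerShell, which is useful for scripting the configuration or checking it in code review. The block below is an added example, not part of the original post or Microsoft's documentation; it assumes the ExchangeOnlineManagement module is installed, that the signed-in admin can manage alert policies, and that the account name, recipient list and alert name are placeholders you replace with your own.

```powershell
# Added example (not from the original post). Placeholders: the break-glass UPN,
# the recipient list and the alert name are assumptions to be replaced.
$BreakGlassUpn = 'emergency-access@contoso.example'   # placeholder account
$Recipients    = @('secops@contoso.example')          # placeholder distribution list
$AlertName     = 'Emergency access account sign-in'

# Connect to the Security & Compliance Center endpoint.
Connect-IPPSSession

# Equivalent of the portal steps: New alert policy -> Activities: "User logged in"
# -> Users: the break-glass account -> Send this alert to: the recipients.
New-ActivityAlert -Name $AlertName `
    -Description 'Any sign-in by the break-glass account; expected only for credential verification or a declared incident.' `
    -Operation 'UserLoggedIn' `
    -UserId $BreakGlassUpn `
    -NotifyUser $Recipients

# Confirm the alert exists and is enabled (Disabled should be False).
Get-ActivityAlert -Identity $AlertName |
    Format-List Name, Operation, UserId, NotifyUser, Disabled

# Independent check for the same condition: pull the last seven days of UserLoggedIn
# events for the account from the unified audit log. Any record here that does not
# match a scheduled verification or a declared incident is a finding, whether or not
# the email alert arrived (the alert policy itself can take hours to start firing).
$Since   = (Get-Date).AddDays(-7)
$SignIns = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
    -Operations 'UserLoggedIn' -UserIds $BreakGlassUpn -ResultSize 5000

foreach ($Record in $SignIns) {
    $Data = $Record.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $Record.CreationDate
        User     = $Data.UserId
        ClientIP = $Data.ClientIP
        Result   = $Data.ResultStatus
    }
}
```

Activity alerts are driven by the unified audit log, so if no records come back from the `Search-UnifiedAuditLog` check after a known sign-in, confirm that audit log search is enabled for the tenant before assuming the alert policy is at fault.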
Microsoft recommends a two-account model: one account not subject to MFA but subject to all other Conditional Access requirements for privileged accounts, and the other not subject to any Conditional Access policies but subject to MFA. While this might meet some organizational requirements, there are now two accounts to monitor and maintain. This practice also does not cover a situation where both MFA and Conditional Access have issues simultaneously.
Now we can sign in with the Emergency Access account. This should result in an email alert to the admin account.
There we have it. The notification recipient could be a distribution list including Global Administrators, information security, etc.
NOTE: It did take several hours for the Alert Policy to begin working. I have seen this take much less time, but the current environment might be part of the delay.