As a sole proprietor working out of my home, I have a unique challenge created by this new requirement. By mandating MFA, even on the emergency/break-glass account, I no longer have a resolution for the house-burned-down scenario where I simultaneously lose access to all of my computers, phones, and YubiKeys. Without other admins as backups, such an event would lock me out of everything with no recourse to regain access to email or admin portals (at least not within several days/weeks).
Currently, my break-glass account is configured with a very long (60+ character), high-entropy password but is excluded from certain MFA policies. To mitigate the risk of not having MFA, there is a Defender for Cloud policy which immediately sends alerts to multiple email accounts on multiple mail platforms when this account is used. This is tested yearly at which time the password is rotated.
All of my other accounts are of course protected by MFA, and in most cases require passwordless phishing-resistant MFA.
I am exploring other options for safe storage of X.509 certificates or YubiKeys away from my home, and I get why Microsoft is forcing most people's hands on this. But it doesn't sound like you have fully considered the solo-operator scenario when deciding not to exclude break-glass accounts. For me it's a business risk assessment calculating the risk of admin account compromise versus the risk of losing access to virtually my entire business, where I feel like exceptions should be warranted.
I shouldn't have to prioritize my phone over my family if my house is on fire.
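The compensating control the post describes (a break-glass account excluded from MFA, with an alert on every use and a yearly password rotation) can be checked offline against sign-in records. The following is an added example written for this reply, not the poster's own configuration or any Microsoft product's code: it runs the two detections a defender would want over a handful of constructed sign-in records whose field names mirror the Entra ID / Microsoft Graph sign-in log schema. The tenant name, user principal names, IP addresses and timestamps are all hypothetical, as is the rotation-interval check.

```python
from datetime import datetime, timezone

# Hypothetical break-glass account; in a real tenant this would be the account that is
# excluded from the MFA Conditional Access policies.
BREAK_GLASS_UPNS = {"breakglass@contoso.onmicrosoft.com"}

# Constructed sample records (not real logs). Field names follow the Entra ID /
# Microsoft Graph sign-in schema; errorCode 0 means success, 50126 is a bad password.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T09:12:03Z", "userPrincipalName": "admin@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.20", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T03:41:55Z", "userPrincipalName": "BreakGlass@contoso.onmicrosoft.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T03:43:10Z", "userPrincipalName": "breakglass@contoso.onmicrosoft.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-05-03T14:05:00Z", "userPrincipalName": "helpdesk@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.21", "appDisplayName": "Microsoft 365 admin center",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
]


def breakglass_signin_alerts(records, breakglass_upns=BREAK_GLASS_UPNS):
    """One alert per sign-in attempt by a break-glass account, success or failure.

    Because the account has no MFA, any use of it matters: a success outside a
    planned test means possible compromise, a failure means someone is trying.
    UPN comparison is case-insensitive, as the directory itself treats it.
    """
    watched = {u.lower() for u in breakglass_upns}
    alerts = []
    for rec in records:
        if rec["userPrincipalName"].lower() not in watched:
            continue
        code = rec["status"]["errorCode"]
        succeeded = code == 0
        alerts.append({
            "time": rec["createdDateTime"],
            "upn": rec["userPrincipalName"],
            "ip": rec["ipAddress"],
            "app": rec["appDisplayName"],
            "outcome": "success" if succeeded else f"failure({code})",
            "severity": "high" if succeeded else "medium",
        })
    return alerts


def single_factor_signins_outside_breakglass(records, breakglass_upns=BREAK_GLASS_UPNS):
    """UPNs of successful single-factor sign-ins by any account other than break-glass.

    The model in the post tolerates exactly one MFA exception; any other account
    showing up here means an MFA policy is not applying where it should.
    """
    watched = {u.lower() for u in breakglass_upns}
    return [
        rec["userPrincipalName"]
        for rec in records
        if rec["userPrincipalName"].lower() not in watched
        and rec["status"]["errorCode"] == 0
        and rec.get("authenticationRequirement") == "singleFactorAuthentication"
    ]


def password_rotation_overdue(last_rotated_iso, now_iso=None, max_age_days=365):
    """True when the break-glass password is older than the rotation interval
    (the post rotates it at the yearly test). Timestamps are ISO 8601 in UTC."""
    last = datetime.fromisoformat(last_rotated_iso.replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    return (now - last).days > max_age_days


if __name__ == "__main__":
    for a in breakglass_signin_alerts(SAMPLE_SIGNINS):
        print(f"[{a['severity'].upper()}] break-glass {a['outcome']} from {a['ip']} "
              f"at {a['time']} via {a['app']}")
    for upn in single_factor_signins_outside_breakglass(SAMPLE_SIGNINS):
        print(f"[MEDIUM] single-factor sign-in by non-break-glass account {upn}")
    print("rotation overdue:",
          password_rotation_overdue("2023-04-01T00:00:00Z", "2024-05-04T00:00:00Z"))
```

Run against the constructed records, the first function raises two alerts (one high for the successful break-glass sign-in, one medium for the failed attempt from the same address), the second flags the helpdesk account as signing in with a single factor, and the rotation check reports the password as overdue. In a live tenant the same logic would sit in whatever alerting product watches the sign-in logs; the point of the offline version is to confirm, before the yearly test, that the alert fires on every use rather than only on failures.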