Protecting Breakglass account with 3rd party MFA?

%3CLINGO-SUB%20id%3D%22lingo-sub-1515064%22%20slang%3D%22en-US%22%3ERe%3A%20Protecting%20Breakglass%20account%20with%203rd%20party%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1515064%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F395196%22%20target%3D%22_blank%22%3E%40Chuck99%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProtecting%20the%20break%20glass%20account%20with%20additional%20authentication%20security%20is%20something%20that%20causes%20great%20debate%20among%20my%20fellow%20consultants.%26nbsp%3B%20One%20possible%20solution%20could%20be%20to%20use%20an%20OAuth%20token%20such%20as%20a%20Yubikey%20device.%26nbsp%3B%20You%20could%20have%20a%20couple%20of%20break%20glass%20accounts%2C%20and%20get%20a%20couple%20of%20these%20tokens%2C%20give%20them%20to%20different%20people%20and%20get%20them%20to%20lock%20them%20away%20in%20a%20fire%20proof%20safe%20if%20they%20have%20access%20to%20one.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20is%20slightly%20annoying%20that%20Microsoft%20do%20suggest%20that%20you%20protect%20your%20break%20glass%20accounts%20with%20an%20alternative%20authentication%2C%20but%20do%20not%20provide%20best%20practice%20recommendations%20on%20how%20to%20do%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1512995%22%20slang%3D%22en-US%22%3EProtecting%20Breakglass%20account%20with%203rd%20party%20MFA%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1512995%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20recommended%20by%20Microsoft%2C%20we%20have%20configured%20our%20tenant%20to%20enforce%20a%20Conditional%20Access%20policy%20for%20all%20our%20Global%20admin%20accounts%20BUT%20for%20an%20account%20that%20we%20will%20use%20only%20in%20case%20of%20a%20situation%20where%20other%20global%20admin%20accounts%20would%20not%20be%20able%20to%20sign-in.%20As%20recommended%2C%20this%20%22breakglass%22%20account%20is%20a%20cloud%20account%2C%20its%20UPN%20is%20using%20the%20onmicrosoft.com%20domain%20and%20it%20is%20excluded%20from%20all%20Conditional%20access%20policies%2C%20especially%20the%20one%20that%20enforces%20MFA%20for%20global%20admins.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20trying%20to%20find%20some%20ways%20to%20protect%20this%20brreakglass%20account%20and%20for%20now%2C%20all%20I've%20done%20is%20configuring%20Azure%20AD%20logs%20export%20to%20Azure%20Log%20Analytics%20and%20use%20Log%20Analytics%20to%20query%20the%20Azure%20AD%20sign-in%20logs%20every%205%20minutes%20to%20see%20if%20the%20breakglass%20account%20signed-in.%20If%20this%20happens%2C%20an%20alert%20is%20send%20by%20email%20and%20SMS%20to%20the%20IT%20admins%20so%20that%20they%20can%20react%20quickly%20if%20the%20account%20has%20been%20compromised.%20Of%20course%2C%20We've%20configured%20a%20complex%20password%20as%20well%20that%20is%20known%20by%20almost%20no%20one.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20I%20would%20like%20to%20do%20now%20is%20to%20configure%20another%20MFA%20solution%20for%20this%20account.%20By%20that%20I%20mean%20that%20evert%20standard%20user%20would%20use%20the%20Azure%20MFA%20based%20on%20the%20Conditional%20Access%20but%20I%20would%20integrate%20as%20well%20a%203rd%20party%20MFA%20solution%20to%20be%20used%20specifically%20by%20the%20breakglass%20account.%20I%20don't%20know%20if%20this%20is%20possible.%20If%20not%2C%20what%20else%20should%20I%20do%20to%20better%20secure%20this%20sensitive%20account%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20idea%20is%20welcomed!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1512995%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAccess%20Management%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIdentity%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Contributor

Hi,

 

As recommended by Microsoft, we have configured our tenant to enforce a Conditional Access policy for all our Global admin accounts BUT for an account that we will use only in case of a situation where other global admin accounts would not be able to sign-in. As recommended, this "breakglass" account is a cloud account, its UPN is using the onmicrosoft.com domain and it is excluded from all Conditional access policies, especially the one that enforces MFA for global admins.

 

I'm trying to find some ways to protect this brreakglass account and for now, all I've done is configuring Azure AD logs export to Azure Log Analytics and use Log Analytics to query the Azure AD sign-in logs every 5 minutes to see if the breakglass account signed-in. If this happens, an alert is send by email and SMS to the IT admins so that they can react quickly if the account has been compromised. Of course, We've configured a complex password as well that is known by almost no one.

 

What I would like to do now is to configure another MFA solution for this account. By that I mean that evert standard user would use the Azure MFA based on the Conditional Access but I would integrate as well a 3rd party MFA solution to be used specifically by the breakglass account. I don't know if this is possible. If not, what else should I do to better secure this sensitive account?

 

Any idea is welcomed!

 

Thanks 

1 Reply
Highlighted

@Chuck99 

 

Protecting the break glass account with additional authentication security is something that causes great debate among my fellow consultants.  One possible solution could be to use an OAuth token such as a Yubikey device.  You could have a couple of break glass accounts, and get a couple of these tokens, give them to different people and get them to lock them away in a fire proof safe if they have access to one.

 

It is slightly annoying that Microsoft do suggest that you protect your break glass accounts with an alternative authentication, but do not provide best practice recommendations on how to do this.