A Microsoft Entra emergency access account, also known as a “Break Glass Account”, is a special account set up for accessing Azure resources in emergency situations. This account typically has higher permissions and is only used when conventional access routes are not available, for example during a service outage in which multi-factor authentication via a mobile phone is not possible. The use of emergency accounts is strictly controlled, monitored, and restricted.

Securing an emergency access account with a FIDO2 security key like YubiKey, which takes over authentication instead of a password, offers several advantages:

  • A FIDO2 security key is a physical device that cannot be easily copied
  • FIDO2 keys are designed to be resistant to phishing attacks. Even if an attacker knows the login credentials, they cannot access the account without the physical key
  • FIDO2 keys are easy to use. They just need to be plugged into a computer’s USB port and activated at login. No additional software or drivers are required
  • FIDO2 keys are compatible with many platforms and services, including Microsoft Azure. This makes them a versatile solution for securing accounts

In this post, you will learn how you can use Microsoft Entra emergency accounts and YubiKey (FIDO2) to secure access to Azure at all times and minimise risks at the same time.

Prerequisites and Licensing

Licenses

No paid licences are necessary to set up accounts for emergency access. A licence starting with Microsoft Entra ID Free is sufficient. This licence is part of every Microsoft tenant.

Sign-in logs must be sent to a Log Analytics workspace to monitor emergency account sign-ins. This feature requires the Microsoft Entra ID P1 or higher licence.

YubiKey FIDO2 Security Key

A YubiKey security key with FIDO2 support from Yubico.
The Yubico website helps you find the right YubiKey:
Which YubiKey is right for you | Quiz | Yubico

Order the YubiKey security key directly from Yubico:
Buy YubiKeys at Yubico.com | Shop hardware authentication security keys

Preparations

Create Microsoft Entra Group

A security group in Microsoft Entra ID is created to simplify the management of the emergency accounts (Break Glass Accounts).

Microsoft Entra ID > Groups > New Group

Create a security group for emergency accounts:

  1. Choose Group type Security
  2. Enter Group name BreakGlassAccounts
  3. Allow Microsoft Entra roles to be assigned to the group
  4. Create the security group

Assign Microsoft Entra role

The Global Administrator role is assigned to the emergency accounts via the Microsoft Entra group BreakGlassAccounts.

Microsoft Entra ID > Roles and administrators > Global Administrator

Click on Add assignment

Choose Microsoft Entra group BreakGlassAccounts and click Next

  1. Choose Assignment type Active
  2. Choose Permanently assigned
  3. Enter justification (BreakGlassAccounts)
  4. Click Assign

The Microsoft Entra group BreakGlassAccounts is added to the Microsoft Entra role Global Administrator after a short time.

Create Microsoft Entra Conditional Access

Microsoft Entra Conditional Access ensures that emergency accounts can only sign in using phishing-resistant multi-factor authentication methods, e.g. YubiKey (FIDO2).

Microsoft Entra ID > Security > Conditional Access > Create new policy

This Conditional Access policy is assigned to all emergency accounts in the security group BreakGlassAccounts.

Conditional access is applied to all cloud applications.

Under Access controls, it is important to grant access only with the authentication strength Phishing-resistant MFA.

In the session control, set the Sign-in frequency (1) to Every time and Persistent browser session (2) to Never persistent.

Enable conditional access with On and Save.

If other Conditional Access policies are already configured, the security group BreakGlassAccounts must be excluded from each of them, so that no other policy can lock the emergency accounts out.

Create Microsoft Entra ID Emergency Account

Sign in to the Azure Portal (https://portal.azure.com) and create a new user: Microsoft Entra ID > Users > New user > Create new user.

  1. Enter User Principal Name
    Best Practice: the user name should not reveal the purpose of the account. A generic, random user name is best suited and can be created with the LastPass user name generator:
    https://www.lastpass.com/features/username-generator
  2. Select Domain
    Best Practice: use the domain onmicrosoft.com for Microsoft Entra ID emergency accounts. This ensures that the Microsoft tenant can still be accessed in the event of failure with custom domains.
  3. Enter Display Name
  4. Save Password
    The password must be changed at the first sign-in.
  5. Enable account

Enter user account properties according to your own guidelines.

Do not add the user account to any Microsoft Entra group or Microsoft Entra role yet. Emergency accounts require a phishing-resistant multi-factor authentication method (e.g. YubiKey FIDO2), which is set up after the emergency account has been created.

Check user account details and confirm with Create.

The emergency account is now created.

Register YubiKey (FIDO2)

Sign in with the emergency account at https://aka.ms/mysecurityinfo.

Multi-factor authentication is mandatory for setting up a YubiKey (FIDO2) security key. The first step is therefore to set up multi-factor authentication via the Microsoft Authenticator App or SMS.

After setting up multi-factor authentication via the Microsoft Authenticator App or SMS, the password must be changed (first sign-in). For this user account, a password length of more than 32 characters is recommended.

The next step is to set up the YubiKey (FIDO2) security key.
Security info > Add sign-in method

Detailed instructions about this step can be found here:
Passwordless Sign In with Microsoft Entra ID (Azure AD) and YubiKey (FIDO2) – cloudcoffee.ch

After successful setup, the YubiKey (FIDO2) security key is listed under Security info.

Enable Microsoft Entra Conditional Access for emergency account

Adding the emergency account to the previously created Microsoft Entra group BreakGlassAccounts makes the use of the YubiKey (FIDO2) security key mandatory: the previously created Microsoft Entra Conditional Access policy enforces it at sign-in.

Select Microsoft Entra ID > Users > Emergency Account

Select Groups > Add membership and add BreakGlassAccounts

Membership in the Microsoft Entra group BreakGlassAccounts activates Microsoft Entra Conditional Access and requires a phishing-resistant sign-in.

Monitor and notify sign-ins with emergency accounts

An Azure Log Analytics workspace in combination with Azure Monitor monitors the emergency accounts and sends a notification when they are used.

Create Log Analytics workspace and action group

Select all Services > Analytics > Log Analytics workspaces

Select Create

  1. Select Subscription and Resource group
  2. Enter name for the Log Analytics workspace
  3. Choose Azure Region
  4. Continue to check the entries by clicking on Review + Create

After successful verification, create the Log Analytics workspace with Create.

Open Log Analytics workspace after successful creation and select Monitoring > Alerts

Select Alerts rules

Select Create to create a new alert rule.

  1. Select Custom log search at Signal name
  2. Insert Search Query
    Replace UPN with the user principal name of the emergency account, e.g. 5PE63CeEpJKmd9e@48238h.onmicrosoft.com;
    several accounts can be included in the query with “or”
  3. Configure Alert Logic
    Operator = Greater Than
    Threshold value = 0
    Frequency of evaluation = 5 minutes
  4. Select Next
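An added example of the search query for step 2 (it is not taken from the original post): it lists several emergency accounts with `in~` instead of chaining “or”, and additionally flags successful sign-ins that did not use a FIDO2 key, which the Conditional Access policy should never allow. It assumes the SigninLogs table is populated by the SignInLogs diagnostic setting; the first UPN is the example from the post, the second is a placeholder.

```kusto
// Added example, not part of the original post.
// Assumption: Microsoft Entra SignInLogs are streamed to this workspace (table SigninLogs).
// The alert rule's evaluation window selects the time range, so no ago() filter is needed here.
let BreakGlassAccounts = dynamic([
    "5PE63CeEpJKmd9e@48238h.onmicrosoft.com",          // example UPN from the post
    "<second-emergency-account>@<tenant>.onmicrosoft.com"  // placeholder
]);
SigninLogs
| where UserPrincipalName in~ (BreakGlassAccounts)    // case-insensitive match on all accounts
// ResultType 0 = success; anything else is a failed or interrupted sign-in
| extend Succeeded = ResultType == 0
// The CA policy requires phishing-resistant MFA, so a successful sign-in without FIDO2 is anomalous
| extend UsedFido2 = tostring(AuthenticationDetails) has "FIDO2"
| extend Anomaly = Succeeded and not(UsedFido2)
| project TimeGenerated, UserPrincipalName, Succeeded, ResultDescription,
          AppDisplayName, IPAddress, ConditionalAccessStatus, UsedFido2, Anomaly
| order by TimeGenerated desc
```

Every row returned counts towards the alert threshold (Greater Than 0), so any use of an emergency account, successful or not, triggers the notification.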

The action group is used to determine who will be notified when the emergency account is used. The notification will be triggered via email, SMS, push or voice.
Select Create action group

  1. Select Subscription and Resource group
  2. Choose Azure Region
  3. Enter Action group name
  4. Select Notification

Configure notifications according to your own guidelines. Notifications can be sent via email, SMS, push or voice.
The Actions and Tags tabs are optional; select Review + Create to finish.

Check entries again and create action group with Create.

The action group has been successfully created and activated for notification. Continue with Details.

  1. Select Subscription and Resource group
  2. Select Severity (0-Critical)
  3. Enter Alert rule name
  4. Choose Azure Region
  5. Select Review + Create

Verify information and create alert rule with Create.

After a few minutes the alert rule is created.

Send sign-ins to Log Analytics workspace

For monitoring emergency accounts, all sign-ins to Microsoft Entra ID must be sent to the Log Analytics workspace.

Microsoft Entra ID > Diagnostic settings > Add diagnostic setting

  1. Select category SignInLogs
  2. Enable Send to Log Analytics workspace
  3. Select Log Analytics workspace
  4. Click Save

All sign-ins to Microsoft Entra ID are now sent to the Log Analytics workspace.

After sign-in with the emergency account, the notification is triggered. This message can be customized to your own needs: Customize notification

Sign in with Microsoft Entra ID Emergency Account

No user name or password is required to sign in to the Azure Portal (https://portal.azure.com). Instead, select Sign-in options.

Select Sign in with Windows Hello or a security key.

Select Security Key.

Depending on the security key used, the further steps differ, but they are self-explanatory.

Touch your security key when prompted.

The emergency account has successfully signed in and has the Microsoft Entra role Global Administrator assigned.

Customize notification

The content of the notification for sign-in with an emergency account can be customized to your own needs.

Log Analytics workspace > Alerts > Alert rules > Edit > Customize Actions

With the above settings, the email notification looks like this:

Recurring tasks and best practices

  • It is advisable to set up at least 2 emergency accounts
  • The access and monitoring of each emergency account should be reviewed annually
  • The documentation must show which employees have an emergency account
  • In the event of an employee leaving the company, the emergency account must be blocked or deleted immediately
  • Depending on the Microsoft Tenant configuration, it may make sense to assign the Owner role to the emergency account on subscriptions in addition to the Microsoft Entra Global Administrator role.

Troubleshooting

Method Security Key is missing

When adding the sign-in method, Security Key is not available for selection.

The use of FIDO2 Security Keys must first be activated.
Microsoft Entra ID > Security > Authentication methods > FIDO2 security key
