A Microsoft Entra emergency access account, also known as a “Break Glass Account”, is a special account set up for accessing Azure resources in emergency situations. This account typically has higher permissions and is only used when conventional access routes are not available. This could be, for example, a service outage, so that no multi-factor authentication can be performed via a mobile phone. The use of emergency accounts is strictly controlled, monitored, and restricted.
Securing an emergency access account with a FIDO2 security key such as a YubiKey, which replaces the password as the authentication factor, offers several advantages:
- A FIDO2 security key is a physical device that cannot be easily copied
- FIDO2 keys are designed to be resistant to phishing attacks. Even if an attacker knows the login credentials, they cannot access the account without the physical key
- FIDO2 keys are easy to use. They just need to be plugged into a computer’s USB port and activated at login. No additional software or drivers are required
- FIDO2 keys are compatible with many platforms and services, including Microsoft Azure. This makes them a versatile solution for securing accounts
In this post, you will learn how you can use Microsoft Entra emergency accounts and YubiKey (FIDO2) to secure access to Azure at all times and minimise risks at the same time.
Prerequisites and Licensing
Licenses
No paid licences are necessary to set up accounts for emergency access. A licence starting with Microsoft Entra ID Free is sufficient. This licence is part of every Microsoft tenant.
Sign-in logs must be sent to a Log Analytics workspace to monitor emergency account sign-ins. This feature requires the Microsoft Entra ID P1 or higher licence.
YubiKey FIDO2 Security Key
A YubiKey security key with FIDO2 support from Yubico.
To find the right YubiKey for you, the Yubico website will help you:
Which YubiKey is right for you | Quiz | Yubico
Order the YubiKey security key directly from Yubico:
Buy YubiKeys at Yubico.com | Shop hardware authentication security keys
Preparations
Create Microsoft Entra Group
The security group in Microsoft Entra ID is created to facilitate the management of emergency accounts (Break Glass Accounts).
Microsoft Entra ID > Groups > New Group
Create a security group for emergency accounts:
- Choose Group Type Security
- Enter Group name BreakGlassAccounts
- Allow Microsoft Entra roles to be assigned to the group
- Create security group
Assign Microsoft Entra role
The Global Administrator role is added to the emergency accounts using the Microsoft Entra group BreakGlassAccounts.
Microsoft Entra ID > Roles and administrators > Global Administrator
Click on Add assignment
Choose Microsoft Entra group BreakGlassAccounts and click Next
- Choose Assignment type Active
- Choose Permanently assigned
- Enter justification (BreakGlassAccounts)
- Click Assign
The Microsoft Entra group BreakGlassAccounts is added to the Microsoft Entra role Global Administrator after a short time.
Create Microsoft Entra Conditional Access
Microsoft Entra Conditional Access ensures that emergency accounts can only sign in using phishing-resistant multi-factor authentication methods, e.g. YubiKey (FIDO2).
Microsoft Entra ID > Security > Conditional Access > Create new policy
This conditional access is assigned for all emergency accounts in the security group BreakGlassAccounts.
Conditional access is applied to all cloud applications.
In access control, it is important to limit the authentication strength to Phishing-resistant MFA.
In the session control, set the Sign-in frequency (1) to Every time and Persistent browser session (2) to Never persistent.
Enable conditional access with On and Save.
If other Conditional Access policies already exist, the security group BreakGlassAccounts must be excluded from each of them, otherwise a policy that requires a factor the emergency account does not have (e.g. a compliant device) can lock it out.
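One way to check the group exclusions described above (and that each member has a security key registered) is the following audit script. It is an added example, not code from the original post, and assumes the Microsoft.Graph PowerShell module and read-only Graph permissions; the group name BreakGlassAccounts is the one used in this post.

```powershell
# Added example, not code from the original post: audit Conditional Access so that the
# BreakGlassAccounts group is excluded from every policy except the one that targets it,
# and confirm each member has a FIDO2 security key registered.
# Assumes the Microsoft.Graph PowerShell module and read-only Graph permissions.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All", "GroupMember.Read.All", `
                        "UserAuthenticationMethod.Read.All" -NoWelcome

$group = Get-MgGroup -Filter "displayName eq 'BreakGlassAccounts'"
if (-not $group) { throw "Group BreakGlassAccounts not found" }
$members   = @(Get-MgGroupMember -GroupId $group.Id)
$memberIds = $members | ForEach-Object { $_.Id }
# Well-known template id of the Global Administrator role, which the group holds
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

foreach ($policy in Get-MgIdentityConditionalAccessPolicy) {
    $u = $policy.Conditions.Users
    if ($u.IncludeGroups -contains $group.Id) {
        # The dedicated break glass policy that enforces phishing-resistant MFA
        "[break-glass policy] {0} (state: {1})" -f $policy.DisplayName, $policy.State
        continue
    }
    # Any other scope through which the policy can reach an emergency account
    $reachesGroup = ($u.IncludeUsers -contains "All") -or
                    ($u.IncludeRoles -contains $globalAdminRoleId) -or
                    (@($u.IncludeUsers | Where-Object { $memberIds -contains $_ }).Count -gt 0)
    if ($reachesGroup -and ($u.ExcludeGroups -notcontains $group.Id)) {
        "[MISSING EXCLUSION] {0} (state: {1})" -f $policy.DisplayName, $policy.State
    }
}

# Every member of the group should have at least one FIDO2 security key
foreach ($m in $members) {
    $upn  = $m.AdditionalProperties["userPrincipalName"]
    $keys = @(Get-MgUserAuthenticationFido2Method -UserId $m.Id)
    "{0}: {1} FIDO2 key(s) registered" -f $upn, $keys.Count
}
```

Policies in state enabledForReportingButNotEnforced are listed as well, so exclusions can be fixed before they are switched on.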
Create Microsoft Entra ID Emergency Account
Sign in to the Azure Portal (https://portal.azure.com) and create a new user. Microsoft Entra ID > Users > New user > Create new user.
- Enter User Principal Name
Best Practice: the user name should give no indication of the account's purpose. A generic user name is best suited and can be created with the LastPass user name generator: https://www.lastpass.com/features/username-generator
- Select Domain
Best Practice: use the domain onmicrosoft.com for Microsoft Entra ID emergency accounts. This ensures that the Microsoft tenant can still be accessed in the event of a failure with custom domains.
- Enter Display Name
- Save Password
The password must be changed at the first sign-in.
- Enable account
Enter user account properties according to your own guidelines.
Do not add the user account to any Microsoft Entra group or Microsoft Entra role at this stage. Emergency accounts require a phishing-resistant multi-factor authentication method (e.g. YubiKey FIDO2), which is set up once the emergency account has been created.
Check user account details and confirm with Create.
The emergency account is now created.
Register YubiKey (FIDO2)
Sign in with the emergency account at https://aka.ms/mysecurityinfo.
Multi-factor authentication is mandatory for setting up a YubiKey (FIDO2) security key. The first step is therefore to set up multi-factor authentication via the Microsoft Authenticator App or SMS.
After setting up multi-factor authentication via the Microsoft Authenticator App or SMS, the password must be changed (first login). For this user account, a password length of > 32 characters is recommended.
The next step is to set up the YubiKey (FIDO2) security key.
Security info > Add sign-in method
Detailed instructions about this step can be found here:
Passwordless Sign In with Microsoft Entra ID (Azure AD) and YubiKey (FIDO2) – cloudcoffee.ch
After successful setup, the YubiKey (FIDO2) security key is listed under Security info.
Enable Microsoft Entra Conditional Access for emergency account
Adding the emergency account to the previously created Microsoft Entra group BreakGlassAccounts makes the use of the YubiKey (FIDO2) security key mandatory.
Mandatory use of the security key is forced with the previously created Microsoft Entra Conditional Access policy at sign-in.
It is no longer possible to sign in using a password or a non-phishing-resistant multi-factor authentication method, such as the previously set up SMS.
Select Microsoft Entra ID > Users > Emergency Account
Select Groups > Add membership and add BreakGlassAccounts
Membership in the Microsoft Entra group BreakGlassAccounts activates Microsoft Entra Conditional Access and requires a phishing-resistant sign-in.
Monitor and notify sign-ins with emergency accounts
An Azure Log Analytics workspace in combination with Azure Monitor monitors the emergency accounts and sends a notification when they are used.
Create Log Analytics workspace and action group
Select all Services > Analytics > Log Analytics workspaces
Select Create
- Select Subscription and Resource group
- Enter name for the Log Analytics workspace
- Choose Azure Region
- Continue to check the entries by clicking on Review + Create
After successful verification, create the Log Analytics workspace with Create.
Open Log Analytics workspace after successful creation and select Monitoring > Alerts
Select Alerts rules
Select Create to create a new alert rule.
- Select Custom log search at Signal name
- Insert Search Query
Replace UPN with the emergency account, e.g. 5PE63CeEpJKmd9e@48238h.onmicrosoft.com. Several accounts can be included in the query with "or".
SigninLogs
| where UserPrincipalName contains "UPN"
- Configure Alert Logic
Operator = Greater Than
Threshold value = 0
Frequency of evaluation = 5 minutes
- Select Next
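Before wiring the search query into the alert rule, it is worth running it against the workspace for several accounts at once and with the fields that are useful in a notification. The script below is an added example, not code from the original post; it assumes the Az.OperationalInsights module, and the workspace id and the two UPNs are placeholders for your own values.

```powershell
# Added example, not code from the original post: run the alert query against the
# Log Analytics workspace so the match for each emergency account can be verified.
# Assumes the Az.OperationalInsights module; workspace id and UPNs are placeholders.
Connect-AzAccount | Out-Null
$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder: workspace (customer) id
$breakGlassUpns = @(
    "emergency1@contoso.onmicrosoft.com",   # placeholder
    "emergency2@contoso.onmicrosoft.com"    # placeholder
)

# Same SigninLogs filter as the alert rule, extended to several accounts with in~
# (case-insensitive exact match, stricter than 'contains') and projected to the
# fields worth showing in the notification. ResultType 0 is a successful sign-in.
$upnList = ($breakGlassUpns | ForEach-Object { '"{0}"' -f $_ }) -join ", "
$query = @"
SigninLogs
| where UserPrincipalName in~ ($upnList)
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription,
          AppDisplayName, IPAddress, ConditionalAccessStatus, AuthenticationRequirement
| order by TimeGenerated desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query `
                                            -Timespan (New-TimeSpan -Days 7)
$rows = @($result.Results)
"{0} sign-in event(s) for emergency accounts in the last 7 days" -f $rows.Count
$rows | Format-Table TimeGenerated, UserPrincipalName, ResultType, IPAddress, `
                     ConditionalAccessStatus -AutoSize
```

Failed attempts (ResultType other than 0) are returned as well, which is intended: an attempt against an emergency account is worth a notification even when the security key requirement blocked it.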
The action group is used to determine who will be notified when the emergency account is used. The notification will be triggered via email, SMS, push or voice.
Select Create action group
- Select Subscription and Resource group
- Choose Azure Region
- Enter Action group name
- Select Notification
Configure notifications according to your own guidelines. Notifications can be sent via email, SMS, push or voice.
The Actions and Tags tabs are optional, select Review + Create to finish.
Check entries again and create action group with Create.
The action group has been successfully created and activated for notification. Continue with Details.
- Select Subscription and Resource group
- Select Severity (0-Critical)
- Enter Alert rule name
- Choose Azure Region
- Select Review + Create
Verify information and create alert rule with Create.
After a few minutes the alert rule is created.
Send sign-ins to Log Analytics workspace
For monitoring emergency accounts, all sign-ins to Microsoft Entra ID must be sent to the Log Analytics workspace.
Microsoft Entra ID > Diagnostic settings > Add diagnostic setting
- Select category SignInLogs
- Enable Send to Log Analytics workspace
- Select Log Analytics workspace
- Click Save
All sign-ins to Microsoft Entra ID are now sent to the Log Analytics workspace.
After sign-in with the emergency account, the notification is triggered. This message can be customized to your own needs: Customize notification
Sign-in with Microsoft Entra ID Emergency Account
No user name or password is required to sign in to the Azure Portal (https://portal.azure.com). Instead, select Sign-in options.
Select Sign-in with Windows Hello or a security key
Select Security Key
Depending on the security key used, the further steps are different. However, the steps are self-explanatory.
The emergency account has successfully signed in and has the Microsoft Entra role Global Administrator assigned.
Customize notification
The content of the notification for sign-in with an emergency account can be customized to your own needs.
Log Analytics workspace > Alerts > Alert rules > Edit > Customize Actions
With the above settings, the email notification looks like this:
Recurring tasks and best practices
- It is advisable to set up at least 2 emergency accounts
- The access and monitoring of each emergency account should be reviewed annually
- The documentation must show which employees have an emergency account
- In the event of an employee leaving the company, the emergency account must be blocked or deleted immediately
- Depending on the Microsoft Tenant configuration, it may make sense to assign the Owner role to the emergency account on subscriptions in addition to the Microsoft Entra Global Administrator role.
Troubleshooting
Method Security Key is missing
When adding the sign-in method, Security Key is not available for selection.
The use of FIDO2 Security Keys must first be activated.
Microsoft Entra ID > Security > Authentication methods > FIDO2 security key