Don’t get locked out. Creating an emergency break glass account for Office 365.

Don’t get locked out of your Office 365 tenant! 

Even if you have multiple Office 365 admin accounts, there are plenty of worst case scenarios and edge cases that can cause you to temporarily, or even permanently lose access to your Office 365 tenant. 

Perhaps your Global Administrator unexpectedly walks out, or maybe a network outage means your Office 365 admins cannot perform the Multi-Factor Authentication (MFA) required to access their accounts. 

What are the consequences of your business losing access to essential software and services? You might get “lucky” and only experience a drop in productivity - or you might miss important client deadlines, lose revenue or experience an outage that’s noticed by every single one of your customers. 

In this article, I’ll show you how to prepare for the worst case scenario, by creating a “break glass” account. By following the steps in this tutorial, you’ll be able to access your tenant and restore normal operations, even when your regular admin accounts are completely unavailable. 

What is an emergency access account? 

An emergency access, or “break glass” account is a highly privileged, cloud-only account that you use when it’s impossible to sign in with your standard Office 365 admin accounts. For example, if your admin accounts are federated and federation is unavailable because of an identity provider or network outage, then an emergency access account lets you regain access to your Office 365 tenant. 

Since we’re preparing for edge cases and emergencies, at least one break glass account must be accessible at all times. To ensure this level of access, we recommend creating two or more cloud-only emergency access accounts that are not federated or synchronized from an on-premises environment, and that don’t share an authentication dependency (the same MFA provider, phone number or identity provider) with your everyday admin accounts. 

You also shouldn’t tie your break glass account(s) to any specific employee, or to a device that only one person holds, such as a personal phone or a hardware token on someone’s keyring. If you tie an emergency account to a particular person or device, then you’re creating a single point of failure that can prove disastrous in a real-world emergency. If you do protect the account with a hardware token, keep it in a secure location (a safe, for example) that more than one authorized person can reach. 

Azure Active Directory: Creating a new user account

To ensure your break glass account isn’t associated with any specific employee credentials, we’ll start by creating a brand new user account. 

To create a new account, your Office 365 admin needs to: 

● Sign into the Azure portal

● Select “Azure Active Directory.” 

● In the left-hand menu, select “Users.” 

● Select “New User.” 

● Make sure “Create user” is selected. 

● In “Identity,” enter a random username that doesn’t hint at the account’s purpose and doesn’t belong to any real person. 

● Complete the remaining fields as normal, using a long, randomly generated password rather than one an admin can remember. 

When you’re happy with the information you’ve entered, click “Create.” 

Go global: Assigning admin privileges 

A break glass account must hold the Global Administrator role as a permanent assignment, not as an eligible assignment in Privileged Identity Management, because activating an eligible role can itself demand MFA or an approver who may be unavailable in an emergency. So let’s assign global admin rights to the user account we just created: 

● In Azure Active Directory, select “Users” followed by the name of your break glass account. 

● In the left-hand menu, select “Assigned roles.” 

● Select “Add assignments,” choose “Global administrator” from the list, and click “Add.” 
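
The two procedures above (create the account, then make it a Global Administrator) as one Microsoft Graph PowerShell script. This is an added example, not code from the original article. It assumes the Microsoft.Graph PowerShell SDK is installed, that the admin running it can consent to the two scopes it requests, and that contoso.onmicrosoft.com is a placeholder for your own verified domain. The user name and password come from the .NET CSPRNG rather than being typed by hand, and the role membership is a direct, permanent assignment.

```powershell
# Added example, not code from the original article. Assumptions: the Microsoft.Graph
# PowerShell SDK is installed, the admin running this can consent to the scopes below,
# and $TenantDomain is a placeholder for your own verified domain.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$TenantDomain = "contoso.onmicrosoft.com"   # placeholder

# Random string from the OS CSPRNG, with rejection sampling so no character is
# favoured by the modulo (a plain "byte % alphabet length" would be biased).
function New-RandomString([string]$Alphabet, [int]$Length) {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $Alphabet.Length)     # bytes at or above this are thrown away
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($Alphabet[$buf[0] % $Alphabet.Length]) }
    }
    $sb.ToString()
}

# Nothing in the name should hint at "admin" or map to a real employee.
$name     = New-RandomString -Alphabet "abcdefghijklmnopqrstuvwxyz0123456789" -Length 12
$password = New-RandomString -Alphabet ("abcdefghijklmnopqrstuvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
                                        "0123456789" + "!#%^*-_=+") -Length 40

Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# Cloud-only account: created directly in Azure AD, so it has no on-premises or
# federation dependency. Password expiry is disabled so the account cannot be
# locked out by a policy nobody remembers to service.
$user = New-MgUser -DisplayName $name `
                   -UserPrincipalName "$name@$TenantDomain" `
                   -MailNickname $name `
                   -AccountEnabled `
                   -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false } `
                   -PasswordPolicies "DisablePasswordExpiration"

# Permanent Global Administrator membership. The role is already activated in
# every tenant because the admin who created the tenant holds it.
$role = Get-MgDirectoryRole | Where-Object DisplayName -eq "Global Administrator"
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }

# Confirm the membership took before trusting the account in an emergency.
$isMember = [bool](Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | Where-Object Id -eq $user.Id)

[pscustomobject]@{
    UserPrincipalName = $user.UserPrincipalName
    ObjectId          = $user.Id      # you need this later for the sign-in alert query
    GlobalAdmin       = $isMember
    Password          = $password     # record it offline (sealed envelope or offline vault), then discard
}
Remove-Variable password
```

Record the ObjectId the script prints; the alert rule later in this article keys on it. The password is shown exactly once so it can be written down and stored offline, then removed from the session.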

Don’t get caught out by Conditional Access 

While Conditional Access policies can help protect your confidential company data against malicious third parties, they can also block access to your break glass accounts. 

If you use Conditional Access policies, then you should exclude at least one break glass account from all of these policies. 

To exclude your break glass account from Conditional Access: 

● Sign into the Azure AD Conditional Access console

● Select the first Conditional Access policy from the list. 

● In the “Assignments” section, select “Users and Groups.” 

● Open the “Exclude” tab, and then select at least one of your break glass accounts.

● When you’re happy with your selection, click “Save.” 

Rinse and repeat for all your Conditional Access policies, including any in report-only mode, and build this check into your process for creating new policies so that a future policy doesn’t quietly lock the account out.
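
The same check, and the fix, as a Microsoft Graph PowerShell script. This is an added example rather than anything from the original article: it walks every Conditional Access policy, reports the ones whose Exclude list lacks the break glass accounts, and, only when $Fix is set, patches the exclusions in. Assumptions: the Microsoft.Graph SDK is installed, the signed-in admin can consent to the Policy scopes, the two GUIDs are placeholders for your own accounts’ Object IDs, and the patch goes through Graph’s PATCH endpoint for Conditional Access policies, which replaces the excludeUsers collection as a whole (so the script always sends the merged list, never just the new IDs).

```powershell
# Added example, not code from the original article. Assumptions: Microsoft.Graph SDK
# installed; Policy.Read.All / Policy.ReadWrite.ConditionalAccess can be consented;
# the GUIDs below are placeholders for your break glass accounts' Object IDs.
Import-Module Microsoft.Graph.Identity.SignIns

$BreakGlassIds = @(
    "00000000-0000-0000-0000-000000000001",   # placeholder: break glass account 1
    "00000000-0000-0000-0000-000000000002"    # placeholder: break glass account 2
)
$Fix = $false   # $false = report only; $true = add the missing exclusions

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$policies = Get-MgIdentityConditionalAccessPolicy -All
$gaps = 0
foreach ($policy in $policies) {
    # excludeUsers holds object IDs (plus special values such as GuestsOrExternalUsers).
    $excluded = @($policy.Conditions.Users.ExcludeUsers)
    $missing  = @($BreakGlassIds | Where-Object { $_ -notin $excluded })

    if ($missing.Count -eq 0) {
        Write-Host ("OK      [{0}] {1}" -f $policy.State, $policy.DisplayName)
        continue
    }

    $gaps++
    # Report-only policies count too: they become enforcing with a single click.
    Write-Warning ("MISSING [{0}] {1} does not exclude: {2}" -f $policy.State, $policy.DisplayName, ($missing -join ", "))

    if ($Fix) {
        # The collection is replaced as a whole, so send existing exclusions plus the new ones.
        $body = @{ conditions = @{ users = @{ excludeUsers = @($excluded + $missing) } } }
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($policy.Id)" `
            -Body $body
        Write-Host ("FIXED   [{0}] {1}" -f $policy.State, $policy.DisplayName)
    }
}
Write-Host "$($policies.Count) policies checked, $gaps without a break glass exclusion"
```

Run it in report mode first and read the list; only flip $Fix once you are happy that every flagged policy really should exclude the emergency accounts. Rerunning it periodically (or after any policy change) is the cheapest way to catch a new policy that forgot the exclusion.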

Protect your business against 74% of data breaches 

A recent survey found that almost three quarters of data breaches involved access to a privileged account, making your break glass accounts a prime target for hackers. 

Since your break glass accounts have global admin privileges, it’s essential that you take additional steps to keep these accounts secure. 

Let’s ensure your Office 365 admins are notified every time someone signs into your break glass accounts. In this section, we’ll create a notification system that alerts your admins to any instances of unauthorized access, so they can respond to attacks against your break glass accounts immediately. 

Azure AD: Setup a new workspace 

To implement a notification system, we first need to create a Log Analytics workspace where Azure AD will record all the sign-in activity on your break glass account(s). 

To create a workspace, your Office 365 admin needs to: 

● Sign into the Azure portal

● Select “More services > Log Analytics workspaces > Add.” 

● Under “Instance details,” give your workspace a descriptive name. 

● Open the “Subscription” dropdown and choose the subscription that you want to associate with this workspace. 

● In “Resource Group,” either select the existing group that you want to use, or click “Create new” to generate a new resource group. 

● Open the “Location” dropdown and choose the location that you want to use. 

● When you’re happy with the information you’ve entered, click “Review + Create.” 

● Review the information you’ve just entered, and if you’re happy to proceed then click “Create.” 

Azure will now create this workspace, and after a few moments you should see the following message: “Your deployment is complete.”

Recording sign-ins with Azure Monitor 

Now, we’re ready to start recording data to our workspace: 

● Sign into the Azure portal

● Select “Azure Active Directory.” 

● In the left-hand menu, select “Diagnostic settings.” 

● Select “Add diagnostic setting.” 

● In “Diagnostic setting name,” give this setting a descriptive name. 

● Under “Destination details,” select “Send to Log Analytics.”

● Open the “Log Analytics workspace” dropdown and select the workspace that you just created. 

● Since we want to record all sign-in events, select the “SignInLogs” checkbox. This category covers interactive sign-ins only; if you also want to see non-interactive sign-ins (for example, a client silently refreshing a token for the account), select “NonInteractiveUserSignInLogs” as well. 

● Click “Save.” 

After around 15 minutes, sign-in events should start appearing in your workspace. You can view this data by logging into Azure Active Directory: 

● Sign into the Azure portal

● Select “Azure Active Directory.” 

● In the left-hand menu, select “Logs.” This will launch the Log Analytics workspace. 

Now we have our data, we’re ready to setup our sign-in alerts. 

Identifying your break glass account: Retrieving the Object ID

To setup sign-in alerts for your break glass accounts, you’ll need each account’s Object ID: 

● Sign into the Azure portal

● Select “Azure Active Directory.” 

● In the left-hand menu, select “Users.” 

● Select your break glass account. 

● In the “Identity” section, find the “Object ID.” Make a note of this value. 

If you have multiple break glass accounts, then repeat the above steps to acquire the Object ID for each account. 

Sending alerts to your Office 365 admins 

We can now use these Object IDs to create our alert rules: 

● In the Azure search bar, start typing “Log analytics workspace” and then select “Log analytics workspace” when it appears. 

● Select the workspace that you created in the previous step. 

● In the left-hand menu, select “Alerts.” 

● Select “New alert rule.” 

● Under “Condition,” click “Select condition.” 

● Choose “Custom log search.” 

● In the “Search query” section, enter the following - make sure to replace “<object-id>” with the Object ID you retrieved in the previous step. The UserId column in SigninLogs holds the account’s Object ID which, unlike the user principal name, never changes, so the alert keeps working even if the account is renamed: 

SigninLogs | where UserId == "<object-id>" 

If you have multiple break glass accounts, list all of their Object IDs with the in operator: 

SigninLogs | where UserId in ("<object-id-1>", "<object-id-2>") 

● Open the “Based on” dropdown and select “Number of results.” 

● Open the “Operator” dropdown and select “Greater than.” 

● In the “Threshold value” field, type “0.” 

● Under “Evaluate based on,” specify the period, in minutes, that each run of the query looks back over. 

● In “Frequency,” specify how often this query should run. Keep the period at least as long as the frequency, otherwise a sign-in that lands between two runs is never seen; a 5-minute period with a 5-minute frequency is a reasonable starting point for an alert like this. 

● Select “Done,” and Azure will display an estimated monthly cost for this alert. Review this information, and decide whether you’re happy to proceed. 

● Now, select the users who’ll receive this alert. You can either click “Select an action group” and then choose from the available groups, or you can create a new action group. For the purposes of this tutorial, I’ll be selecting all of my Office 365 admins. 

● Under “Customize Actions,” select “Email subject.” 

● In “Subject line,” create the email that’ll be sent to all of your Office 365 admins. 

● Under “Alert Detail rules,” give this rule a descriptive name. 

● Open the “Severity” dropdown and assign this rule a severity level. Since break glass accounts are privileged accounts, I recommend using “Sev 0,” as this is the highest severity level. 

● Select “Enable rule upon creation.” 

● If you’re happy with the information you’ve entered, then click “Create alert rule.” 

And that’s it! All of your Office 365 admins will now receive an email whenever the query finds a sign-in to your break glass account(s), within one evaluation period of the sign-in. Test the whole chain once by signing in with a break glass account and confirming the email arrives, then repeat that test on a regular schedule (quarterly, for example) so you find out about a broken account or alert before you need it.
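
The alert rule from this section as an Az PowerShell script, with a dry run of the query first so you know the data is actually flowing before you rely on the alert. This is an added example, not code from the original article. It assumes Az.Accounts, Az.OperationalInsights and Az.Monitor (version 3.0 or later, which introduced New-AzScheduledQueryRuleConditionObject) are installed, and that the resource group, workspace name, action group resource ID and Object IDs are placeholders for your own. It also goes one step beyond the article: the query unions the non-interactive sign-in table as well, with isfuzzy so it still runs if you only enabled SignInLogs in the diagnostic setting.

```powershell
# Added example, not code from the original article. Assumptions: Az.Accounts,
# Az.OperationalInsights and Az.Monitor >= 3.0 are installed; every name and ID
# below is a placeholder for your own resources.
Import-Module Az.Accounts, Az.OperationalInsights, Az.Monitor

$ResourceGroup = "rg-security-monitoring"                     # placeholder
$WorkspaceName = "law-breakglass"                             # placeholder
$ActionGroupId = "/subscriptions/<subscription-id>/resourceGroups/rg-security-monitoring/providers/microsoft.insights/actionGroups/ag-o365-admins"   # placeholder
$BreakGlassIds = @("00000000-0000-0000-0000-000000000001",    # placeholder Object IDs
                   "00000000-0000-0000-0000-000000000002")

Connect-AzAccount | Out-Null

# One query string for both the manual check and the alert, so they cannot drift apart.
# isfuzzy=true lets the union succeed even if the non-interactive table does not exist yet.
$idList = ($BreakGlassIds | ForEach-Object { '"' + $_ + '"' }) -join ", "
$query  = @"
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where UserId in ($idList)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType, ResultDescription
"@

$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# 1. Dry run over the last 7 days. Zero rows after a test sign-in means the diagnostic
#    setting is not flowing or the IDs are wrong, and the alert would never fire.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $query `
                                            -Timespan ([TimeSpan]::FromDays(7))
$rows = @($result.Results)
Write-Host "Break glass sign-ins in the last 7 days: $($rows.Count)"
$rows | Format-Table TimeGenerated, UserPrincipalName, IPAddress, ResultType -AutoSize

# 2. Scheduled query rule: every 5 minutes, look back 5 minutes, fire on any row.
#    Severity 0 is the highest; the period equals the frequency so no window is skipped.
$condition = New-AzScheduledQueryRuleConditionObject -Query $query `
                                                     -TimeAggregation "Count" `
                                                     -Operator "GreaterThan" `
                                                     -Threshold 0

New-AzScheduledQueryRule -Name "breakglass-signin" `
    -ResourceGroupName $ResourceGroup `
    -Location $ws.Location `
    -DisplayName "Break glass account sign-in" `
    -Description "Any interactive or non-interactive sign-in by an emergency access account" `
    -Scope $ws.ResourceId `
    -Severity 0 `
    -WindowSize ([TimeSpan]::FromMinutes(5)) `
    -EvaluationFrequency ([TimeSpan]::FromMinutes(5)) `
    -CriterionAllOf $condition `
    -ActionGroupResourceId $ActionGroupId
```

If the dry run prints zero rows right after you signed in with a break glass account, fix the diagnostic setting or the Object IDs before creating the rule; an alert that evaluates an empty query every five minutes costs money and tells you nothing.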
