IT Solutions for Corporate & Government Organisations
Don’t get locked out of your Office 365 tenant!
Even if you have multiple Office 365 admin accounts, there are plenty of worst case scenarios and edge cases that can cause you to temporarily, or even permanently lose access to your Office 365 tenant.
Perhaps your Global Administrator unexpectedly walks out, or maybe a network outage means your Office 365 admins cannot perform the Multi-Factor Authentication (MFA) required to access their accounts.
What are the consequences of your business losing access to essential software and services? You might get “lucky” and only experience a drop in productivity - or you might miss important client deadlines, lose revenue or experience an outage that’s noticed by every single one of your customers.
In this article, I’ll show you how to prepare for the worst case scenario, by creating a “break glass” account. By following the steps in this tutorial, you’ll be able to access your tenant and restore normal operations, even when your regular admin accounts are completely unavailable.
An emergency access, or “break glass” account is a highly privileged account that you use when it’s impossible to access your standard Office 365 accounts. For example, if your admin accounts are federated and federation is unavailable due to a cell-network break, then an emergency access account can help you regain access to your Office 365 tenant.
Since we’re preparing for edge cases and emergencies, at least one break glass account must be accessible at all times. To ensure this level of access, we recommend creating two or more cloud-only emergency access accounts that are not federated or synchronized from an on-premise environment.
You also shouldn’t associate your break glass account(s) with any specific employee or device, including hardware tokens. If you tie an emergency account to a particular person or device, then you’re creating a single point of failure that can prove disastrous in a real-world emergency.
To ensure your break glass account isn’t associated with any specific employee credentials, we’ll start by creating a brand new user account.
To create a new account, your Office 365 admin needs to:
● Sign into the Azure portal.
● Select “Azure Active Directory.”
● In the left-hand menu, select “Users.”
● Select “New User.”
● Make sure “Create user” is selected.
● In “Identity,” enter a random username.
● You can now complete the remaining fields, as normal.
When you’re happy with the information you’ve entered, click “Create.”
A break glass account must have the Global Administrator role assignment, so let’s assign global admin rights to the user account we just created:
● In Azure Active Directory, select “Users” followed by the name of your break glass account.
● In the left-hand menu, select “Assigned roles.”
While Conditional Access policies can help protect your confidential company data against malicious third parties, they can also block access to your break glass accounts.
If you use Conditional Access policies, then you should exclude at least one break glass account from all of these policies.
To exclude your break glass account from Conditional Access:
● Sign into the Azure AD Conditional Access console.
● Select the first Conditional Access policy from the list.
● In the “Assignments” section, select “Users and Groups.”
● Open the “Exclude” tab, and then select at least one of your break glass accounts.
● When you’re happy with your selection, click “Save.”
Rinse and repeat for all your Conditional Access policies.
A recent survey found that almost three quarters of data breaches involved access to a privileged account, making your break glass accounts a prime target for hackers.
Since your break glass accounts have global admin privileges, it’s essential that you take additional steps to keep these accounts secure.
Let’s ensure your Office 365 admins are notified every time someone signs into your break glass accounts. In this section, we’ll create a notification system that alerts your admins to any instances of unauthorized access, so they can respond to attacks against your break glass accounts immediately.
To implement a notification system, we first need to create an analytics workspace where Office will record all the activity on your break glass account(s).
To create a workspace, your Office 365 admin needs to:
● Sign into the Azure portal.
● Select “More services > Log Analytics workspaces > Add.”
● Under “Instance details,” give your workspace a descriptive name.
● Open the “Subscription” dropdown and choose the subscription that you want to associate with this workspace.
● In “Resource Group,” either select the existing group that you want to use, or click “Create new” to generate a new resource group.
● Open the “Location” dropdown and choose the location that you want to use.
● When you’re happy with the information you’ve entered, click “Review + Create.”
● Review the information you’ve just entered, and if you’re happy to proceed then click “Create.”
Azure will now create this workspace, and after a few moments you should see the following message: “Your deployment is complete.”
Now, we’re ready to start recording data to our workspace:
● Sign into the Azure portal.
● Select “Azure Active Directory.”
● In the left-hand menu, select “Diagnostic settings.”
● Select “Add diagnostic setting.”
● In “Diagnostic setting name,” give this setting a descriptive name.
● Under “Destination details,” select “Send to Log Analytics.”
● Open the “Log Analytics workspace” dropdown and select the workspace that you just created.
● Since we want to record all sign-in events, select the “SignInLogs” checkbox.
● Click “Save.”
After around 15 minutes, sign-in events should start appearing in your workspace. You can view this data, by logging into Azure Active Directory:
● Sign into the Azure portal.
● Select “Azure Active Directory.”
● In the left-hand menu, select “Logs.” This will launch the Log Analytics workspace.
Now we have our data, we’re ready to setup our sign-in alerts.
To setup sign-in alerts for your break glass accounts, you’ll need each account’s Object ID:
● Sign into the Azure portal.
● Select “Azure Active Directory.”
● In the left-hand menu, select “Users.”
● Select your break glass account.
● In the “Identity” section, find the “Object ID.” Make a note of this value.
If you have multiple break glass accounts, then repeat the above steps to acquire the Object ID for each account.
We can now use these Object IDs, to create our alert rules:
● In the Azure search bar, start typing “Log analytics workspace” and then select “Log analytics workspace” when it appears.
● Select the workspace that you created in the previous step.
● In the left-hand menu, select “Alerts.”
● Select “New alert rule.”
● Under “Condition,” click “Select condition.”
● Choose “Custom log search.”
● In the “Search query” section, enter the following - make sure to replace “object-id” with the ID you retrieved in the previous step:
SigninLogs | where UserId == "user-id"
Note that if you have multiple break glass accounts, then you can add the Object IDs for all these accounts, using the following format:
SigninLogs | where UserId == "user-id" or UserId == "user-id"
● Open the “Based on” dropdown and select “Number of results.”
● Open the “Operator” dropdown and select “Greater than.”
● In the “Threshold value” field, type “0.”
● Under “Evaluate based on,” specify how long this query should run, in minutes.
● In “Frequency,” specify how often this query should run.
● Select “Done,” and Azure will display an estimated monthly cost for this alert. Review this information, and decide whether you’re happy to proceed.
● Now, select the users who’ll receive this alert. You can either click “Select an action group” and then choose from the available groups, or you can create a new action group. For the purposes of this tutorial, I’ll be selecting all of my Office 365 admins.
● Under “Customize Actions,” select “Email subject.”
● In “Subject line,” create the email that’ll be sent to all of your Office 365 admins.
● Under “Alert Detail rules,” give this rule a descriptive name.
● Open the “Severity” dropdown and assign this rule a severity level. Since break glass accounts are privileged accounts, I recommend using “Sev 0,” as this is the highest severity level.
● Select “Enable rule upon creation.”
● If you’re happy with the information you’ve entered, then click “Create alert rule.”
And that’s it! All of your Office 365 admins will now receive an email, every time someone signs into your break glass account(s).
Share this article on social media
If you found this article useful, please share it on social media.
Subscribe to our blog...
We will only use your email to send you new blog posts.
Don’t get locked out. Creating an emergency break glass account for Office 365.Don’t get locked out of your Office 365 tenant! Even if you have multiple Office 365 admin accounts, there are plenty of worst case scenarios and edge cases that can cause you to temporarily, or even permanently lose access to your Office 365 tenant. Perhaps… Read More
Reduce help desk calls by 50% – How to enable Self Service Password ResetImagine the scenario: your employee is scrambling to meet a deadline for your most important customer, but when they try to log into their account they realise they’ve forgotten their password. Unfortunately, your Azure AD admin is in a completely different timezone and they’re… Read More
Artificial Intelligence. The Key to Reducing Workplace Distractions.Do you want to boost staff productivity by 50%? According to Gloria Mark, Professor in the Department of Informatics at the University of California, it takes 23 minutes and 15 seconds for an employee to regain focus following a distraction – so that quick, 30 second question could be… Read More
Are your privileged accounts putting your business at risk? According to a survey by security services provider Centrify, 66% of companies have been breached five times or more, and 74% of these breaches involved access to a privileged account. If a malicious third party manages to gain access to one of your privileged accounts, then the effects… Read More
Why digital transformation is key to post-COVID-19 economic recoveryThe COVID-19 pandemic has fundamentally changed the way we live and work. Now, with countries beginning to lift restrictions and non-essential shops starting to re-open, many businesses are taking stock of the past few months and wondering: Where do we go from here? The Coronavirus outbreak forced businesses to undergo… Read More
Loneliness. The biggest challenge facing your remote workforce.Working from home has lots of benefits, but it also has a dark side, with 20% of remote workers admitting they struggle with loneliness. While most people feel lonely at some point in their lives, long-term loneliness can be disastrous for your physical and mental health. Studies have shown that… Read More
COVID-19 causes rise in cyberattacks. How to close a dangerous security loophole. The number of cyberattacks has increased dramatically since the start of the COVID-19 pandemic. In the first quarter of 2020, fraud prevention specialists Arkose Labs recorded the highest ever number of attacks, with 445 million cyberattacks taking place within this period. “As face-to-face interactions dwindle, digital… Read More
Replace these 5 popular apps with a single Microsoft Teams accountHow do your employees communicate and collaborate with one another? Do they have easy access to an integrated platform that meets all of their co-working needs? Or do they use different applications for different tasks? If your employees use separate applications for sharing files, arranging meetings,… Read More
How tech is helping parents and carers work from homeWhen you imagined the life of a remote worker, chances are it involved working from adedicated home office, surrounded by all the comforts of home with zero distractions. You probably didn’t imagine being stuck in the house 24/7, trying to meet your deadlines whilealso having to deal… Read More
Flexible Working The Key to a Happier WorkforceAre your employees happy? According to a recent report, 88% of UK companies agree they have an emotional duty of care to their employees – so if your employees are unhappy, then it’s your job to do something about it! The report, undertaken by strategic insight agency Opinium, concluded… Read More
