Best Practice: Create a break-glass admin account

I infrequently write about the different best practices that might sometimes be overlooked within Microsoft cloud deployments. This week, I want to highlight the urgency and criticality of having and maintaining a break-glass admin account.

What is it?

A break-glass admin account is an account you do not usually need to use. It’s for those moments when things do not work as expected, and you need to access your Azure and Microsoft 365 tenants as a global admin.

It’s different from your day-to-day administrative accounts in that it has to conform to the following specifications:

  • It has to be a cloud-only identity (i.e. not federated with your on-premises directory)
  • It must use the .onmicrosoft.com domain in its UPN (i.e. not a custom domain)
  • It must have a complex password (as all of your accounts should, but this one even more so)
  • You have to carefully consider which strong authentication approach to use

But why? For starters, when things start to fail – such as your identity synchronization setup breaking – you need an account that can bypass any of your federated authentication setups. For this reason, it must be a cloud-only identity in the form of account@tenant.onmicrosoft.com.

The complex password requirement is obvious. This account is rarely used, so the password must be extra secure.

Strong authentication considerations

Lastly, you need to evaluate the best approach for securing this account beyond a regular password. This is a bit more challenging to plan for, because this account should be excluded from the MFA requirements that apply to all your standard accounts: if the MFA infrastructure has deteriorated, you can still access your tenant. At the same time, you have the opportunity to use a FIDO2-based physical security key if that suits your current setup.

If your regular users are forced to use MFA, consider using a passwordless approach for this account. See here for in-depth considerations on MFA dependencies.

Can you leave the break-glass admin account without MFA or equivalent? Perhaps, but it isn’t recommended – even if you utilize a strong and complex password. In either case, store the password securely somewhere fail-safe. I find that a post-it note works well, but it has to be divided into 2-3 pieces, and each piece has to be in a separate (but accessible) location.
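The specification above (cloud-only, .onmicrosoft.com UPN, excluded from the MFA policies that apply to everyone else) is something you can verify rather than assume. The following is an added example, not code from this post: a small Python check that reads a user object and the Conditional Access policies as returned by Microsoft Graph and reports every deviation from the spec. The user and policy objects are constructed sample data shaped like Graph responses, and the GUIDs are made up.

```python
# Constructed sample data shaped like Microsoft Graph objects (/users and
# /identity/conditionalAccess/policies); hand-made, not output from a real tenant.
BG_ID = "11111111-1111-1111-1111-111111111111"  # made-up object id of the break-glass user
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BG_ID]}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BG_ID]}}},
]
GOOD_USER = {"id": BG_ID,
             "userPrincipalName": "breakglass@contoso.onmicrosoft.com",
             "accountEnabled": True, "onPremisesSyncEnabled": None,
             "onPremisesImmutableId": None}
BAD_USER = {"id": "22222222-2222-2222-2222-222222222222",
            "userPrincipalName": "emergency@contoso.com",
            "accountEnabled": True, "onPremisesSyncEnabled": True,
            "onPremisesImmutableId": "AbCdEf=="}


def check_break_glass(user: dict, ca_policies: list) -> list:
    """Return findings where the account deviates from the break-glass spec.

    An empty list means the account is cloud-only, lives on the .onmicrosoft.com
    domain, is enabled, and is excluded from every enforced Conditional Access policy.
    """
    findings = []
    upn = user.get("userPrincipalName", "")
    # Cloud-only: a synced account carries either of these on-premises markers.
    if user.get("onPremisesSyncEnabled") or user.get("onPremisesImmutableId"):
        findings.append("account is synchronized from on-premises; must be cloud-only")
    # UPN must sit on the tenant's initial domain, never a custom (possibly federated) one.
    if not upn.lower().endswith(".onmicrosoft.com"):
        findings.append(f"UPN {upn!r} is not on the .onmicrosoft.com domain")
    if not user.get("accountEnabled", False):
        findings.append("account is disabled")
    # The account must be excluded (by object id) from every enforced policy; otherwise a
    # broken MFA path locks the emergency account out together with everyone else.
    for pol in ca_policies:
        excluded = pol.get("conditions", {}).get("users", {}).get("excludeUsers", [])
        if pol.get("state") == "enabled" and user.get("id") not in excluded:
            findings.append(f"not excluded from Conditional Access policy {pol.get('displayName')!r}")
    return findings


if __name__ == "__main__":
    for u in (GOOD_USER, BAD_USER):
        print(u["userPrincipalName"], check_break_glass(u, POLICIES) or "OK")
```

Run the same check as part of the periodic test of the account so that a policy change that silently re-scopes the break-glass user into an MFA policy is caught before you need the account.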

In closing

Maintaining a break-glass admin account is highly useful when you require emergency access to your Azure and Microsoft 365 tenants. Test this account frequently to ensure it works and that the procedure for retrieving the password (and strong authentication details) works as planned.