How and why you should set up an Azure AD Break the Glass account
Valentin Komarovskiy, MBA
Solving complex business problems and alleviating technical pain points to improve efficiency and reduce risks.
A "break the glass" account is a security best practice: an emergency access account that is used only in critical situations, such as when regular access methods fail, or during security incidents in which the regular privileged accounts and roles have been compromised. These accounts are typically highly privileged and are meant to be used in an emergency only.
Some scenarios where "break the glass" access is essential:
- Microsoft Authenticator MFA is unavailable, and none of your Global Admins can log in because MFA is required for access
- A bad actor compromises one of your Global Admin accounts, or one of the Privileged Role Administrator accounts, and removes all accounts from those groups
- A bad actor compromises an account that is able to reset the passwords of Global Admins and resets everyone's passwords
- A bad actor takes over an account that owns an application with Global Admin privileges, takes over your tenant, and removes all members from all privileged roles
- A bad actor takes over a service principal with customized privileges that allow it to remove or lock out all visible privileged accounts
Whether each Azure Active Directory (Azure AD) subscription should have a "break the glass" account depends on your organization's security requirements and risk assessment. Here are some factors to consider:
Risk Management: Consider the potential risks and impact of not having emergency access in case of critical situations. If a regular administrative account becomes compromised or inaccessible, having a "break the glass" account can help regain control and mitigate potential damage.
Access Control: Azure AD subscriptions contain critical user and identity management functions for an organization's Azure resources. Having a highly controlled, separate account that's only used for emergencies can reduce the likelihood of unauthorized access or misuse.
Incident Response: In the event of a security incident or breach, having a dedicated "break the glass" account can facilitate a more controlled and monitored response, as the usage of this account can be logged and audited.
Principle of Least Privilege: The "break the glass" account should follow the principle of least privilege, meaning it should have only the permissions necessary to perform emergency tasks. This minimizes the potential impact if the account itself is compromised.
Securing the Account: The "break the glass" account should be created with strong authentication mechanisms, such as multi-factor authentication (MFA), and its credentials should be stored securely. Regularly review and update the security settings of this account. A recovery e-mail or SMS should be used as the second authentication factor; this allows access when (not if) Microsoft Authenticator is unavailable.
Organizational Policy: Consider whether your organization's policies or industry regulations require the presence of such accounts. Compliance requirements can influence the decision.
Usability vs. Security: Balancing the need for emergency access with the security risks associated with privileged accounts is crucial. Striking the right balance ensures that the "break the glass" account is available when needed while minimizing the risk of unauthorized access. I recommend creating the "break the glass" account as a custom RBAC role account. This way you can grant customized privileged access without the group-membership visibility that Global Admin role members have.
Creating a custom RBAC (Role-Based Access Control) role in Azure AD that has all the permissions of a Global Admin without being visibly listed as a member of the Global Admins group involves a few steps.
How break the glass account should be created:
Create a Custom Role: Start by creating a custom role in Azure AD that includes the permissions you want. For this, you'll be working with Azure PowerShell or Azure CLI. Use the New-AzureADMSRoleDefinition (PowerShell) or az ad role definition create (Azure CLI) command. Define your custom role with the permissions you need.
Understand Global Admin Permissions: Review the permissions assigned to the Global Admin role. This can be done using PowerShell, Azure CLI, or through the Azure portal. Understand the permissions that need to be replicated.
Assign the Custom Role: Assign the custom role to the users or service principals who need those permissions. You can use PowerShell or Azure CLI to assign the role. Make sure to test the assigned permissions to ensure they match your requirements.
Avoid Visibility: To avoid the new role members being listed under the Global Admins group, you will likely need to suppress the visibility of these members. This is achieved via custom RBAC role delegation.
Monitor and Audit: Since this approach involves custom configurations and potentially bypassing visibility controls, it's crucial to closely monitor and audit the permissions and activities of these custom roles. Make sure that any sign-in by this "break the glass" account immediately triggers alerts to notify your organization of the access.
Regular Review: Periodically review and update the permissions assigned to the custom role. Continuously assess whether the permissions granted are still necessary, and if not, remove them to maintain the principle of least privilege.
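The steps above, carried through end to end in PowerShell. This is an added example, not code from the article or from Microsoft: it reviews the Global Administrator actions, defines a custom role, creates a cloud-only break-glass account, assigns the role at tenant scope, verifies the account does not appear among Global Administrator assignments, and pulls its recent sign-ins for alerting. It assumes the AzureAD module (AzureADPreview for the sign-in log step) and an existing Connect-AzureAD session; the tenant domain, UPN, display names and role name are placeholders. Only the actions on Microsoft's custom-role permission list are accepted by New-AzureADMSRoleDefinition, so the action set below is an assumed starting point to be checked against that list, not a full copy of Global Administrator.

```powershell
# Added example (not from the article). Assumes Connect-AzureAD has been run.
$tenantDomain  = 'contoso.onmicrosoft.com'            # placeholder
$breakGlassUpn = "emergency-access-01@$tenantDomain"  # placeholder
$roleName      = 'Emergency Access Administrator'     # assumed custom role name

# Step 1: review what Global Administrator grants.
# 62e90394-69f5-4237-9190-012177145e10 is the well-known Global Administrator template ID.
$globalAdmin = Get-AzureADMSRoleDefinition |
    Where-Object { $_.TemplateId -eq '62e90394-69f5-4237-9190-012177145e10' }
Write-Output "Global Administrator grants $($globalAdmin.RolePermissions.AllowedResourceActions.Count) actions:"
$globalAdmin.RolePermissions.AllowedResourceActions | Sort-Object

# Step 2: define the custom role. Assumed subset: application and group management,
# which is enough to take back control of app owners and role-eligible groups.
# Verify each action against Microsoft's custom-role permission reference first.
$allowedResourceActions = @(
    'microsoft.directory/applications/allProperties/allTasks',
    'microsoft.directory/servicePrincipals/allProperties/allTasks',
    'microsoft.directory/groups/allProperties/allTasks'
)
$rolePermissions = @{ 'allowedResourceActions' = $allowedResourceActions }

$customRole = New-AzureADMSRoleDefinition `
    -DisplayName     $roleName `
    -Description     'Emergency access only. Every sign-in must page the security team.' `
    -TemplateId      (New-Guid).Guid `
    -IsEnabled       $true `
    -RolePermissions $rolePermissions

# Step 3: create the cloud-only account. The password is typed in once and goes
# into the sealed vault; it is never stored in a script. Expiration is disabled
# so the account cannot lock itself out during the emergency it exists for.
$passwordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$passwordProfile.Password = Read-Host -Prompt 'Break-glass password (record it in the sealed vault)'
$passwordProfile.ForceChangePasswordNextLogin = $false

$user = New-AzureADUser `
    -DisplayName       'Emergency Access 01' `
    -UserPrincipalName $breakGlassUpn `
    -MailNickName      'emergency-access-01' `
    -AccountEnabled    $true `
    -PasswordProfile   $passwordProfile `
    -PasswordPolicies  'DisablePasswordExpiration'

# Step 4: assign the custom role at tenant scope ('/').
New-AzureADMSRoleAssignment `
    -DirectoryScopeId '/' `
    -RoleDefinitionId $customRole.Id `
    -PrincipalId      $user.ObjectId

# Step 5: verify the assignment, and confirm the account is NOT a Global Administrator
# assignment (the visibility point from the article).
$ownAssignments = Get-AzureADMSRoleAssignment -Filter "principalId eq '$($user.ObjectId)'"
$gaAssignments  = Get-AzureADMSRoleAssignment -Filter "roleDefinitionId eq '$($globalAdmin.Id)'"
if ($ownAssignments.RoleDefinitionId -notcontains $customRole.Id) {
    Write-Warning "Custom role assignment for $breakGlassUpn is missing."
}
if ($gaAssignments.PrincipalId -contains $user.ObjectId) {
    Write-Warning "$breakGlassUpn is listed as a Global Administrator; check the assignments."
} else {
    Write-Output "$breakGlassUpn holds '$roleName' and is not listed under Global Administrator."
}

# Step 6: monitoring. Requires AzureADPreview for Get-AzureADAuditSignInLogs.
# Any row here is an event to alert on; use the same UPN filter in the SIEM rule
# so each sign-in by this account pages the security team.
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '$breakGlassUpn'" -Top 10 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed
```

Run Step 1 on its own first and compare the printed action list with what your emergency runbook actually requires; anything the custom role cannot carry (Global Administrator actions outside the custom-role list) has to be covered by the runbook some other way, which is the "regular review" the article asks for.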
If you need help reviewing your existing privileged access and setting up a break the glass account, please reach out to me, I am happy to help.
Complacent=Hacked