1.1.2 Ensure two emergency access accounts have been defined

Information

Emergency access or 'break glass' accounts are limited to emergency scenarios where normal administrative accounts are unavailable. They are not assigned to a specific user and have a combination of physical and technical controls to prevent them from being accessed outside a true emergency. These emergencies could be due to several things, including:

Technical failures of a cellular provider or Microsoft related service such as MFA.

The last remaining Global Administrator account is inaccessible.

Ensure two Emergency Access accounts have been defined.

Note: Microsoft provides several recommendations for these accounts and how to configure them. For more information on this, please refer to the references section. The CIS Benchmark outlines the more critical things to consider.

Rationale:

In various situations, an organization may require the use of a break glass account to gain emergency access. In the event of losing access to administrative functions, an organization may experience a significant loss in its ability to provide support, lose insight into its security posture, and potentially suffer financial losses.

Impact:

If care is not taken in properly implementing an emergency access account, this could weaken the security posture. Microsoft recommends excluding at least one of these accounts from all conditional access rules; therefore passwords must have sufficient entropy and length to protect against random guesses. FIDO2 security keys may be used instead of a password for a secure passwordless solution.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Step 1 - Create two emergency access accounts:

Navigate to Microsoft 365 admin center https://admin.microsoft.com

Expand Users > Active Users

Click Add user and create a new user with these criteria:

Name the account in a way that does NOT identify it with a particular person.

Assign the account to the default .onmicrosoft.com domain and not the organization's.

The password must be at least 16 characters and generated randomly.

Do not assign a license.

Assign the user the Global Administrator role.

Repeat the above steps for the second account.

Step 2 - Exclude at least one account from conditional access policies:

Navigate to Microsoft Entra admin center https://entra.microsoft.com/

Expand Protection > Conditional Access.

Inspect the conditional access policies.

For each rule add an exclusion for at least one of the emergency access accounts.

Users > Exclude > Users and groups and select one emergency access account.
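Because Nessus does not perform this check, the following script is an added audit example (not from the CIS Benchmark or Tenable) that verifies the Step 1 account criteria and the Step 2 conditional access exclusions with the Microsoft Graph PowerShell SDK. The two UPNs are assumed placeholders; the Global Administrator check only sees active (permanent) role assignments, so PIM-eligible assignments are reported as findings to review rather than silently passed. A conditional access exclusion via a group is accepted, and the group is flagged if it is not role-assignable, in line with the warning in Step 3.

```powershell
# Added audit example: checks emergency access accounts against the Step 1 and
# Step 2 criteria. Requires the Microsoft.Graph PowerShell SDK.
param(
    [string[]]$EmergencyUpns = @(
        'breakglass01@contoso.onmicrosoft.com',   # assumed placeholder UPN
        'breakglass02@contoso.onmicrosoft.com'    # assumed placeholder UPN
    )
)

Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All','Policy.Read.All' | Out-Null

$findings = [System.Collections.Generic.List[string]]::new()

# --- Step 1: two accounts, default domain, no license, Global Administrator ---
$gaRole      = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMemberIds = @()
if ($gaRole) {
    # Active role members only; PIM-eligible assignments are not listed here
    $gaMemberIds = @((Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id)
}

$accounts = @{}   # userId -> UPN
foreach ($upn in $EmergencyUpns) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" `
                    -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses
    if (-not $u) { $findings.Add("$upn does not exist"); continue }
    $accounts[$u.Id] = $upn

    if ($upn -notlike '*.onmicrosoft.com') { $findings.Add("$upn is not on the default .onmicrosoft.com domain") }
    if ($u.AssignedLicenses.Count -gt 0)   { $findings.Add("$upn has a license assigned") }
    if (-not $u.AccountEnabled)            { $findings.Add("$upn is disabled") }
    if ($gaMemberIds -notcontains $u.Id) {
        $findings.Add("$upn has no active Global Administrator assignment (review if PIM-eligible)")
    }
}
if ($accounts.Count -lt 2) { $findings.Add('Fewer than two emergency access accounts were found') }

# --- Step 2: every enabled CA policy excludes at least one emergency account ---
# Exclusion may be direct (ExcludeUsers) or through a group (ExcludeGroups).
$groupMembers = @{}   # cache: groupId -> member ids
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($p.State -ne 'enabled') { continue }
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    foreach ($gid in @($p.Conditions.Users.ExcludeGroups)) {
        if (-not $groupMembers.ContainsKey($gid)) {
            $g = Get-MgGroup -GroupId $gid -Property Id,DisplayName,IsAssignableToRole
            if (-not $g.IsAssignableToRole) {
                # A plain security group lets Group Administrators add members and bypass CA
                $findings.Add("Policy '$($p.DisplayName)' excludes group '$($g.DisplayName)', which is not role-assignable; confirm it is managed by PIM for Groups")
            }
            $groupMembers[$gid] = @((Get-MgGroupMember -GroupId $gid -All).Id)
        }
        $excluded += $groupMembers[$gid]
    }
    $covered = @($accounts.Keys | Where-Object { $excluded -contains $_ })
    if ($covered.Count -eq 0) {
        $findings.Add("Policy '$($p.DisplayName)' excludes none of the emergency access accounts")
    }
}

if ($findings.Count -eq 0) {
    'PASS: emergency access accounts meet the checked criteria'
} else {
    'FAIL:'
    $findings | ForEach-Object { " - $_" }
}
```

Run it from a session with the listed Graph read scopes consented; it makes no changes to the tenant. Policies in report-only state are skipped because they do not enforce controls, and the password and FIDO2 storage requirements of Step 3 are physical and procedural controls that cannot be verified from the directory.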

Step 3 - Ensure the necessary procedures and policies are in place:

In order for accounts to be effectively used in a break glass situation, the proper policies and procedures must be authorized and distributed by senior management.

FIDO2 Security Keys, if used, should be locked in a secure separate fireproof location.

Passwords should be at least 16 characters, randomly generated, and MAY be split into multiple pieces to be joined in an emergency.

Note: Additional suggestions for emergency account management:

Create access reviews for these users.

Exclude users from conditional access rules.

Warning: If CA (conditional access) exclusion is managed by a group, this group should be added to PIM for groups (licensing required) or be created as a role-assignable group. If it is a regular security group, then users with the Group Administrators role are able to bypass CA entirely.

Default Value:

Not defined.

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2

Plugin: microsoft_azure

Control ID: a3c8afc2df9ffddeef41b1fa94572ae8f2a1eabac2b5624b4df5857ba4557461