Tutorial / Cram Notes
Break-glass accounts are special accounts with privileges high enough to reach systems and data during an emergency, such as when the primary access management system fails or during a security breach. For individuals preparing for the SC-300 Microsoft Identity and Access Administrator exam, understanding how to create and manage these accounts is essential because of their role in an organization's resilience and recovery planning.
Understanding Break-Glass Accounts
Break-glass accounts are typically not used for day-to-day work but are reserved for critical situations where normal administrative accounts are not accessible. These accounts should have strong security measures to prevent unauthorized use and should be monitored closely.
When creating break-glass accounts on Azure AD or other Microsoft services, certain best practices should be followed:
- Only create the minimum number of break-glass accounts necessary to ensure business continuity. The fewer such accounts exist, the lower the risk of one being misused.
- Enforce strong password policies, ideally using a passphrase that’s complex and lengthy. Additionally, consider hardware-based multi-factor authentication (MFA) devices that cannot be easily duplicated or bypassed.
- Break-glass accounts should not be associated with any individual user’s regular identity and should not be used for routine administrative tasks.
- Limit permissions to what is absolutely necessary to perform emergency tasks, following the principle of least privilege.
- Implement an auditing and monitoring solution to ensure all actions taken with break-glass accounts are logged and reviewed.
- Regularly review the need for each break-glass account, revising or revoking access as necessary. Regularly change passwords and re-confirm the necessity of the MFA devices being used.
Creating a Break-Glass Account in Azure AD
- Ensure that Multi-Factor Authentication is set for the account. Although this is an emergency account, security should never be compromised.
Account Configuration:
- Set a unique and complex password.
- Assign only the necessary administrative roles.
- Exclude the account from Conditional Access policies that can potentially lock out administrators.
- Document the account creation, purpose, and access protocol. Store this documentation securely and ensure it is accessible by those who may need it in an emergency.
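The steps above, carried out with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original notes and not Microsoft's own sample code. The tenant domain, the account name bg-admin-01, the choice of Global Administrator as the emergency role, and the way the Conditional Access exclusion is written back (the whole conditions object is resent with the new exclusion appended) are assumptions; test the exclusion loop against a single non-production policy before running it across a tenant.

```powershell
# Added example (not part of the original cram notes): provision an Azure AD /
# Entra ID break-glass account with the Microsoft Graph PowerShell SDK, give it a
# direct Global Administrator assignment, and exclude it from every Conditional
# Access policy. Tenant domain and account name are assumptions; replace them.
# Prerequisite: Install-Module Microsoft.Graph

$tenantDomain = "contoso.onmicrosoft.com"          # assumption: your tenant
$mailNickname = "bg-admin-01"                      # assumption: your naming scheme
$upn          = "$mailNickname@$tenantDomain"

$scopes = @(
    "User.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Policy.ReadWrite.ConditionalAccess"
)
Connect-MgGraph -Scopes $scopes

# Generate a long random passphrase locally. It is shown once so it can be sealed
# offline (the secure record described in the notes); it is never written to disk here.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

# Cloud-only account, not tied to any person's identity, and no forced password
# change: nobody can "change it on next sign-in" in the middle of an outage.
$user = New-MgUser -DisplayName "Emergency Access 01" `
                   -UserPrincipalName $upn `
                   -MailNickname $mailNickname `
                   -AccountEnabled `
                   -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# Permanent, direct role assignment rather than a PIM-eligible one: the account
# must keep working when PIM or Conditional Access is the component that failed.
$gaRole = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
                                            -RoleDefinitionId $gaRole.Id `
                                            -DirectoryScopeId "/" | Out-Null

# Exclude the account from every Conditional Access policy so a misconfigured or
# broken policy cannot lock it out. Assumption: resending the policy's existing
# conditions with the extra exclusion leaves the rest of the policy unchanged.
foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $excluded = @($policy.Conditions.Users.ExcludeUsers)
    if ($excluded -contains $user.Id) { continue }
    $policy.Conditions.Users.ExcludeUsers = $excluded + $user.Id
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
                                             -Conditions $policy.Conditions
    Write-Host "Excluded $upn from policy '$($policy.DisplayName)'"
}

Write-Host "Created $upn (object id $($user.Id)). Record this passphrase offline now:"
Write-Host $password
```

The passphrase is generated from the platform CSPRNG rather than typed by an administrator so that it has no connection to anyone's personal password habits, and it is printed exactly once so the only copy ends up in the sealed record, not in shell history or a script file. Registering the hardware MFA token the notes call for is done separately by the token owner; it is not part of the provisioning script.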
Managing Break-Glass Accounts
For management purposes, keep a secure and updated record of the following details:
| Detail | Description |
|---|---|
| Account Username | Unique identifier for the break-glass account. |
| Purpose | Reason for the account's existence and expected use cases. |
| Access Protocol | Step-by-step procedures on how and when to use the account. |
| Last Password Change | Date when the password was last changed. |
| Auditing Information | Records of access and actions taken with the account. |
Usage Protocol
Develop a clear and concise protocol for utilizing break-glass accounts, which includes:
- Identification of situations where the use of a break-glass account is warranted.
- Steps for obtaining approval to use the account.
- Procedures to access the system using the break-glass account.
- Immediate steps to alert the security team once access is gained for monitoring purposes.
- Post-incident actions, such as changing the password after use and documenting the reason for and actions taken during the use of the account.
Example Emergency Scenario
In a situation where Azure AD Conditional Access policies are not functioning properly, and primary admin accounts are locked out, a break-glass account would be used. The authorized personnel would authenticate with the strong passphrase and hardware MFA token, gain access to the Azure portal, and begin diagnosing the issue with Azure AD.
The security team would be immediately notified of the account usage. They would monitor the actions taken in real-time to ensure no unauthorized operations are performed. Following the resolution of the issue, the password for the break-glass account would be changed, and an incident report documenting the use of the account would be created.
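The monitoring and post-incident parts of the usage protocol and the scenario above, implemented with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original notes and not Microsoft's own sample code. The account UPN, the 24-hour look-back window and the CSV file name are assumptions. It relies on the fact that a break-glass account is never used routinely: any sign-in at all, successful or failed, is the alert condition.

```powershell
# Added example (not part of the original cram notes): detect use of the
# break-glass account, collect what it did for the incident report, then rotate
# its passphrase and revoke leftover sessions. UPN and look-back are assumptions.
# Prerequisite: Install-Module Microsoft.Graph

$upn   = "bg-admin-01@contoso.onmicrosoft.com"      # assumption: your break-glass UPN
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "User.ReadWrite.All"

# 1. Detection: this account is never used for day-to-day work, so ANY sign-in
#    is an alert condition. Run on a schedule, or immediately after a reported use.
$signIns = @(Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since")
if ($signIns.Count -eq 0) {
    Write-Host "No sign-ins for $upn since $since"
} else {
    Write-Warning "BREAK-GLASS ACCOUNT USED: $($signIns.Count) sign-in(s) for $upn since $since"
    $signIns |
        Select-Object CreatedDateTime, IpAddress, AppDisplayName,
            @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure $($_.Status.ErrorCode)" } } } |
        Format-Table -AutoSize
}

# 2. Post-incident evidence: every directory change the account initiated,
#    exported for the incident report required by the usage protocol.
$audit = @(Get-MgAuditLogDirectoryAudit -All `
    -Filter "initiatedBy/user/userPrincipalName eq '$upn' and activityDateTime ge $since")
$report = ".\breakglass-incident-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"   # assumption: report location
$audit | Select-Object ActivityDateTime, ActivityDisplayName, Category, Result |
    Export-Csv -Path $report -NoTypeInformation
Write-Host "$($audit.Count) directory change(s) written to $report"

# 3. Rotate the credential: new random passphrase (recorded offline again) and
#    revoke any refresh tokens the emergency session left behind.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $false }
Revoke-MgUserSignInSession -UserId $upn | Out-Null
Write-Host "Passphrase rotated for $upn; record the new value offline now:"
Write-Host $newPassword
```

In production the detection half would not be a script someone remembers to run: the sign-in log is exported to a SIEM or Azure Monitor workspace and a high-priority alert fires on the first matching event, so the security team is paged while the emergency session is still open. The script is the same check expressed in a form you can run by hand during the post-incident review.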
In summary, for the SC-300 Microsoft Identity and Access Administrator exam, understanding how to effectively create and manage break-glass accounts is vital for emergency access and ensures that even during critical failures or security incidents, the integrity and accessibility of the system remain intact. Technical skills should be matched with procedural knowledge to ensure these powerful accounts are a boon to security, not a hidden vulnerability.
Practice Test with Explanation
True/False: Break-glass accounts should be configured with multi-factor authentication (MFA).
- Answer: False
Break-glass accounts are designed to be used in emergency situations where normal authentication methods (like MFA) may be unavailable. These accounts have high privileges and are kept secure by other means, such as not being used on a regular basis and being monitored closely.
Which of the following is a recommended practice for securing break-glass accounts?
- A) Assign them to a regular user group.
- B) Store their passwords in a secure location, such as a physical safe.
- C) Ensure they have the same permissions as regular admin accounts.
- D) Use them periodically for non-emergency tasks to ensure they are working.
Answer: B
Break-glass account passwords should be stored in a secure location, which could be a physical safe, to prevent unauthorized access and ensure they are only used during emergency situations.
True/False: Break-glass accounts should be regularly reviewed and certified.
- Answer: True
Break-glass accounts should undergo regular reviews and certifications to ensure they remain secure and the associated risks are managed properly.
How often should break-glass account credentials be rotated?
- A) Every 30 days
- B) Only after they have been used
- C) Every 90 days
- D) Once a year
Answer: B
Break-glass account credentials should be rotated immediately after they have been used to maintain their integrity and ensure they are secure.
True/False: Break-glass accounts can be assigned permanent permissions for convenience.
- Answer: False
Break-glass accounts should not be assigned permanent permissions. They should have permissions assigned only when needed and removed immediately after the emergency is resolved to limit the risk of abuse.
True/False: Audit logs for break-glass account usage should be disabled to prevent traceability issues.
- Answer: False
Audit logs should be enabled for break-glass accounts to ensure all usage is traceable and can be reviewed in the aftermath of an emergency.
What type of notification should be configured for use of a break-glass account?
- A) No notification is needed.
- B) Normal priority notification.
- C) High priority or immediate alert.
- D) Annual summary notification.
Answer: C
High priority or immediate alerts should be configured for the use of break-glass accounts to ensure that any usage is quickly identified and can be responded to in a timely manner.
True/False: It is acceptable to share break-glass account credentials among team members.
- Answer: False
Break-glass account credentials should not be shared among team members as this would compromise the security of the account. Credentials should be kept secure and only made available to individuals on a need-to-know basis.
For accountability, what should be associated with break-glass account activities?
- A) Username of the person using the account
- B) Time and date stamp only
- C) Unique identifier for each use
- D) Both A and C
Answer: D
Each use of a break-glass account should be associated with the username of the person using the account and a unique identifier to ensure full accountability and traceability.
True/False: Enabling detailed auditing for break-glass accounts can quickly lead to log storage issues.
- Answer: False
While enabling detailed auditing will generate more logs, it is important for forensic purposes. The value of maintaining a comprehensive record outweighs the concern of log storage, which should be proactively managed.
What should be done with break-glass accounts after an incident has been resolved?
- A) Leave the account enabled for future use.
- B) Disable the account until the next incident.
- C) Delete the account to prevent misuse.
- D) Perform a full account review, rotate the password, and disable until next use.
Answer: D
After an incident, break-glass accounts should undergo a full review, have their passwords rotated, and be disabled until their next use to ensure they remain secure.
True/False: Regular users should be informed about the purpose and usage policies of break-glass accounts.
- Answer: True
While regular users should not have access to break-glass accounts, it is important for them to be aware of the purpose and usage policies as part of an organization’s overall security awareness and training program.
Interview Questions
What are break-glass accounts, and when are they typically used?
Break-glass accounts are emergency access accounts that are used to access critical systems or resources in the event of an emergency, such as a cyber-attack or natural disaster. They are typically used when standard authentication methods fail or are unavailable.
How can break-glass accounts be created in Azure AD?
Break-glass accounts can be created manually or using automated tools such as PowerShell in Azure AD.
What access controls should be set up for break-glass accounts?
Role-based access controls, multi-factor authentication, and other security measures should be set up for break-glass accounts to ensure that only authorized users can access them.
How should break-glass accounts be monitored and reviewed?
Break-glass accounts should be monitored and reviewed on a regular basis to ensure they are being used appropriately and to detect any potential security issues.
Why is it important to rotate passwords for break-glass accounts?
It’s important to rotate passwords for break-glass accounts on a regular basis to prevent unauthorized access.
What is just-in-time access, and how can it be used for break-glass accounts?
Just-in-time access can be used to provide temporary access to break-glass accounts, reducing the risk of unauthorized access.
When should break-glass accounts be disabled or deleted?
Break-glass accounts should be disabled or deleted when they are no longer needed to prevent unauthorized access.
How can break-glass accounts be integrated with Microsoft Cloud App Security?
Break-glass accounts can be integrated with Microsoft Cloud App Security to provide additional security controls.
What is the role of Azure AD Privileged Identity Management in managing break-glass accounts?
Azure AD Privileged Identity Management provides a centralized platform for managing break-glass accounts and ensuring that they are used appropriately.
How can you ensure that break-glass accounts are not abused?
To ensure that break-glass accounts are not abused, it’s important to limit the number of users who have access to them, set up access controls, and monitor them on a regular basis.
Great blog post! So helpful in understanding break-glass accounts.
How often should break-glass accounts be audited to ensure they are not being misused?
Can someone explain the principle of least privilege in the context of break-glass accounts?
Appreciate the clear explanations on this blog post.
We’ve experienced unauthorized access using break-glass accounts. What additional security measures can be implemented?
Using Privileged Identity Management (PIM) with break-glass accounts can add another layer of security.
Is it a good idea to have more than one break-glass account?
Well written but could use more examples.