Azure AD Break Glass Account: How to monitor sign ins, and why do you need one?

With the growing threats around the world everyday, bad actors are targeting Microsoft 365 ecosystem like never before. Attacks are taking place everyday and if and when they have breached in, their end goal is to go for the “keys to the kingdom”. Usually its just the end of the story when they get them. Meaning the bad actors can basically do whatever the can and harm that companies M365 related activates or ask for a ransom to release the accounts. Either way its not for the organization and admins should have a proper and a quick way to recover the accounts ASAP.

What about your existing cloud admin accounts?

It is highly recommended to enable all sorts of protection features on the Global Admin accounts and on the RBAC accounts.
MFA
PIM for Admin Roles
Risk based Conditional Access Polices


🚨The Break Glass Account🚨

The Break Glass account on the other hand is something very different and ideally no need to enforce protection to a deeper level. Well that’s for a reason. As the name implies its the “Break Glass Account” it should be your “Hail Mary” and it should be your “Last Resort”. So when the things started going haywire, you should have to have that piece of mind to get the M365 services back online ASAP. Lets discuss some key features of this account,

  • As explained previously, the Break Glass Accounts (BGA) must be there in an environment as the last resort to login in an attack event

  • NOT TO BE USED by any admin person for day to day tasks. This is the last resort account. You don’t need to use it for your daily admin tasks

  • According to Microsoft’s best practice it’s not recommended to use a federated or AD synced account as there can be issues with federation or AAD Sync or Passthrough Auth agent etc.

  • Account to be created with the .onmicrosoft.com domain – This is the best way forward as chances are you may lose access to your registered domain

  • Password – Set to not expire for this account

  • Enabling a strong authentication is a good idea just to protect the account being compromised. Read my post on How to setup FIDO

  • Should be just as a standard username – No special names, descriptions so in an attack, the actor doesn’t know about this account

  • MFA not to be activated – In a breach situation, things should happen as soon as possible to recover the environment and if you have blockers in front of the Break Glass account, it can slow down the process ad also if the MFA service didn’t work or the enrolled mobile phone had issues, admins won’t be able to complete the task. So this should be a direct account as adding a barrier can be an issue in an attack.

  • Permanent Global Admin access state in Microsoft 365 portal but not the state as “Eligible”

  • Not to add any Conditional Access Polices or not to add to any trusted networks – Same as the reason why you don’t want to have MFA on this account.
    Example: Conditional Access Policies like Geo Blocking (known networks) should not be setup

  • Password to be in a safe box (not LastPass or any other 3rd party Password Manager programs) and divide the password in to 2 sections and keep it in 2 different places.
    This is optional if you are not using FIDO2 Auth method

  • Enable monitoring and alerting on the account using Log Analytics – This is an important factor. Because you are not setting MFA or any Conditional Access Polices, monitoring the sign-in behaviour for these type of accounts is essential.(AAD P2 required) for this account so this can be monitored if needed

  • Reset the password at least every 90 days time or when a IT Team member who previously had access to BGA leaves the organization

Setup Azure AD Alerting and Reporting on the BGA using Log Analytics

Go to Azure AD > Users > Search for the BGA > Take note of the Object ID

Create the Log Analytics Workspace in the Azure Subscription

3. In the previously created Log Analytics Workspace, go to Alerts under Monitoring and select Create New Alert Rule

Go to Conditions > Add Condition > Select Custom Log Search

In the Search Query box, enter the below code

SigninLogs
| project UserId
| where UserId == “f66e7317-2ad4-41e9-8238-3acf413f7448”

Where f66e7317-2ad4-41e9-8238-3acf413f7448 is the Object ID of the BGA

In the Alert Logic section, threshold value to be 0 for the obvious reasons

In the Evaluation Based on section

Period (in minutes) – How long you want the query to run
Frequency (in minutes) – How often you want the query to run

Once completed, Press Done.

Lets create the Actions now. This is to do what if the query if there are any alerts

Under Actions click on Add Action Groups

Click on Create Action Group

In the Notifications section, Select as below

Notification Type: Email/ SMS message/ Push/ Voice

Set the Name and set the relevant notification methods and press OK

In the next section, set the Actions. This can be a Ticket to your IT Service Desk, Start running a logic app etc.

Next, set your Tags and press Create.

Come back to the Alert Rule and in the Customize actions, set the email subject and set the necessary fields in the Alert rule details and press Create alert rule button.

A sample email would look like this

If you go to Alerts, it will look like below

This will now help you to closely monitor the BGA with the help of Azure features

Final Words

According to what I’ve seen in the internet, there are only two states an organization is in. Either your company has been compromised or not compromised “yet”. Haven’t seen a state where an organization is 100% breach resistant. That being said, when it comes to a break glass account, you must use some common sense as well as use monitoring and alerting on those accounts and always use only when in a disaster situation.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.