An emergency access (or break-glass) account is a key design consideration of your M365/Entra tenant. This would be an account that would bypass MFA and you would store the very long and unique credentials offline somewhere. This would be used in the case of configuration breakages that would lock out all your other admins or MFA service outages that meant MFA dependent on telephony or push notifications was not working.
Things are changing in Entra ID that will mean you will need to revisit your emergency access account(s). From July 2024 Microsoft are going to start requiring MFA on any access to the Azure portal and then later on (in 2025) via script access to the portal. It will not impact access to applications hosted in Azure, but to the administrative interfaces to Azure.
This includes Entra ID and so will therefore mean your emergency access account will stop working because it will start to require MFA.
Therefore I recommend that you investigate and implement the following.
- Enable FIDO2 (to be renamed Passkeys) in Entra ID Authentication Methods
- Purchase two FIDO2 hardware keys – these are made by the likes of Yubikey, Token2, Feitian and eMBW. You will need a capacitive touch based hardware key and not a fingerprint or other biometric model as you do not want to tie emergency access to a physical person. Purchase two keys per emergency access account will allow one to be a backup, just in case!
- Login with your emergency access account(s) and visit https://aka.ms/mfasetup in an in-private browser.
- Register both keys and as they are capacitive touch you will need to register a PIN against them. Store the PIN where you would otherwise have previously stored the password. You do not need to store the password anymore, and if the password was short or you might consider it weak, reset the password as well to a very long string and then forget the password (i.e. don’t write it down)! You cannot remove a password from an account in Entra ID at this time, but this will come.
- The passkey is a phish resistant MFA authentication device. It cannot be phished as it does not use a password but requires physical access to the key (via the capacitive touch sensor).
- Store the PIN offline and the passkey elsewhere securely. This now becomes your emergency access authentication. Do not use online password storage, especially that which requires Entra for authentication as that may equally be unavailable when you come to need it.
This should take 30 minutes to complete for two keys at most. Then once MFA is required for the Azure portal, logging in with the emergency access account uses the passkey device only – you do not need the password. The PIN is required as is physical contact with the device. The passkey is considered multi-factor (device + PIN) and so completes the new Microsoft enforced MFA requirement of the Azure portal.
You cannot turn off the MFA requirement for the Azure portal once it is turned on as it is not implemented via Conditional Access. You will get notice in your tenant that Microsoft are about to do this and you will have 60 days from when you are notified to when it will be enabled. I strongly recommend you do the above before your notification period even starts.
The notice from Microsoft can be found here.
Leave a Reply