Best Practices for Break Glass Accounts in Small Businesses

Asked By TechSavvy123 On

I'm working with small businesses that typically have fewer than five employees. I've read about the importance of having a break glass global admin account for emergencies, but I'm a bit unsure about the best practices. Could anyone clarify the following questions for me?

1) Should I create an unlicensed account with a strong password and enable MFA, but not actually set it up for regular use? Is it okay to just store the username and password somewhere safe? When I eventually need to use this account, will it prompt for a password change and MFA setup? I worry that setting up MFA now might make it harder for the owner to access it later.

2) Is it really best practice to keep this account unlicensed to prevent it from sending phishing emails or accessing unnecessary storage?

3) I saw that it's recommended to exclude this account from Conditional Access (CA). I wasn't aware that CA applies to unlicensed accounts too.

Are there any other considerations I should be aware of? Thanks!

3 Answers

Answered By ITGuy2023 On

For a break glass account, think of it as an emergency tool. It should have a long password saved safely, and MFA should definitely be set, but it shouldn't rely on a device assigned to a specific person. You could use something easily accessible in emergencies, like a hardware key. It's best not to license the account unless you absolutely need mailbox access; this reduces the risk of attacks. Also, keep in mind that you might want to exclude it from any Conditional Access policies to avoid being locked out during off-hours or from outside the usual location.

Answered By PasswordGuru On

Storing the credentials in a password manager is a smart move for handling MFA tokens as well. Also, consider using multiple break glass accounts if possible, each managed separately for additional security. And regarding Conditional Access—it's good practice to exclude this account from any location-based access policies; geolocation issues can be a real pain.

Answered By SecurityNinja77 On

I agree, the first question about not setting up MFA is a concern. Your break glass account should have MFA—ideally with something like a YubiKey or at least a TOTP code. And yes, keeping it unlicensed is wise since it doesn't require access to additional services, which can introduce risks. About Conditional Access, it's crucial to ensure that your break glass account isn't affected by policies that could lock you out in an emergency!
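The Conditional Access exclusion and "keep it unlicensed" advice above are easy to get wrong when a new policy is added later, so a periodic audit is worth scripting. Here is an added example (not from any of the answers or from Microsoft) that checks both points against JSON in the shape Microsoft Graph returns for `/identity/conditionalAccess/policies` and `/users`; the policy names, the user id `bg-0001` and the `contoso.onmicrosoft.com` UPN are constructed sample data, and report-only policies are treated as not enforced.

```python
"""Audit a break glass account: is it excluded from every enforced
Conditional Access policy, and does it carry no licenses?
Input follows the Microsoft Graph JSON shape; samples below are constructed."""
import json

# Constructed sample: one policy excludes the account, one does not, one is disabled.
POLICIES_JSON = """[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001"]}}},
 {"displayName": "Block sign-in outside HQ", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
 {"displayName": "Old pilot policy", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}}
]"""
USER_JSON = """{"id": "bg-0001",
 "userPrincipalName": "breakglass@contoso.onmicrosoft.com",
 "assignedLicenses": []}"""


def policies_hitting(policies, user_id):
    """Names of enforced policies whose user scope still reaches user_id.
    Group membership cannot be resolved offline, so a policy that targets
    groups without excluding the user is reported as well (verify manually)."""
    hits = []
    for p in policies:
        if p.get("state") != "enabled":          # skip disabled and report-only
            continue
        users = p.get("conditions", {}).get("users", {})
        if user_id in users.get("excludeUsers", []):
            continue                              # explicitly excluded: fine
        include = users.get("includeUsers", [])
        if "All" in include or user_id in include or users.get("includeGroups"):
            hits.append(p["displayName"])
    return hits


def audit_break_glass(policies, user):
    """Return a list of human-readable findings; empty means the account is clean."""
    upn = user["userPrincipalName"]
    findings = [f"CA policy '{n}' still applies to {upn}"
                for n in policies_hitting(policies, user["id"])]
    if user.get("assignedLicenses"):
        findings.append(f"{upn} has {len(user['assignedLicenses'])} license(s) assigned")
    return findings


def run_audit():
    """Run the audit over the constructed samples."""
    return audit_break_glass(json.loads(POLICIES_JSON), json.loads(USER_JSON))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

In a real tenant, feed it the output of the two Graph calls and run it after every Conditional Access change, not only at setup.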
