Best Practices for Managing M365 Break Glass Admins as an IT Service Provider

Asked By TechieGuru27 On

Hey everyone, I'm looking for advice on how to effectively manage Break Glass Admins now that MFA is a requirement for Microsoft admin portals. We currently have a KeePass setup that's only accessible to our escalation team. With about 10 locations to oversee, implementing FIDO keys everywhere could get really tricky. Is going the PKI route a viable option? What challenges should I be aware of? And how are others handling this situation?

2 Answers

Answered By CloudMaster45 On

You should ideally avoid using the break glass account unless absolutely necessary, and it’s best not to set MFA on it. Instead, have alerts in place to notify you if the account is ever used. When it’s used for the first time, you can enable MFA and reset it after. If you're considering other options, there's also a useful app for break glass access that might work for you.

SecuritySavant84 -

True, but remember that Microsoft's documentation actually recommends using MFA on the break glass account, so there's a bit of a contradiction there.

AdminPro18 -

Right, it's also worth noting that this isn't the current recommended approach. Using phishing-resistant MFA for break glass accounts is now suggested.
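CloudMaster45's suggestion above to alert whenever the break glass account is used, as an added example that is not from this thread: a small Python check over constructed sign-in records (shaped like a subset of the Microsoft Graph signIn resource fields) that raises an alert for any sign-in attempt, successful or failed, by a watched account. The account names, sample values and field subset are assumptions for the example.

```python
import json

# Constructed sample events modelled on a few fields of the Microsoft Graph
# signIn resource; the accounts, IPs and times are made up for this example.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-05-01T08:12:03Z",
     "userPrincipalName": "jane.doe@contoso.onmicrosoft.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T09:40:55Z",
     "userPrincipalName": "bg-admin1@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T09:41:20Z",
     "userPrincipalName": "BG-Admin2@contoso.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft 365 Admin Center",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # AADSTS50126: invalid credentials
])

# Assumed names of the emergency-access accounts to watch.
BREAK_GLASS_UPNS = {"bg-admin1@contoso.onmicrosoft.com",
                    "bg-admin2@contoso.onmicrosoft.com"}


def break_glass_alerts(signins_json, watched_upns):
    """Return one alert per sign-in attempt by a watched account.

    Both outcomes are reported: a successful sign-in means the account is
    actually in use (rotate the credential afterwards), while a failure may
    indicate someone probing the account. UPNs are compared case-insensitively.
    """
    watched = {u.lower() for u in watched_upns}
    alerts = []
    for ev in json.loads(signins_json):
        upn = ev.get("userPrincipalName", "").lower()
        if upn not in watched:
            continue
        code = ev.get("status", {}).get("errorCode")
        succeeded = code == 0
        alerts.append({
            "time": ev["createdDateTime"],
            "account": upn,
            "source_ip": ev.get("ipAddress"),
            "app": ev.get("appDisplayName"),
            "auth": ev.get("authenticationRequirement"),
            "outcome": "success" if succeeded else f"failure({code})",
            "severity": "critical" if succeeded else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in break_glass_alerts(SAMPLE_SIGNINS, BREAK_GLASS_UPNS):
        print(alert)
```

In production the same logic would run against exported Entra sign-in logs or as a Log Analytics alert rule rather than over an inline JSON string.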

Answered By AdminWhiz99 On

We've considered setting up our global admin accounts with a different MFA solution like DUO since Microsoft allows some providers as alternatives to their Entra MFA. It seems like Microsoft is okay with a bit of risk, as they know some users might face issues with their mandatory MFA policy. Just make sure to keep stakeholders informed about this risk.
