I'm setting up my first Entra tenant and I'm currently testing it out. While going through the setup, I noticed that any admin can easily reset the passwords for break glass accounts. I'm wondering how people approach this issue to avoid any mishaps or unauthorized changes. What are some strategies you use to keep these accounts secure?
1 Answer
From what I gather, you can’t fully prevent others from modifying accounts, but you can log and audit everything. Setting up alerts specifically for break glass accounts is a smart move. If those accounts get accessed or changed, you'll get an email about it. Another idea is using Azure Functions to reset passwords daily and store them in a password manager, just to keep things secure.
Totally agreed! Creating an alert policy for these sensitive accounts is super essential. It gives you a heads-up at least!
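As an added example (not code from the question, the answer or the comment above), here is how the "log and alert on the break-glass accounts" idea looks as a PowerShell script built on the Microsoft Graph PowerShell SDK. It pulls the last 24 hours of sign-ins *by* the break-glass accounts and of directory audit events that *target* them, so a password reset performed by some other admin shows up together with that admin's UPN, and prints whatever it finds. The two object IDs, the 24-hour window and the delegated scopes are assumptions; in production the same logic would run on a schedule from an Azure Automation runbook or an Azure Function, or be replaced by an Azure Monitor alert rule over the exported SigninLogs and AuditLogs tables. Reading sign-in logs through Graph requires a Microsoft Entra ID P1 or P2 licence and a reporting role such as Reports Reader or Global Reader.

```powershell
# Added example, not from the original thread. Requires the Microsoft.Graph PowerShell SDK
# (Microsoft.Graph.Reports) and a caller granted AuditLog.Read.All and Directory.Read.All.
# The two object IDs below are placeholders for your own break-glass accounts.

# Key the watch list on object IDs, not UPNs: the same admins whose actions you are
# trying to catch can rename a UPN, but the object ID never changes.
$BreakGlassIds = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: breakglass1
    '00000000-0000-0000-0000-000000000002'    # placeholder: breakglass2
)

function Get-BreakGlassActivity {
    param(
        [Parameter(Mandatory)][string[]] $ObjectIds,
        [int] $LookbackHours = 24
    )

    # Graph $filter expressions take an unquoted ISO 8601 UTC timestamp.
    $since = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')

    # 1. Sign-ins BY a break-glass account. Every hit is worth a human look: these
    #    accounts should only authenticate during a real emergency or a planned test.
    $signIns = foreach ($id in $ObjectIds) {
        Get-MgAuditLogSignIn -Filter "userId eq '$id' and createdDateTime ge $since" -All |
            ForEach-Object {
                [pscustomobject]@{
                    Time     = $_.CreatedDateTime
                    Kind     = 'SignIn'
                    Actor    = $_.UserPrincipalName
                    Activity = "Sign-in from $($_.IPAddress) ($($_.Location.CountryOrRegion))"
                    Target   = $_.UserId
                    Result   = if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure $($_.Status.ErrorCode)" }
                }
            }
    }

    # 2. Directory changes TO a break-glass account: password reset, role assignment,
    #    authentication-method change, deletion, and so on. The time window is filtered
    #    server-side; the target-object match is done client-side so it does not depend
    #    on which targetResources filter properties the endpoint supports.
    $audits = Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
        Where-Object {
            $hit = @($_.TargetResources | Where-Object { $ObjectIds -contains $_.Id })
            $hit.Count -gt 0
        } |
        ForEach-Object {
            # Record who did it: an interactive admin, an application, or unknown.
            $actor = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
                     elseif ($_.InitiatedBy.App.DisplayName)    { "app:$($_.InitiatedBy.App.DisplayName)" }
                     else                                       { 'unknown' }
            $targets = @($_.TargetResources | Where-Object { $ObjectIds -contains $_.Id } |
                         ForEach-Object { $_.UserPrincipalName })
            [pscustomobject]@{
                Time     = $_.ActivityDateTime
                Kind     = 'DirectoryChange'
                Actor    = $actor
                Activity = $_.ActivityDisplayName
                Target   = ($targets -join ',')
                Result   = $_.Result
            }
        }

    @($signIns) + @($audits) | Sort-Object Time
}

# Delegated sign-in for an interactive run; a runbook or Function would use a managed
# identity with the equivalent application permissions instead.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$findings = @(Get-BreakGlassActivity -ObjectIds $BreakGlassIds -LookbackHours 24)
if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) break-glass event(s) in the last 24 hours:"
    $findings | Format-Table Time, Kind, Actor, Activity, Target, Result -AutoSize
} else {
    Write-Output 'No break-glass sign-ins or directory changes in the last 24 hours.'
}
```

The output objects are what you would hand to whatever notification path you already have (a runbook that sends mail, a webhook into your ticketing system); the script deliberately stops at producing them. Running it once right after creating the accounts is also a useful check that the audit trail actually records a password reset against them before you rely on it.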