I'm trying to figure out the best way to configure break glass accounts in Azure. I'd like to restrict them based on geography or specific IP addresses, but I've heard this might not align with best practices. Can anyone share their setup or experiences?
3 Answers
We tried using geo restrictions on our break glass accounts, and it was a nightmare! When we made changes to the Conditional Access policies, we ended up locking ourselves out. I recommend keeping those accounts unrestricted and safe from geo or IP limitations.
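The advice above amounts to one concrete control: every Conditional Access policy that could ever apply to the break-glass accounts must list them under its user exclusions, and none of them should pin those accounts to a location. The script below is an added example (not code from any poster) that audits exported policies for exactly that. It assumes the policy JSON has the shape returned by Microsoft Graph's `GET /identity/conditionalAccess/policies` (`conditions.users.includeUsers` / `excludeUsers`, `conditions.locations`, `state`); the account object IDs, policy names and the sample export itself are constructed. Group- and role-based scoping is not resolved, because that would need directory lookups, so a policy that reaches the break-glass accounts only through a group is not flagged here.

```python
"""Audit Conditional Access policies for missing break-glass exclusions.

Constructed sample data; field names follow the Graph conditionalAccessPolicy
resource, but the IDs and policy names are invented for this example.
"""
import json

# Object IDs of the two break-glass accounts (constructed placeholders).
BREAK_GLASS_IDS = {
    "11111111-1111-1111-1111-111111111111",  # breakglass1
    "22222222-2222-2222-2222-222222222222",  # breakglass2
}

# Constructed stand-in for a policy export. Policy 2 forgets one account,
# policy 3 (report-only) excludes neither, policy 4 never targets them.
SAMPLE_EXPORT = """{"value": [
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
   "excludeUsers": ["11111111-1111-1111-1111-111111111111",
                    "22222222-2222-2222-2222-222222222222"]},
   "locations": null}},
 {"displayName": "Block outside trusted locations", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
   "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},
   "locations": {"includeLocations": ["All"],
                 "excludeLocations": ["AllTrusted"]}}},
 {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
   "locations": null}},
 {"displayName": "Contractor MFA", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["33333333-3333-3333-3333-333333333333"],
   "excludeUsers": []}, "locations": null}}
]}"""


def policy_targets_account(users: dict, account_id: str) -> bool:
    """True if the user scope names the account directly or uses 'All'.

    Group/role membership is not resolved (no directory access here).
    """
    included = set(users.get("includeUsers") or [])
    return "All" in included or account_id in included


def missing_exclusions(policy: dict, break_glass_ids: set) -> set:
    """Break-glass accounts the policy reaches but does not exclude."""
    users = (policy.get("conditions") or {}).get("users") or {}
    excluded = set(users.get("excludeUsers") or [])
    return {acct for acct in break_glass_ids
            if policy_targets_account(users, acct) and acct not in excluded}


def is_location_scoped(policy: dict) -> bool:
    """True if the policy carries a named/IP location condition at all."""
    locations = (policy.get("conditions") or {}).get("locations") or {}
    return bool(locations.get("includeLocations"))


def audit_policies(policies: list, break_glass_ids: set) -> list:
    """Return one finding per non-disabled policy that lacks an exclusion.

    Report-only policies are included: they become enforced with a single
    state change, which is exactly the moment people lock themselves out.
    """
    findings = []
    for policy in policies:
        if policy.get("state") == "disabled":
            continue
        missing = missing_exclusions(policy, break_glass_ids)
        if missing:
            findings.append({
                "policy": policy["displayName"],
                "state": policy["state"],
                "missing": sorted(missing),
                "locationScoped": is_location_scoped(policy),
            })
    return findings


def run_sample_audit() -> list:
    """Parse the constructed export and audit it."""
    policies = json.loads(SAMPLE_EXPORT)["value"]
    return audit_policies(policies, BREAK_GLASS_IDS)


if __name__ == "__main__":
    for finding in run_sample_audit():
        flag = " [location-scoped]" if finding["locationScoped"] else ""
        print(f'{finding["policy"]} ({finding["state"]}): '
              f'missing exclusion for {", ".join(finding["missing"])}{flag}')
```

Run it against a real export (for example the JSON saved from the Graph call above) by replacing `SAMPLE_EXPORT` with the file contents; an empty findings list is the state you want before touching any policy, and the `locationScoped` flag marks the policies where a geo or IP mix-up like the ones described in this thread would hit the emergency accounts.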
Geo restrictions are risky. I remember a time when Microsoft accidentally confused locations, and it caused havoc! They mixed up parts of Australia with Austria, which resulted in a bunch of access issues. It's better to avoid geo-blocking entirely for these accounts.
In an emergency, you might not always be coming from a specific IP. It's best to consider that variables can change in unexpected ways. Think about what would happen if you needed to access those accounts from a different location or even if your IP changes.
Exactly! You need to think about who will be in charge of updating those policies if your situation changes.

Yeah, we had similar issues with our headquarters in Boston. Users were panicking because their login locations were incorrect, pointing to Boston when they were actually signing in from elsewhere!