I recently tested our disaster recovery plan using the emergency break glass account for Office 365, but the sign-in got blocked because I was logging in from an unfamiliar location. What can I do to prevent this from happening in a real emergency while still keeping the account secure? I'm looking for extra settings or best practices to ensure smooth access when needed.
7 Answers
I agree about the Conditional Access issue. For us, we have a policy that restricts break glass accounts, only allowing access from specified locations like our main office's IP addresses. This way, we maintain security while ensuring access is reliable.
For sure, make sure to exclude that account from all CA policies rather than just adding it to a group. Just excluding the account itself is the safest way to prevent any conflicts.
Have you set up security defaults or Conditional Access (CA) policies for risky sign-ins? It's a good idea to make sure that your break glass accounts are excluded from these policies to avoid issues during a real emergency. You definitely don’t want access blocked when you need it most!
You should definitely check the SignIn logs to see what exactly blocked the access. Break glass accounts should be excluded from any other conditional access policies besides the ones specifically meant for them. It's likely that a risk-based policy was causing the trouble.
This is such a common issue with CA policies. It’s really important to exempt that account from everything! By the way, if an admin goes rogue, could they disable every admin account along with the break glass account? Any way to safeguard against that?
Absolutely, just make sure that account is excluded from any Azure conditional access policies that could interfere with your DR processes. It’s crucial that it has a clear path to access when you're in a pinch.
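Added example (not from any answer in this thread, nor from Microsoft): a Microsoft Graph PowerShell SDK script that checks whether a break-glass account is directly excluded from every enabled Conditional Access policy and then reads the sign-in log to show which policy actually blocked the test sign-in, rather than guessing. It assumes the Microsoft.Graph modules are installed and that the UPN below is a placeholder you replace with your own.

```powershell
# Added example: audit a break-glass account's Conditional Access exposure.
# $BreakGlassUpn is a placeholder; replace it with your own account's UPN.
$BreakGlassUpn = 'breakglass@contoso.example'

Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$user = Get-MgUser -UserId $BreakGlassUpn -Property Id,UserPrincipalName
# Group memberships matter: a policy can target or exclude the account via a group.
$groupIds = (Get-MgUserMemberOf -UserId $user.Id -All | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }).Id

# 1. Warn about every enabled policy that targets the account without excluding
#    the user object itself (group-only exclusions are flagged separately).
foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    $u = $p.Conditions.Users
    $directlyExcluded = $u.ExcludeUsers -contains $user.Id
    $excludedViaGroup = @($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
    $targeted = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $user.Id) -or
                (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
    if ($targeted -and -not $directlyExcluded) {
        $how = if ($excludedViaGroup) { 'excluded only via a group' } else { 'NOT excluded' }
        Write-Warning "$($p.DisplayName): break-glass account is $how"
    }
}

# 2. List the account's recent failed sign-ins with the policy that produced
#    the failure, the sign-in location and the risk level Identity Protection assigned.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$BreakGlassUpn'" -Top 20 |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    ForEach-Object {
        $blocking = ($_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Result -eq 'failure' }).DisplayName -join ', '
        [pscustomobject]@{
            Time     = $_.CreatedDateTime
            Location = "$($_.Location.City)/$($_.Location.CountryOrRegion)"
            Risk     = $_.RiskLevelDuringSignIn
            Error    = $_.Status.ErrorCode
            Reason   = $_.Status.FailureReason
            Blocking = $blocking
        }
    } | Format-Table -AutoSize
```

Run it after each DR test so a new or edited policy that silently re-captures the account shows up before a real emergency does.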