I accidentally locked myself out while testing a new Conditional Access rule. When I tried to use our emergency access account, I found out that the MFA enrollment had expired, and the account was disabled due to inactivity. I called Microsoft support, but it took four hours to regain access, leaving the whole company unable to authenticate. My CEO even had to use personal email to attend calls! We thought we had a solid break-glass procedure, but it failed because our emergency accounts were affected by the same policies that caused the lockout. How can I properly test emergency access without triggering a problem, and how can I keep these accounts active without compromising their purpose of being dormant?
3 Answers
When it comes to testing emergency access, triggering the alarm is actually part of the process! Log in with your break-glass account, and your Security Operations or SIEM should notify you. If they call it a false positive, then you've successfully confirmed that the system works! But also, be sure you're rotating the password regularly, which seems to be another issue here.
To avoid issues like this, break-glass accounts should never be included in Conditional Access policies. Here are some best practices:
- Keep a global admin active without Privileged Identity Management (PIM).
- Make sure no Conditional Access policies apply to these accounts.
- Use the onmicrosoft domain for their login.
- Store credentials in two different places using separate authentication methods.
- Regularly check on these accounts, at least once every quarter. Before the upcoming deadlines for MFA exemptions, they might have been excluded, but that's changing now.
It sounds like your plan for emergencies might need some tweaks. Consider creating an emergency management group that's specifically exempt from these policies. This way, you can be sure that your break-glass accounts won't fall under the same restrictions as regular accounts. That could prevent this kind of lockout in the future.
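As an added example (not from any of the answers above), here is a quarterly audit of the kind the second answer recommends, folding in the password-rotation and MFA-registration points from the first answer. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and needs a reader with the listed scopes. The two UPNs, the 90-day and 180-day thresholds and the set of method types counted as "strong" are assumptions; replace them with your own.

```powershell
# Added example, not code from the original answers: quarterly health check of break-glass accounts.
# Assumptions: Microsoft.Graph module installed, an Entra ID P1/P2 licence (needed for signInActivity),
# placeholder UPNs and thresholds below.
Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","GroupMember.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$breakGlassUpns  = @("bg-admin1@contoso.onmicrosoft.com", "bg-admin2@contoso.onmicrosoft.com")  # placeholders
$maxDormantDays  = 90    # flag if nobody has exercised the account in this long
$maxPasswordDays = 180   # flag if the password has not been rotated in this long
$userProps       = @("Id","UserPrincipalName","AccountEnabled","SignInActivity","LastPasswordChangeDateTime")
# Method types treated as "strong"; adjust to what your tenant actually issues.
$strongMethods   = @("fido2AuthenticationMethod","microsoftAuthenticatorAuthenticationMethod","softwareOathAuthenticationMethod")

# Pull every policy once. Report-only policies count too: the point is "excluded from everything".
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -ne 'disabled' }

function Test-BreakGlassAccount {
    param([string]$Upn)
    $findings = @()

    $u = Get-MgUser -UserId $Upn -Property $userProps
    if (-not $u.AccountEnabled) { $findings += "account is DISABLED" }

    # Transitive group IDs, so an exclusion granted through a nested group is honoured.
    $groupIds = Get-MgUserTransitiveMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        Select-Object -ExpandProperty Id

    # A policy is acceptable only if it excludes the user directly or via one of their groups,
    # regardless of what the policy includes (users, groups or roles).
    foreach ($p in $policies) {
        $scope = $p.Conditions.Users
        $excludedDirectly = $scope.ExcludeUsers -contains $u.Id
        $excludedByGroup  = @($scope.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
        if (-not ($excludedDirectly -or $excludedByGroup)) {
            $findings += "not excluded from CA policy '$($p.DisplayName)' (state: $($p.State))"
        }
    }

    # Dormancy and rotation: the poster's account had gone unused and unrotated until it was needed.
    $lastSignIn = $u.SignInActivity.LastSignInDateTime
    if (-not $lastSignIn -or $lastSignIn -lt (Get-Date).AddDays(-$maxDormantDays)) {
        $findings += "no sign-in in the last $maxDormantDays days (last: $lastSignIn)"
    }
    if ($u.LastPasswordChangeDateTime -lt (Get-Date).AddDays(-$maxPasswordDays)) {
        $findings += "password older than $maxPasswordDays days (changed: $($u.LastPasswordChangeDateTime))"
    }

    # Registered methods: catches the lapsed MFA enrollment described in the question.
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }
    $strong = $methods | Where-Object { $_ -in $strongMethods }
    if (-not $strong) {
        $findings += "no strong method registered (found: $($methods -join ', '))"
    }

    [pscustomobject]@{ Account = $Upn; Findings = $findings }
}

$breakGlassUpns | ForEach-Object { Test-BreakGlassAccount -Upn $_ } | Format-List
```

Run it from an ordinary admin session each quarter; an empty Findings list means the account is enabled, excluded from every non-disabled policy, recently exercised, rotated and carrying a strong method. The script only reads; the deliberate sign-in that should page your SOC, as the first answer describes, is a separate step you still perform by hand.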
