Enabling Multifactor Authentication for Break Glass Accounts in Azure

By now, you’ve likely heard about Microsoft’s mandate requiring multifactor authentication (MFA) for every user who signs in to the Azure portal, the Microsoft Entra admin center and the Intune admin center, with command-line tools and administrative APIs following in a later phase. If you haven’t already started, it’s time to address your break glass accounts so you don’t lose access at a critical moment.

This move is not entirely unexpected given that the security community has been championing MFA for decades. MFA became an even hotter topic in 2016 when President Obama launched the Cybersecurity National Action Plan (CNAP), urging Americans to adopt stronger security measures. Microsoft has also consistently promoted MFA as a critical defense against account compromise, and since the advent of cloud computing the call for stronger authentication has only intensified.

This change is part of Microsoft’s Secure Future Initiative and is a crucial step toward enhancing security and protecting organizations from threats. Ensuring that break glass accounts are MFA-enabled is essential to maintaining secure and uninterrupted access during critical situations.

Break Glass Accounts Explained

If you are not familiar with the term, “break glass” accounts are emergency access accounts used to regain access to an environment when the day-to-day administrative accounts or authentication methods fail. In Microsoft Entra they are typically cloud-only accounts (not synchronized from on-premises Active Directory and not federated) that are used only when something prevents your regular accounts from reaching the portals or apps. They are permanently assigned the Global Administrator role, rather than activated on demand through Privileged Identity Management, and they are excluded from the Conditional Access policies that could otherwise lock them out. Microsoft recommends creating at least two such accounts.

Because they hold the highest privileges in the tenant, all activity on these accounts must be monitored, and they must be secured with phishing-resistant multifactor authentication (MFA) to prevent unauthorized access.

Historically, break glass accounts were excluded from MFA requirements so that an MFA outage could not lock you out. Now that Microsoft is enforcing MFA for every account that signs in to the covered portals, the break glass accounts must be enabled for MFA as well. Several methods satisfy the requirement; the two phishing-resistant options are FIDO2 security keys and certificate-based authentication. Keep in mind that Microsoft’s enforcement applies at the covered portals and APIs. If you want these accounts to require phishing-resistant MFA for every sign-in, a dedicated Conditional Access policy scoped only to the break glass accounts and requiring the phishing-resistant authentication strength does that, at the cost of reintroducing a dependency you must test with the registered keys before relying on it.

Each option has pros and cons in expense, reliability, and administrative overhead. A key advantage of FIDO2 is that sign-in with a security key depends only on the key and Microsoft Entra ID: it is unaffected by a cellular or telephony outage, by problems with the Microsoft Authenticator app, or by an interruption of the Entra multifactor authentication service that delivers push, SMS and voice prompts. For that reason we recommend FIDO2 security keys for break glass accounts as the option with the best combination of security, reliability, and low administrative overhead.

Key Benefits of FIDO2

FIDO2 security keys are physical devices that use public key cryptography. The typical form factor is a tamper-resistant USB device that plugs into a laptop for passwordless authentication. Popular vendors include Yubico and Thales. The key benefits of FIDO2 security keys are:

  • Enhanced security: a FIDO2 credential is bound to the origin it was registered for and signs a fresh challenge on every sign-in, so it resists phishing, adversary-in-the-middle, and replay attacks.
  • User convenience: sign-in is passwordless; the user touches the key and enters its PIN instead of typing a password.
  • Compliance: meets industry standards for strong, phishing-resistant authentication and is supported by the major browsers and platforms.
  • Longevity: security keys do not expire, unlike certificates, so there is no renewal cycle to manage.

FIDO2 Security Key Implementation Steps

Microsoft documents how to Enable passkeys for your organization in a step-by-step process: the FIDO2 method is enabled in the Entra authentication methods policy, targeted at the group that contains the break glass accounts, and optionally restricted to specific key models by AAGUID. Once the method is enabled, register keys on each break glass account as documented in Register a passkey (FIDO2) with a FIDO2 security key – Microsoft Entra ID | Microsoft Learn. Two practical points: registration is done while signed in as the break glass account itself, and a FIDO2 key cannot be the first strong method registered on an account unless an administrator issues a Temporary Access Pass to bootstrap it. Register both keys for each account and verify the registrations before you seal the keys away.
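The two administrative steps above, enabling the method for the break glass group and then checking that every account ended up with the expected keys, can be scripted with the Microsoft Graph PowerShell SDK. This is an added example for this article, not code from the original post or from Microsoft’s documentation. It assumes an administrator who can consent to the listed scopes; the group object ID, the user principal names and the AAGUID are placeholders that must be replaced with the object ID of your break glass group, your account names, and the AAGUIDs your key vendor publishes for the model you purchased.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph). All IDs, UPNs and AAGUIDs below are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod', 'UserAuthenticationMethod.Read.All'

$BreakGlassGroupId  = '11111111-2222-3333-4444-555555555555'   # placeholder: object ID of the break glass group
$AllowedAaguids     = @('aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee') # placeholder: AAGUID(s) of the key model you bought
$BreakGlassAccounts = @(
    'bg-emergency-01@contoso.onmicrosoft.com',                  # placeholder UPNs
    'bg-emergency-02@contoso.onmicrosoft.com'
)

# 1. Enable the FIDO2 (passkey) method for the break glass group only, require attestation,
#    and allow only the purchased key model. A wrong AAGUID with isEnforced = $true blocks
#    every registration, so prove the policy with one key before sealing any of them.
$fido2Config = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    keyRestrictions                  = @{
        isEnforced      = $true
        enforcementType = 'allow'
        aaGuids         = $AllowedAaguids
    }
    includeTargets = @(
        @{ targetType = 'group'; id = $BreakGlassGroupId; isRegistrationRequired = $false }
    )
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2' `
    -Body $fido2Config -ContentType 'application/json'

# 2. After the keys have been registered (signed in as each break glass account), confirm that
#    every account has at least two keys and that all of them are the expected model.
function Test-BreakGlassFido2Registration {
    param(
        [Parameter(Mandatory)] [string[]] $Accounts,
        [Parameter(Mandatory)] [string[]] $AllowedAaguids,
        [int] $MinimumKeys = 2
    )
    foreach ($upn in $Accounts) {
        $keys       = @(Get-MgUserAuthenticationFido2Method -UserId $upn)
        $unexpected = @($keys | Where-Object { $AllowedAaguids -notcontains $_.AaGuid })
        [pscustomobject]@{
            Account        = $upn
            RegisteredKeys = $keys.Count
            Models         = ($keys | ForEach-Object { $_.Model }) -join ', '
            UnexpectedKeys = $unexpected.Count
            Compliant      = ($keys.Count -ge $MinimumKeys -and $unexpected.Count -eq 0)
        }
    }
}

Test-BreakGlassFido2Registration -Accounts $BreakGlassAccounts -AllowedAaguids $AllowedAaguids |
    Format-Table -AutoSize
```

Run the check again whenever a key is replaced or a PIN is rotated; a row with fewer than two registered keys, or any key outside the allow list, means the stored keys no longer match what the account will accept.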

Securing the Security Keys

Given the level of access that break glass accounts carry, securing the security keys themselves is paramount. They should not live on a key chain or in a desk drawer. Organizations should take deliberate measures to store the keys securely and retrieve them reliably when needed. At a high level:

  1. Provision at least two security keys for each break glass account, and register every key on the account before it goes into storage.
  2. Seal each key in a tamper-evident bag together with its unlock PIN.
  3. Establish a chain-of-custody paper trail that records every custody, control, and transfer event.
  4. Keep one key on site in a locked safe that only a small number of named individuals can open.
  5. Send the other key to a secure offsite location, locked in a safe or a fireproof hard case.
  6. Document the retrieval process and test it at least yearly so you know how long retrieval actually takes.
  7. Record multiple trusted individuals, with contact information, who are authorized to retrieve and deliver the keys to a designated location.
  8. Monitor and alert on any attempt to use the break glass accounts in any capacity.
  9. If PINs are required, create a process to document, secure, and rotate them yearly. A FIDO2 PIN is set on the key itself, so rotation needs physical access to each key and an update to its sealed bag.
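Step 8 is the one most often left as a good intention. The following added example (not code from the original post) shows the detection logic: a function that turns sign-in records for the break glass accounts into alert objects, run first against constructed sample records shaped like the output of Get-MgAuditLogSignIn so it works offline, and then, in the commented live section, against the tenant’s sign-in logs. The live part assumes the Microsoft Graph PowerShell SDK, the AuditLog.Read.All scope and a Microsoft Entra ID P1 or P2 license, which Graph requires for sign-in log access. The account names and the sample records are placeholders.

```powershell
# Added example (not from the original post). UPNs and sample records are constructed placeholders.

$BreakGlassAccounts = @(
    'bg-emergency-01@contoso.onmicrosoft.com',
    'bg-emergency-02@contoso.onmicrosoft.com'
)

function Find-BreakGlassSignIn {
    # Returns one alert object per sign-in attempt by a break glass account. Failures matter
    # too: a password-guessing run against these accounts is an early warning, and a success
    # means someone is holding one of the sealed keys and must be reconciled with an incident.
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [string[]] $Accounts
    )
    foreach ($s in $SignIns) {
        if ($Accounts -notcontains $s.UserPrincipalName) { continue }   # -contains is case-insensitive
        $succeeded = ($s.Status.ErrorCode -eq 0)
        [pscustomobject]@{
            Severity  = if ($succeeded) { 'High' } else { 'Medium' }
            When      = $s.CreatedDateTime
            Account   = $s.UserPrincipalName
            Outcome   = if ($succeeded) { 'Success' } else { "Failure $($s.Status.ErrorCode): $($s.Status.FailureReason)" }
            AuthLevel = $s.AuthenticationRequirement   # a FIDO2 sign-in reports multiFactorAuthentication
            IPAddress = $s.IPAddress
            App       = $s.AppDisplayName
        }
    }
}

# Constructed sample records (not real log data): one successful break glass sign-in, one failed
# password guess against the second account, and an unrelated user that must be ignored.
$sample = @(
    [pscustomobject]@{
        UserPrincipalName = 'bg-emergency-01@contoso.onmicrosoft.com'
        CreatedDateTime   = [datetime]'2024-09-01T02:14:00Z'
        IPAddress         = '198.51.100.23'
        AppDisplayName    = 'Azure Portal'
        AuthenticationRequirement = 'multiFactorAuthentication'
        Status            = [pscustomobject]@{ ErrorCode = 0; FailureReason = $null }
    },
    [pscustomobject]@{
        UserPrincipalName = 'BG-Emergency-02@contoso.onmicrosoft.com'
        CreatedDateTime   = [datetime]'2024-09-01T02:20:00Z'
        IPAddress         = '203.0.113.77'
        AppDisplayName    = 'Azure Portal'
        AuthenticationRequirement = 'singleFactorAuthentication'
        Status            = [pscustomobject]@{ ErrorCode = 50126; FailureReason = 'Error validating credentials due to invalid username or password.' }
    },
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.com'
        CreatedDateTime   = [datetime]'2024-09-01T02:21:00Z'
        IPAddress         = '192.0.2.10'
        AppDisplayName    = 'Office 365 Exchange Online'
        AuthenticationRequirement = 'multiFactorAuthentication'
        Status            = [pscustomobject]@{ ErrorCode = 0; FailureReason = $null }
    }
)

# Expect two alerts: High for bg-emergency-01, Medium for bg-emergency-02; alice is ignored.
Find-BreakGlassSignIn -SignIns $sample -Accounts $BreakGlassAccounts | Format-Table -AutoSize

# Live query: pull the last 24 hours for each account and alert on anything returned. A scheduled
# pull like this is a floor; stream the sign-in logs to your SIEM and alert there in near real time.
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# $since = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $live  = foreach ($upn in $BreakGlassAccounts) {
#     Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All
# }
# Find-BreakGlassSignIn -SignIns $live -Accounts $BreakGlassAccounts
```

Whatever produces the alert, route it to a channel that is watched around the clock and that does not itself depend on the tenant being healthy, since the scenario in which these accounts are used is exactly the one in which normal tooling may be down.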

An Alternative Approach Using Certificates

Certificate-based authentication (CBA) is the other option that meets the requirement for strong, phishing-resistant authentication. Microsoft’s document How to configure Microsoft Entra certificate-based authentication details the required steps. Certificates carry significantly more administrative overhead, however: you need a public key infrastructure (PKI) that you continually manage, monitor, and protect, plus trained administrators and written policies and procedures that are reviewed yearly.

Key Benefits of Certificates

  1. Enhanced security: certificate authentication is based on public key cryptography, which makes it phishing resistant.
  2. Automatic enrollment: policies can install certificates on end-user devices automatically; once installed, access is seamless for the user.
  3. Control and compliance: certificates satisfy Microsoft’s MFA requirement, provided the Entra CBA authentication binding policy marks the issuing CA or policy OID as multifactor. The default protection level is single-factor, and a single-factor certificate sign-in does not meet an MFA requirement.
  4. Cost: if you already operate an enterprise PKI, there is little additional cost to issue certificates for these accounts.

Key Considerations for Certificates

  1. A PKI certificate authority is a required component for certificate-based authentication, adding to the administrative overhead.
  2. Certificate lifecycle management must be maintained: certificates have a “valid to” date and must be renewed before they expire, or the break glass account quietly loses its MFA method.
  3. Root and intermediate certificate authority certificates must be uploaded to the tenant’s trusted certificate authority configuration in Microsoft Entra.
  4. A Certificate Revocation List (CRL) must be published at a URL that Entra can reach from the internet.
  5. If that CRL is unreachable during an event, certificate sign-in for the break glass accounts fails, which reintroduces exactly the kind of dependency break glass accounts exist to avoid.
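Considerations 3 through 5, and the single-factor default noted under the benefits, all live in two Microsoft Graph objects. The following added example (not code from the original post or from Microsoft’s documentation) configures them with the Microsoft Graph PowerShell SDK: the tenant’s trusted CA list with CRL URLs, then the CBA method policy with a multifactor binding for the issuing CA, and finally a reachability check of the CRLs. It assumes the Organization.ReadWrite.All and Policy.ReadWrite.AuthenticationMethod scopes and the v1.0 Graph schema for x509CertificateAuthenticationMethodConfiguration; the CA file paths, issuer subject, CRL URLs and group ID are placeholders, and the property names should be checked against the current Graph reference before use.

```powershell
# Added example (not from the original post). Paths, URLs, subjects and IDs are placeholders.

Connect-MgGraph -Scopes 'Organization.ReadWrite.All', 'Policy.ReadWrite.AuthenticationMethod'

$BreakGlassGroupId = '11111111-2222-3333-4444-555555555555'        # placeholder: break glass group object ID
$RootCaPath        = 'C:\pki\contoso-root-ca.cer'                   # placeholder: exported root CA certificate
$IssuingCaPath     = 'C:\pki\contoso-issuing-ca-01.cer'             # placeholder: exported issuing CA certificate
$RootCrlUrl        = 'http://crl.contoso.com/contoso-root-ca.crl'   # placeholder: must be reachable from the internet
$IssuingCrlUrl     = 'http://crl.contoso.com/contoso-issuing-ca-01.crl'
$IssuingCaSubject  = 'CN=Contoso Issuing CA 01, O=Contoso, C=US'    # placeholder: issuer subject used in the binding rule

function Get-CaCertificateBase64 {
    # Reads a CA certificate file (DER or PEM) and returns the base64 DER that Graph expects.
    param([Parameter(Mandatory)] [string] $Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    [Convert]::ToBase64String($cert.GetRawCertData())
}

# 1. Trusted CA list (consideration 3) with the CRL URL for each CA (consideration 4). A tenant has
#    at most one certificateBasedAuthConfiguration object; to change it, delete it and POST a new one.
$orgId = (Get-MgOrganization).Id
$trustConfig = @{
    certificateAuthorities = @(
        @{ isRootAuthority = $true;  certificate = (Get-CaCertificateBase64 $RootCaPath);    certificateRevocationListUrl = $RootCrlUrl },
        @{ isRootAuthority = $false; certificate = (Get-CaCertificateBase64 $IssuingCaPath); certificateRevocationListUrl = $IssuingCrlUrl }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/organization/$orgId/certificateBasedAuthConfiguration" `
    -Body $trustConfig -ContentType 'application/json'

# 2. Enable CBA for the break glass group, bind the certificate's PrincipalName to the user's UPN,
#    and set the protection level to multifactor. Without the multifactor mode the sign-in is
#    accepted as single-factor and does not satisfy an MFA requirement.
$cbaConfig = @{
    '@odata.type'           = '#microsoft.graph.x509CertificateAuthenticationMethodConfiguration'
    state                   = 'enabled'
    certificateUserBindings = @(
        @{ x509CertificateField = 'PrincipalName'; userProperty = 'userPrincipalName'; priority = 1 }
    )
    authenticationModeConfiguration = @{
        x509CertificateAuthenticationDefaultMode = 'x509CertificateMultiFactor'
        rules = @(
            @{
                x509CertificateRuleType           = 'issuerSubject'
                identifier                        = $IssuingCaSubject
                x509CertificateAuthenticationMode = 'x509CertificateMultiFactor'
            }
        )
    }
    includeTargets = @(
        @{ targetType = 'group'; id = $BreakGlassGroupId; isRegistrationRequired = $false }
    )
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/x509Certificate' `
    -Body $cbaConfig -ContentType 'application/json'

# 3. Consideration 5: fetch each CRL from outside your network the way Entra will. Anything but
#    HTTP 200 here means certificate sign-in for the break glass accounts will fail.
foreach ($url in @($RootCrlUrl, $IssuingCrlUrl)) {
    $response = Invoke-WebRequest -Uri $url -Method Get -UseBasicParsing -TimeoutSec 10
    '{0} -> HTTP {1}, {2} bytes' -f $url, $response.StatusCode, $response.RawContentLength
}
```

Run the CRL check from a host outside the corporate network and add it to the yearly retrieval test, because an internal-only CRL distribution point is the most common reason a CBA break glass sign-in fails on the day it is needed.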

Securing the PKI Infrastructure

Securing a PKI is considerably more involved and must be part of daily operations, because the certificate authority has to maintain the highest integrity and trustworthiness. Managing it requires specialized training in its operation, implementation, and security best practices.

  1. Keep the root CA offline to protect it from network-based attacks and store it in a secure environment.
  2. Harden the OS for online CAs according to industry best practices.
  3. Use strong cryptographic algorithms.
  4. Disable unnecessary services.
  5. Patch regularly.
  6. Create policies that govern the issuance, revocation, and CRL publication.
  7. Automate certificate issuance through group policies.
  8. Regularly monitor and audit the configuration and perform access reviews at least yearly.
  9. Provide adequate training and certification for administrators.

Conclusion

With Microsoft’s announcement that it will enforce MFA for all accounts that access the Microsoft Entra and Azure administrative portals, break glass accounts included, now is the time to enable them for strong authentication so that you don’t lose access during a critical moment. Both FIDO2 security keys and certificates are valid options that meet the MFA requirement. FIDO2 has advantages over certificates that make it our recommended option for break glass accounts: it is phishing resistant, it offers a better user experience, and it carries far less administrative overhead, with no PKI, certificate lifecycle, or CRL to keep healthy. Whichever option you pick, address your break glass accounts now.

At Ravenswood Technology Group, we specialize in helping organizations design, implement, and manage their Active Directory and Microsoft Entra environments. If you need help getting started, review some of our other blogs such as Active Directory Design Overview | AD Security. We can also work with your team to provide an assessment using our Active Directory Health Check – Ravenswood Technology Group.

Get in touch with Ravenswood Technology Group today to learn how we can help you achieve a well-designed, secure, and efficient Active Directory or Microsoft Entra environment.

Partner with Microsoft experts you can trust

If it’s time to take that first step toward leveling up your organization’s security, get in touch with Ravenswood to start the conversation. 