Break the glass strategy

Let’s talk about the break the glass strategy, the last-resort plan enacted in emergency situations!

A break the glass strategy is a last-resort plan for use in emergency situations. In medical or IT contexts, it refers to how security controls can be overridden in an emergency. The name comes from the “break glass” cover you smash to activate a fire alarm. It is a quick means for a person who does not normally have access privileges to certain information to gain access when necessary.

It’s important to prevent being accidentally locked out of your Microsoft Entra tenant, for example because you can’t sign in, or can’t activate another user’s account as an administrator. You can mitigate the impact of an accidental loss of administrative access by creating two or more emergency access accounts.

Emergency access with a break the glass account is not tied to a specific person, and the access is highly privileged. Emergency access accounts are limited to emergency or “break glass” scenarios where normal administrative accounts can’t be used, such as a major outage in a central service like PIM or MFA. I highly recommend that these accounts are never used when other options are available.

Golden rules for Break the glass accounts

  • Exclude them from the Conditional Access policies, as we don’t want a policy to block our access while we are handling an incident.
  • Enroll your BTG account in FIDO2 for MFA!
  • Separate on-premises and cloud administrator accounts (that includes the BTG account as well).
  • Store the key at a separate location.
  • Monitor the sign-in and audit logs to gain insight into whenever the account is used.
  • Have written routines for the setup and usage of the break the glass account.

  1. Enable passkeys (FIDO2) for your organization (https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-enable-passkey-fido2?wt.mc_id=SEC-MVP-5005095)
  2. Create separate break the glass accounts
  3. Enroll the new accounts with FIDO2 (https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-with-security-key?wt.mc_id=SEC-MVP-5005095)
  4. Store the FIDO2 key and PIN safely
  5. Exclude the BTG account from all Conditional Access policies
  6. Monitor sign-in events from these accounts.

Exclude the break the glass account from Conditional Access Policies

  1. Sign in to https://entra.microsoft.com as at least a Conditional Access Administrator
  2. Browse to Protection > Conditional Access
  3. Under Conditional Access, select Policies
  4. Select the first policy in the list
  5. Under Assignments, select Users
  6. Navigate to the Exclude section
  7. Select “Users and groups” and add your break the glass account
  8. Repeat steps 4 to 7 for every remaining policy in the list
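To verify that the steps above have been applied to every policy, here is an added PowerShell example (not part of the original post) that uses the Microsoft Graph PowerShell SDK to audit the exclusion lists read-only; the object IDs are placeholders you replace with your own BTG accounts, and exclusion via a group rather than a direct user exclusion is assumed not to be in use.

```powershell
# Added example (not from the original post): audits every Conditional Access policy
# and reports the ones that do NOT list each break the glass account under Exclude.
# Assumes the Microsoft Graph PowerShell SDK is installed. The IDs below are
# placeholders; replace them with the object IDs of your own BTG accounts.
$BreakGlassObjectIds = @(
    "00000000-0000-0000-0000-000000000001",   # placeholder: BTG account 1
    "00000000-0000-0000-0000-000000000002"    # placeholder: BTG account 2
)

# Read-only permission: this script only reads policies, it never changes them.
Connect-MgGraph -Scopes "Policy.Read.All"

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    # A disabled policy cannot lock anyone out. Report-only policies are still
    # checked, because they will enforce as soon as someone switches them on.
    if ($policy.State -eq "disabled") { continue }

    # Direct user exclusions only. An exclusion granted through a group
    # (ExcludeGroups) is not resolved here and would be reported as missing.
    $excluded = @($policy.Conditions.Users.ExcludeUsers)

    foreach ($id in $BreakGlassObjectIds) {
        if ($excluded -notcontains $id) {
            [pscustomobject]@{
                PolicyName   = $policy.DisplayName
                PolicyId     = $policy.Id
                State        = $policy.State
                MissingBtgId = $id
            }
        }
    }
}

if ($findings) {
    Write-Warning "Break the glass account(s) are NOT excluded from these policies:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "All enabled and report-only Conditional Access policies exclude the BTG accounts."
}
```

Run it after any change to Conditional Access, and as part of the six-monthly BTG test routine, so a newly created policy that forgot the exclusion is caught before an incident.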

Create an Azure monitor alert rule

  1. Sign in to the Azure portal as at least a Monitoring Contributor.
  2. Browse to Monitor > Log Analytics workspaces.
  3. Select a workspace.
  4. In your workspace, select Alerts > New alert rule.
    a. Under Resource, verify that the subscription is the one with which you want to associate the alert rule.
    b. Under Condition, select Add.
    c. Select Custom log search under Signal name.
    d. Under Search query, enter the following query, inserting the object IDs of the two break glass accounts.

// Search for a single Object ID (UserId)
SigninLogs
| where UserId == "f828e051-0000-470d-0000-07d7ddf808a8"
| project UserId

// Search for multiple Object IDs (UserIds)
SigninLogs
| where UserId in ("f828e051-0000-470d-0000-07d7ddf808a8", "d81410f1-0000-47f0-0000-4255df77b16f")
| project UserId

    e. Under Alert logic, enter the following:

  • Based on: Number of results
  • Operator: Greater than
  • Threshold value: 0

    f. Under Evaluated based on, select the Period (in minutes) for how long you want the query to run, and the Frequency (in minutes) for how often you want the query to run. The frequency should be less than or equal to the period.
    g. Select Done. You can now view the estimated monthly cost of this alert.

  5. Select an action group of users to be notified by the alert. If you want to create one, see Create an action group on Microsoft Learn.
  6. To customize the email notification sent to the members of the action group, select actions under Customize Actions.
  7. Under Alert Details, specify the alert rule name and add an optional description.
  8. Set the Severity level of the event. We recommend that you set it to Critical (Sev 0).
  9. Under Enable rule upon creation, leave it set to Yes.
  10. To turn off alerts for a while, select the Suppress Alerts check box and enter the wait duration before alerting again, and then select Save.
  11. Select Create alert rule.

Routines that need to be fulfilled

Routines give you a documented plan for how, when, where and by whom the break the glass accounts are used and managed.
It is smart to have a set of routines; here is what I recommend that every business have.

  • A routine that states the “Emergency Access routines”
  • A dedicated routine for “Break the glass”
  • A routine on how and when to rotate the FIDO2 PIN
  • A routine for testing the break the glass accounts at least every 6 months.