Define at least two emergency access accounts. (Best Practice 9/10)

Emergency access accounts help organizations restrict privileged access in an existing cloud environment. These accounts are highly privileged and are not assigned to specific individuals. Their use is limited to scenarios where normal administrative accounts can’t be used, and organizations must limit the emergency account’s usage to only the necessary amount of time. It is important to prevent being inadvertently locked out of your cloud tenant because you can’t sign in as an administrator or activate an existing individual user’s account as an administrator. You can mitigate the impact of an inadvertent loss of administrative access by creating two or more emergency access accounts in your tenant.

Emergency access accounts are limited to emergency or ‘break glass’ scenarios where normal administrative accounts cannot be used. Organizations must aim to restrict the emergency account’s usage to only the times when it is absolutely necessary.

Evaluate the accounts that are assigned or eligible for the Global Administrator role. If you don’t see any cloud-only accounts using the *.onmicrosoft.com domain (intended for emergency access), create them. Consider excluding one account from MFA and the other from Conditional Access.
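The evaluation above can be scripted as a repeatable audit. The following is an added example, not part of the original post: it runs the checks over a constructed list of admin accounts in the shape you might export from Microsoft Graph (role members plus PIM eligible assignments), and the field names, the tenant name `contoso` and the sample accounts are assumptions.

```python
"""Audit Global Administrator assignments for emergency access coverage.

Sample data below is constructed for this example; in practice you would
populate AdminAccount records from a directory export (assigned and eligible
Global Administrator holders, onPremisesSyncEnabled, policy exclusions).
"""
from dataclasses import dataclass, field

TENANT_SUFFIX = ".onmicrosoft.com"   # cloud-only accounts use the default domain


@dataclass
class AdminAccount:
    upn: str
    on_prem_synced: bool              # mirrors onPremisesSyncEnabled in Graph
    global_admin: str                 # "assigned", "eligible" or "none"
    excluded_from: set = field(default_factory=set)  # subset of {"mfa", "ca"}


def is_cloud_only_break_glass(acct: AdminAccount) -> bool:
    """Cloud-only (*.onmicrosoft.com, never synced) and assigned or eligible for GA."""
    return (acct.upn.lower().endswith(TENANT_SUFFIX)
            and not acct.on_prem_synced
            and acct.global_admin in ("assigned", "eligible"))


def audit_break_glass(accounts, minimum=2):
    """Return a list of findings; an empty list means the check passes."""
    findings = []
    break_glass = [a for a in accounts if is_cloud_only_break_glass(a)]
    if len(break_glass) < minimum:
        findings.append(f"only {len(break_glass)} cloud-only emergency access "
                        f"account(s) found; at least {minimum} are required")
    for a in accounts:
        # A synced account is useless in an emergency if sync or on-prem AD is down.
        if a.global_admin != "none" and a.on_prem_synced \
                and a.upn.lower().endswith(TENANT_SUFFIX):
            findings.append(f"{a.upn}: synced from on-premises, not cloud-only")
    # Split the exclusions so one misconfigured policy cannot lock out both accounts.
    if break_glass and not any("mfa" in a.excluded_from for a in break_glass):
        findings.append("no emergency access account is excluded from MFA")
    if break_glass and not any("ca" in a.excluded_from for a in break_glass):
        findings.append("no emergency access account is excluded from Conditional Access")
    return findings


# Constructed sample: two proper break-glass accounts, one eligible named admin,
# and one *.onmicrosoft.com admin that is wrongly synced from on-premises.
SAMPLE_ACCOUNTS = [
    AdminAccount("breakglass1@contoso.onmicrosoft.com", False, "assigned", {"mfa"}),
    AdminAccount("breakglass2@contoso.onmicrosoft.com", False, "assigned", {"ca"}),
    AdminAccount("alice.admin@contoso.com", False, "eligible"),
    AdminAccount("svc-admin@contoso.onmicrosoft.com", True, "assigned"),
]

if __name__ == "__main__":
    for finding in audit_break_glass(SAMPLE_ACCOUNTS) or ["OK: emergency access accounts in place"]:
        print(finding)
```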
