Define at least two emergency access accounts. (Best Practice 9/10)

Emergency access accounts help organizations restrict privileged access in an existing cloud environment. These accounts are highly privileged and are not assigned to specific individuals. They are limited to scenarios where normal administrative accounts can’t be used, and organizations must limit their usage to only the necessary amount of time. It is important to prevent being inadvertently locked out of your cloud tenant because you can’t sign in or activate an existing individual user’s account as an administrator. You can mitigate the impact of an inadvertent lack of administrative access by creating two or more emergency access accounts in your tenant.

Emergency access accounts are limited to emergency or ‘break glass’ scenarios where normal administrative accounts cannot be used. Organizations must maintain a goal of restricting the emergency account’s usage to only the times when it is absolutely necessary.

Evaluate the accounts that are assigned or eligible for the Global Administrator role. If you don’t see any cloud-only accounts using the *.onmicrosoft.com domain (intended for emergency access), create them. Consider excluding one account from MFA and the other from Conditional Access.
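The check described above, as an added example that is not part of the original post: it lists every user who is assigned or eligible for Global Administrator, flags the cloud-only *.onmicrosoft.com accounts, and warns when fewer than two enabled ones exist. It assumes the Microsoft Graph PowerShell SDK is installed and that PIM is enabled in the tenant (eligible assignments are read through the role-management API).

```powershell
# Added example (not from the original post): audit Global Administrator
# assignments and check for at least two cloud-only emergency access accounts.
# Assumes the Microsoft.Graph PowerShell SDK and a tenant with PIM enabled.

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All'

# Well-known role definition id for Global Administrator.
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'
$filter = "roleDefinitionId eq '$globalAdminRoleId'"

# Active (assigned) and PIM-eligible principals for the role.
$active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter $filter -All
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter $filter -All

$principals = @()
foreach ($a in $active)   { $principals += [pscustomobject]@{ Id = $a.PrincipalId; Kind = 'Assigned' } }
foreach ($e in $eligible) { $principals += [pscustomobject]@{ Id = $e.PrincipalId; Kind = 'Eligible' } }

$report = foreach ($p in $principals) {
    # Only user objects are evaluated; groups and service principals are skipped.
    $user = Get-MgUser -UserId $p.Id -Property UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled -ErrorAction SilentlyContinue
    if (-not $user) { continue }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Assignment        = $p.Kind
        Enabled           = $user.AccountEnabled
        # Cloud-only: not synced from on-premises AD and using the *.onmicrosoft.com domain.
        CloudOnly         = (-not $user.OnPremisesSyncEnabled) -and ($user.UserPrincipalName -like '*.onmicrosoft.com')
    }
}

$report | Sort-Object UserPrincipalName | Format-Table -AutoSize

# The post's baseline: at least two enabled, cloud-only accounts for break-glass use.
$breakGlass = @($report | Where-Object { $_.CloudOnly -and $_.Enabled })
if ($breakGlass.Count -lt 2) {
    Write-Warning "Only $($breakGlass.Count) enabled cloud-only Global Administrator account(s) found; create at least two emergency access accounts."
} else {
    Write-Host "Found $($breakGlass.Count) cloud-only Global Administrator accounts usable for emergency access."
}
```

The *.onmicrosoft.com test reproduces the post's own criterion for an emergency access account; accounts that also match a normal individual's naming pattern should still be reviewed by hand.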


Turn on Azure AD Privileged Identity Management (Best Practice 8/10)

Turn on Azure AD Privileged Identity Management (PIM). After you turn on Privileged Identity Management, you’ll receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory.

Use role-based access control (Best Practice 7/10)

Role-based Access Control (RBAC) is probably the most ignored security option in Office 365. Of the hundreds of clients that I have worked with, only a handful have explored the option of enabling RBAC. Access management for cloud resources is critical for any organization that uses the cloud. RBAC helps IT admins manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.

Assigning specific groups or individual roles responsibility for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access.

You can use RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Best practice: Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, allow only certain actions at a particular scope. Use built-in RBAC roles in Azure to assign privileges to users.