This principle is perhaps most clearly demonstrated in the concept of “break-glass” accounts. This is a crucial topic when preparing for the SC-300: Microsoft Identity and Access Administrator Exam, and is a fundamental concept in managing identity and access within an IT infrastructure.

Table of Contents

Understanding Break-Glass Accounts

A break-glass account, often referred to as a “firecall” or “emergency” account, is essentially a privileged account that is kept inactive and sealed under strict control. It is used only in a critical situation where normal administrative accounts cannot be accessed, hence the name “break glass”, as in breaking the glass to access a fire extinguisher in case of a fire.

The Role of Break-Glass Accounts

The role of these accounts is to ensure that access is never completely lost to critical systems. If normal administrative accounts are compromised or become inaccessible for any reason, a break-glass account allows for continued access so that the situation can be resolved swiftly.

A crucial point to remember is that these accounts are kept in a secure condition and only activated when needed. Using a break-glass account for routine management tasks is strongly discouraged because any compromise of this account could potentially grant an attacker unrestricted access to your environment. This is a cyber-security best practice and a critical point of knowledge for the SC-300 exam.

Creating and Managing Break-Glass Accounts

Creating a break-glass account often means creating a user account with a high level of privileges. With Microsoft Azure, the recommended practice is to assign the User Administrator or Global Administrator roles.

Here is an example of creating a break-glass account in Azure:

# Sign in to your Azure account
Connect-AzureAD

# Create a new break-glass account
$PasswordProfile=New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password=”specify-a-strong-password-here”
$PasswordProfile.ForceChangePasswordNextLogin=$False

New-AzureADUser -UserPrincipalName “BGAccount@yourdomain.com”-PasswordProfile $PasswordProfile -AccountEnabled $True

Once the account is created, you can grant it the necessary permissions:

# Assign User Administrator role
Add-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq “User Administrator”}).ObjectId -RefObjectId (Get-AzureADUser -SearchString “BGAccount@yourdomain.com”).ObjectId

The above codes sign into Azure and create a new break-glass account called “BGAccount”. The code then assigns the User Administrator role to the newly created account.

The security of a break-glass account is paramount. Diverse measures should be taken to ensure its security:

  • Unique and complex passwords: It is standard practice to utilize a strong, unique, autogenerated password.
  • Account monitoring: Regular audits and logs review will help identify any unauthorized use of the break-glass account.
  • Limited Usage: The intended use of break-glass accounts is during emergencies only.
  • Regular Password Changes: If the account is used, it is important to reset its password promptly to limit vulnerability.

Break-glass accounts are an essential cyber-security measure to ensure that there’s always a personalized pathway to critical systems during emergencies. By understanding how to create and manage these accounts, you will be well-prepared for the SC-300 Microsoft Identity and Access Administrator exam and for managing IT infrastructures.

Practice Test

True or False: Break-glass accounts are used as a security measure to prevent unauthorized access.

  • True.
  • False.

Answer: True.

Explanation: Break-glass accounts are administrative accounts used during emergencies to prevent any form of unauthorized access, especially when normal processes are unavailable or fail to function correctly.

Multiple Choice: Which of the following account should have the highest privileges?

  • a) User Account
  • b) Emergency Access Account
  • c) Break-Glass Account

Answer: c) Break-Glass Account.

Explanation: The Break-Glass account should have the highest privileges as it is designed for use during emergencies and requires unrestricted access to rectify any issue.

Single Select: Which security measure is typically associated with a break-glass account?

  • a) Firewall
  • b) Encryption
  • c) Multi-Factor Authentication

Answer: c) Multi-Factor Authentication.

Explanation: Multi-Factor Authentication (MFA) is often associated with break-glass accounts to provide an additional layer of security.

True or False: A break-glass account is not required to have an expiry date.

  • True.
  • False.

Answer: False.

Explanation: Break-glass accounts usually have an expiry date as an additional security measure to prevent misuse.

Multiple Choice: When should a break-glass account be used?

  • a) As a routine process
  • b) During security emergencies
  • c) For normal administrative tasks

Answer: b) During security emergencies.

Explanation: Break-glass accounts are intended for use during security emergencies, not for regular administrative tasks or routine processes.

Single Select: After using a break-glass account, one should?

  • a) Leave it active
  • b) Disable it
  • c) Change the password

Answer: b) Disable it.

Explanation: After using a break-glass account, it should be disabled as an essential security measure to prevent unauthorized use.

True or False: The actions performed using break-glass accounts do not need to be audited.

  • True.
  • False.

Answer: False.

Explanation: The activities conducted through break-glass accounts should always be audited thoroughly for potential security threats or unauthorized actions.

Multiple Choice: Who should have access to break-glass accounts in an organization?

  • a) All employees
  • b) Select IT administrators
  • c) Customers

Answer: b) Select IT administrators.

Explanation: In general, only a select few IT administrators should have access to the break-glass accounts, as it’s a high-privilege account used during emergencies.

True or False: Break-glass accounts should be used for day-to-day administration tasks.

  • True.
  • False.

Answer: False.

Explanation: A Break-glass account is an emergency account and should rarely be used, not for everyday administration tasks.

Single Select: In Microsoft Azure, which feature helps provide additional control and security over break-glass accounts?

  • a) Azure Firewall
  • b) Azure Active Directory
  • c) Privileged Identity Management

Answer: c) Privileged Identity Management.

Explanation: Azure’s Privileged Identity Management (PIM) feature provides additional control and security over break-glass accounts by ensuring they’re only activated when necessary and appropriately monitored.

Interview Questions

What is a break-glass account?

A break-glass account is an emergency account with elevated permissions that’s created for use in extraordinary circumstances where normal administrative access might be unavailable or compromised.

What is the primary purpose of a break-glass account in Microsoft Identity and Access Management?

The primary purpose of a break-glass account is to ensure that there’s a way to access critical systems when regular administrative accounts are locked out, or in the event of an emergency.

How should the password for a break-glass account be managed?

The password for a break-glass account should be complex, stored securely offline, and should be changed immediately following every use of the account. It is usually managed by top-level administrators or management.

Who should have access to a break-glass account?

Only a limited number of trusted senior individuals should have access to the break-glass account. These could be top-level administrators or management members.

Should the use of a break-glass account be monitored and how?

Yes. Usage of the break-glass account should be closely monitored to identify security breaches or misuse. Alert policies and monitoring systems should be in place to track its activity.

How often should the break-glass account be tested?

It is recommended to periodically test the break-glass account to ensure that it works when needed and the testing should preferably align with the company’s disaster recovery plan.

Can Privileged Identity Management (PIM) roles be assigned to a break-glass account?

No. Microsoft recommends not assigning PIM roles to the break-glass account to avoid potential security risks.

How many break-glass accounts should an organization have?

It’s recommended for an organization to have at least two break-glass accounts. This ensures there is always a backup account in case one account is locked out or compromised.

How can an Azure AD break-glass account be made more secure?

An Azure AD break-glass account can be made more secure by enabling multi-factor authentication (MFA), regularly updating the password, reducing the number of people who know the password, and monitoring the account’s usage.

Should a break-glass account be used for routine tasks?

No, a break-glass account is meant for use in emergency situations and should not be used for routine tasks.

How are break-glass accounts set up in Azure Active Directory?

Break-glass accounts are set up in Azure AD as a part of the Conditional Access policy. They have a “Baseline policy: Require MFA for admins (Preview)” which is enabled.

Are break-glass accounts exempt from certain security policies?

Yes, in certain situations like recovery scenarios, break-glass accounts may be exempted from security policies such as multi-factor authentication.

What privileges does a break-glass account hold?

A break-glass account holds the highest level of privileges such as Global Admin privileges, to ensure unrestricted access to all resources in case of emergency.

Why should the use of break-glass accounts be kept minimal?

The use of break-glass accounts should be minimal due to their elevated level of permissions. They pose a potential security risk, so their use should be restricted to emergency situations only.

What happens after using a break-glass account?

After each use of a break-glass account, an immediate password change and a review of the account activity should be performed to maintain security.

Leave a Reply

Your email address will not be published. Required fields are marked *