
Commit 2197034

Merge pull request #87612 from curtand/ultravox0905
[Azure AD roles] monitor break glass account alerts
2 parents 7dae459 + 455c04a commit 2197034

4 files changed (+72 −13 lines)

articles/active-directory/users-groups-roles/directory-emergency-access.md

Lines changed: 72 additions & 13 deletions
@@ -1,11 +1,11 @@
11
---
22

33
title: Manage emergency access administrator accounts - Azure Active Directory | Microsoft Docs
4-
description: This article describes how to use emergency access accounts to help prevent being inadvertently locked out of your Azure Active Directory (Azure AD) tenant.
4+
description: This article describes how to use emergency access accounts to help prevent being inadvertently locked out of your Azure Active Directory (Azure AD) organization.
55
services: active-directory
66
author: markwahl-msft
77
ms.author: curtand
8-
ms.date: 03/19/2019
8+
ms.date: 09/09/2019
99
ms.topic: conceptual
1010
ms.service: active-directory
1111
ms.subservice: users-groups-roles
@@ -17,13 +17,13 @@ ms.collection: M365-identity-device-management
1717

1818
# Manage emergency access accounts in Azure AD
1919

20-
It is important that you prevent being inadvertently locked out of your Azure Active Directory (Azure AD) tenant because you can't sign in or activate an existing individual user's account as an administrator. You can mitigate the impact of inadvertent lack of administrative access by creating two or more *emergency access accounts* in your tenant.
20+
It is important that you prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization because you can't sign in or activate another user's account as an administrator. You can mitigate the impact of accidental lack of administrative access by creating two or more *emergency access accounts* in your organization.
2121

22-
Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency access accounts are limited to emergency or 'break glass' scenarios where normal administrative accounts cannot be used. Organizations must maintain a goal of restricting the emergency account's usage to only the times when it is absolutely necessary.
22+
Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass"' scenarios where normal administrative accounts can't be used. We recommend that you maintain a goal of restricting emergency account use to only the times when it is absolutely necessary.
2323

2424
This article provides guidelines for managing emergency access accounts in Azure AD.
2525

26-
## When would you use an emergency access account?
26+
## Why use an emergency access account
2727

2828
An organization might need to use an emergency access account in the following situations:
2929

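Review bot: New line 22 has a stray apostrophe after the closing quote in `"break glass"'` scenarios; it should read `"break glass" scenarios`. Also, new line 20 now reads "locked out ... because you can't sign in or activate another user's account as an administrator", which presents the inability to sign in as the cause of the lock-out rather than as the symptom; rewording to "locked out ..., for example when you can't sign in or can't activate another user's account as an administrator" keeps the original meaning.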
@@ -32,7 +32,7 @@ An organization might need to use an emergency access account in the following s
3232
- The person with the most recent Global Administrator access has left the organization. Azure AD prevents the last Global Administrator account from being deleted, but it does not prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.
3333
- Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable.
3434

35-
## Create two cloud-based emergency access accounts
35+
## Create emergency access accounts
3636

3737
Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the \*.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
3838

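Review bot: Renaming the heading at line 35 from "Create two cloud-based emergency access accounts" to "Create emergency access accounts" changes the generated anchor fragment, so any in-document or external links to `#create-two-cloud-based-emergency-access-accounts` will break; please check for inbound references before merging. The rename also drops "cloud-based" from the heading even though the body (line 37) still requires cloud-only `*.onmicrosoft.com` accounts that are not federated or synchronized; that requirement is the point of the section, so consider keeping it visible in the heading, for example "Create cloud-only emergency access accounts".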
@@ -43,7 +43,6 @@ When configuring these accounts, the following requirements must be met:
4343
- The device or credential must not expire or be in scope of automated cleanup due to lack of use.
4444
- You should make the Global Administrator role assignment permanent for your emergency access accounts.
4545

46-
4746
### Exclude at least one account from phone-based multi-factor authentication
4847

4948
To reduce the risk of an attack resulting from a compromised password, Azure AD recommends that you require multi-factor authentication for all individual users. This group includes administrators and all others (for example, financial officers) whose compromised account would have a significant impact.
@@ -54,24 +53,84 @@ However, at least one of your emergency access accounts should not have the same
5453

5554
During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies. If you have enabled a [baseline policy](../conditional-access/baseline-protection.md), you should exclude your emergency access accounts.
5655

57-
## Additional guidance for hybrid customers
56+
## Federation guidance
5857

5958
An additional option for organizations that use AD Domain Services and ADFS or similar identity provider to federate to Azure AD, is to configure an emergency access account whose MFA claim could be supplied by that identity provider. For example, the emergency access account could be backed by a certificate and key pair such as one stored on a smartcard. When that user is authenticated to AD, ADFS can supply a claim to Azure AD indicating that the user has met MFA requirements. Even with this approach, organizations must still have cloud-based emergency access accounts in case federation cannot be established.
6059

61-
## Store devices and credentials in a safe location
60+
## Store account credentials safely
6261

6362
Organizations need to ensure that the credentials for emergency access accounts are kept secure and known only to individuals who are authorized to use them. Some customers use a smartcard and others use passwords. A password for an emergency access account is usually separated into two or three parts, written on separate pieces of paper, and stored in secure, fireproof safes that are in secure, separate locations.
6463

6564
If using passwords, make sure the accounts have strong passwords that do not expire the password. Ideally, the passwords should be at least 16 characters long and randomly generated.
6665

67-
6866
## Monitor sign-in and audit logs
6967

70-
Monitor the [Azure AD sign-in and audit logs](../reports-monitoring/concept-sign-ins.md) for any sign-ins and audit activity from the emergency access accounts. Normally, these accounts should not be signing in and should not be making changes, so use of them is likely to be anomalous and require security investigation.
68+
Organizations should monitor sign-in and audit log activity from the emergency accounts and trigger notifications to other administrators. When you monitor the activity on break glass accounts, you can verify these accounts are only used for testing or actual emergencies. You can use Azure Log Analytics to monitor the sign-in logs and trigger email and SMS alerts to your admins whenever break glass accounts sign in.
69+
70+
### Prerequisites
71+
72+
1. [Send Azure AD sign-in logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics) to Azure Monitor.
73+
74+
### Obtain Object IDs of the break glass accounts
75+
76+
1. Sign in to the [Azure portal](https://portal.azure.com) with an account assigned to the User administrator role.
77+
1. Select **Azure Active Directory** > **Users**.
78+
1. Search for the break glass account and select the user’s name.
79+
1. Copy and save the Object ID attribute so that you can use it later.
80+
1. Repeat previous steps for second break glass account.
81+
82+
### Create an alert rule
83+
84+
1. Sign in to the [Azure portal](https://portal.azure.com) with an account assigned to the XXXX role.
85+
1. Select **All services**", enter "log analytics" and select **Log Analytics workspaces**.
86+
1. Select a workspace.
87+
1. In your workspace, select **Alerts** > **New alert rule**.
88+
1. Under **Resource**, verify that the subscription is the one with which you want to associate the alert rule.
89+
1. Under **Condition**, select **Add**.
90+
1. Select **Custom log search** under **Signal name**.
91+
1. Under **Search query**, enter the following query, inserting the object IDs of the two break glass accounts.
92+
> [!NOTE]
93+
> For each additional break glass account you want to include, add another "or UserId == "ObjectGuid"" to the query.
94+
95+
![Add the object IDs of the break glass accounts to an alert rule](./media/directory-emergency-access/query-image1.png)
96+
97+
1. Under **Alert logic**, enter the following:
98+
99+
- Based on: Number of results
100+
- Operator: Greater than
101+
- Threshold value: 0
102+
103+
1. Under **Evaluated based on**, select the **Period (in minutes)** for how long you want the query to run, and the **Frequency (in minutes)** for how often you want the query to run. The frequency should be less than or equal to the period.
104+
105+
![alert logic](./media/directory-emergency-access/alert-image2.png)
106+
107+
1. Select **Done**. You may now view the estimated monthly cost of this alert.
108+
1. Select an action group of users to be notified by the alert. If you want to create one, see [Create an action group](#create-an-action-group).
109+
1. To customize the email notification sent to the members of the action group, select actions under **Customize Actions**.
110+
1. Under **Alert Details**, specify the alert rule name and add an optional description.
111+
1. Set the **Severity level** of the event. We recommend that you set it to **Critical(Sev 0)**.
112+
1. Under **Enable rule upon creation**, leave it set as **yes**.
113+
1. To turn off alerts for a while, select the **Suppress Alerts** check box and enter the wait duration before alerting again, and then select **Save**.
114+
1. Click **Create alert rule**.
115+
116+
### Create an action group
117+
118+
1. Select **Create an action group**.
119+
120+
![create an action group for notification actions](./media/directory-emergency-access/action-group-image3.png)
121+
122+
1. Enter the action group name and a short name.
123+
1. Verify the subscription and resource group.
124+
1. Under action type, select **Email/SMS/Push/Voice**.
125+
1. Enter an action name such as **Notify global admin**.
126+
1. Select the **Action Type** as **Email/SMS/Push/Voice**.
127+
1. Select **Edit details** to select the notification methods you want to configure and enter the required contact information, and then select **Ok** to save the details.
128+
1. Add any additional actions you want to trigger.
129+
1. Select **OK**.
71130

72-
## Validate accounts at regular intervals
131+
## Validate accounts regularly
73132

74-
To train staff members to use emergency access accounts and validate the emergency access accounts, do the following minimum steps at regular intervals:
133+
When you train staff members to use emergency access accounts and validate the emergency access accounts, at minimum do the following steps at regular intervals:
75134

76135
- Ensure that security-monitoring staff are aware that the account-check activity is ongoing.
77136
- Ensure that the emergency break glass process to use these accounts is documented and current.
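Review bot: New line 84 still contains the placeholder "an account assigned to the XXXX role"; this must be filled in before merging (note that creating a log alert rule in a Log Analytics workspace is governed by Azure RBAC on the workspace, not by an Azure AD directory role like the "User administrator" role named at line 76, so the two steps should not be conflated). The query at line 91 is only shown as a screenshot (`query-image1.png`), which readers cannot copy or search; please also provide it as text, for example (assuming the standard `SigninLogs` table that the Azure Monitor integration populates) `SigninLogs | project UserId | where UserId == "<object-id-1>" or UserId == "<object-id-2>"`, and then the NOTE at line 93, whose nested quotes are garbled (`"or UserId == "ObjectGuid""`), can simply say to append another `or UserId == "<object-id>"` clause. There is also a coverage gap: line 68 promises monitoring of "sign-in and audit log activity", but the prerequisite at line 72 only routes sign-in logs to Azure Monitor and the query only matches sign-ins; either also send the audit logs and add a rule on changes initiated by these accounts, or narrow the sentence to sign-ins. The deleted line 70 stated that any use of these accounts is anomalous and should be investigated; the replacement text at line 68 only says use should be "for testing or actual emergencies", so that security-investigation expectation is lost and is worth keeping. Smaller fixes: stray `"` after **All services** at line 85; line 80 should read "for the second break glass account" (or "for each additional"); and lines 124 and 126 both tell the reader to select **Email/SMS/Push/Voice** as the action type, so one of them should be removed.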
[Three binary image files added (150 KB, 69 KB, 171 KB); previews not rendered.]
