articles/active-directory/users-groups-roles/directory-emergency-access.md
Lines changed: 6 additions & 7 deletions
@@ -32,7 +32,7 @@ An organization might need to use an emergency access account in the following s
32
32
- The person with the most recent Global Administrator access has left the organization. Azure AD prevents the last Global Administrator account from being deleted, but it does not prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.
33
33
- Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable.
34
34
35
-
## Create two cloud-based emergency access accounts
35
+
## Create emergency access accounts
36
36
37
37
Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the \*.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
38
38
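Review bot: the new heading "Create emergency access accounts" drops the "two" and "cloud-based" qualifiers from the old one; the paragraph directly under it still carries both requirements ("Create two or more", "cloud-only accounts that use the \*.onmicrosoft.com domain and that are not federated or synchronized"), so the section stays consistent, but the rename changes the heading's generated anchor, so check any inbound links to this section before merging.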
@@ -43,7 +43,6 @@ When configuring these accounts, the following requirements must be met:
43
43
- The device or credential must not expire or be in scope of automated cleanup due to lack of use.
44
44
- You should make the Global Administrator role assignment permanent for your emergency access accounts.
45
45
46
-
47
46
### Exclude at least one account from phone-based multi-factor authentication
48
47
49
48
To reduce the risk of an attack resulting from a compromised password, Azure AD recommends that you require multi-factor authentication for all individual users. This group includes administrators and all others (for example, financial officers) whose compromised account would have a significant impact.
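Review bot: whitespace-only change (one of the two blank lines before the "### Exclude at least one account from phone-based multi-factor authentication" heading is removed), fine as is. While this list is being touched: the context line says "the following requirements must be met", yet the last item is worded as advice ("You should make the Global Administrator role assignment permanent"); either phrase it as a requirement ("The Global Administrator role assignment must be permanent") or move it out of the requirements list.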
@@ -54,19 +53,19 @@ However, at least one of your emergency access accounts should not have the same
54
53
55
54
During an emergency, you do not want a policy to potentially block your access to fix an issue. At least one emergency access account should be excluded from all Conditional Access policies. If you have enabled a [baseline policy](../conditional-access/baseline-protection.md), you should exclude your emergency access accounts.
56
55
57
-
## Additional guidance for hybrid customers
56
+
## Federation guidance
58
57
59
58
An additional option for organizations that use AD Domain Services and ADFS or similar identity provider to federate to Azure AD, is to configure an emergency access account whose MFA claim could be supplied by that identity provider. For example, the emergency access account could be backed by a certificate and key pair such as one stored on a smartcard. When that user is authenticated to AD, ADFS can supply a claim to Azure AD indicating that the user has met MFA requirements. Even with this approach, organizations must still have cloud-based emergency access accounts in case federation cannot be established.
60
59
61
-
## Store devices and credentials in a safe location
60
+
## Store account credentials safely
62
61
63
62
Organizations need to ensure that the credentials for emergency access accounts are kept secure and known only to individuals who are authorized to use them. Some customers use a smartcard and others use passwords. A password for an emergency access account is usually separated into two or three parts, written on separate pieces of paper, and stored in secure, fireproof safes that are in secure, separate locations.
64
63
65
64
If using passwords, make sure the accounts have strong passwords that do not expire the password. Ideally, the passwords should be at least 16 characters long and randomly generated.
66
65
67
-
## Monitor sign-in and audit log alerts
66
+
## Monitor sign-in and audit logs
68
67
69
-
Organizations need to monitor activity from these accounts and trigger notifications to other Administrators. When you monitor the activity on break glass accounts, you can verify these accounts are only used for testing or actual emergencies. Azure Log Analytics can monitor the sign-in logs and trigger email and SMS alerts to your admins whenever break glass accounts sign-in.
68
+
Organizations should monitor sign-in and audit log activity from the emergency accounts and trigger notifications to other administrators. When you monitor the activity on break glass accounts, you can verify these accounts are only used for testing or actual emergencies. You can use Azure Log Analytics to monitor the sign-in logs and trigger email and SMS alerts to your admins whenever break glass accounts signin.
70
69
71
70
### Prerequisites
72
71
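Review bot: the rewritten monitoring paragraph at the end of this hunk introduces a typo, "whenever break glass accounts signin"; the verb form is "sign in" (the deleted line's "sign-in" was also not the verb form), so this should read "whenever break glass accounts sign in". The renamed heading "Store account credentials safely" also drops "devices" even though the section body still covers smartcards as well as passwords; something like "Store credentials and devices safely" would keep the heading matching its content. As with the other renames in this commit ("Federation guidance", "Monitor sign-in and audit logs"), the generated anchors change, so check inbound links.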
@@ -129,7 +128,7 @@ Organizations need to monitor activity from these accounts and trigger notificat
129
128
1. Add any additional actions you want to trigger.
130
129
1. Select **OK**.
131
130
132
-
## Validate accounts at regular intervals
131
+
## Validate accounts regularly
133
132
134
133
When you train staff members to use emergency access accounts and validate the emergency access accounts, at minimum do the following steps at regular intervals:
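Review bot: "Validate accounts regularly" matches the body's "at regular intervals", so the rename reads fine; like the other heading renames in this commit it changes the generated anchor, so update any cross-references to the old "Validate accounts at regular intervals" heading.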