If organizations provision break-glass access in Azure Active Directory (AD), we recommend using native tools to ensure continued administrative access.
By leveraging password vaulting or multifactor authentication (MFA), the access can be secured against accidental or malicious use. This piece explains the primary options to consider and pitfalls to avoid when creating a break-glass capability in
Break-glass access is a resiliency tactic to ensure privileged and administrative access in the event of an outage or availability impact. This could be due to personnel issues, for example, when the individual who normally performs these tasks and has administrative access in the Azure tenant becomes unreachable or unavailable. More often, it is due to an outage in primary or secondary authentication. The identity provider is down and the primary credentials for normal administrators become unavailable. Alternatively, the MFA service is down and, therefore, the secondary credentials for normal administrators are unavailable. Because accidents happen, it is important to have a backup set of privileged credentials.
A break-glass credential is unused except in case of emergency. The account must be a shared account and it must not belong to one individual. In fact, the two-person rule – where access requires the presence of two authorized people, and no one person can achieve access alone – is typically part of the break-glass model.
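One way to apply the two-person rule described above to a break-glass password, as an added example that is not part of the original article: split the password into two shares held by different custodians, so that neither can sign in alone. The function names, the 32-character length and the XOR split are assumptions made for illustration.

```python
import secrets
import string

# Assumed character set; adjust to the tenant's password policy.
ALPHABET = string.ascii_letters + string.digits + "!#$%*+-=?@_"


def generate_password(length: int = 32) -> str:
    """Generate a random password for the shared emergency account."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def split_secret(password: str) -> tuple[str, str]:
    """Split a password into two hex-encoded shares.

    Share A is a random pad and share B is the password XORed with it.
    Each share on its own is uniformly random and reveals only the
    password length; both are needed to recover the password.
    """
    data = password.encode("utf-8")
    pad = secrets.token_bytes(len(data))
    masked = bytes(d ^ p for d, p in zip(data, pad))
    return pad.hex(), masked.hex()


def combine_shares(share_a: str, share_b: str) -> str:
    """Recombine the two custodians' shares into the password."""
    a, b = bytes.fromhex(share_a), bytes.fromhex(share_b)
    if len(a) != len(b):
        raise ValueError("shares do not belong together (length mismatch)")
    try:
        return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("shares do not recombine to a valid password") from exc


if __name__ == "__main__":
    # Constructed demonstration: in practice each share goes to a separate
    # custodian or sealed envelope and the password itself is never stored.
    password = generate_password()
    share_a, share_b = split_secret(password)
    print("custodian A holds:", share_a)
    print("custodian B holds:", share_b)
    print("recombined matches:", combine_shares(share_a, share_b) == password)
```

After the account is used in an emergency, generate a new password and distribute fresh shares, because both custodians have seen the recombined value.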
There are three commonly used patterns for creating emergency administrative credentials:
When you provision the emergency credential in Azure AD as a global administrator account, consider:
The following are common mistakes to avoid with break-glass accounts:
Break-glass access is an important resiliency tactic. To ensure success, consider: