Here is the process to create emergency access (Break Glass) accounts in your environment and Conditional Access policies as recommended by Microsoft. These policies should be first created in Report-only mode, then assessed for impact prior to fully enabling the policy. This is important for identifying all service accounts used in the organization prior to enabling the policy.
Policies containing App Protection Policies require BYOD (non-managed) device configuration in Intune.
Policies ensuring Compliant devices require that the devices be enrolled in Azure Active Directory and MDM status is available.
None of these policies require a subscription to Microsoft 365 Defender (ATP).
Emergency Access (Break Glass) Account
Emergency access accounts are highly privileged and are not assigned to specific individuals. They are limited to emergency or “break glass”‘ scenarios where normal administrative accounts can’t be used. Microsoft recommends maintaining a goal of restricting break-glass account use to only the times when it is absolutely necessary.
The emergency access account needs to be configured in such a way that an outage of a production system or miscreated Conditional Access Policy would not prevent login of that account. This is performed by ensuring:
- The account is not associated to an individual person and configured multi-factor authentication does not go to a private phone.
- Use a strong password and an alternate MFA method. If you use Microsoft Autenticator, as an example, use a FIDO2 key for the break glass account. Use another method, like phoning the Infrastructure Support number, for MFA on the second account.
- Do not store the password digitally, nor on the same piece of paper. Ideally, separate the password into 3 sections, on three pieces of paper that are stored in secure, separate locations.
- The account and authentication method must be set to never expire.
- Assign Global Administrator privileges statically to the account instead of using PIM.
- Exclude all break glass accounts from all conditional access policies.
- Create an alert to notify whenever a signin attempt is made on the break glass accounts.
To create the accounts, perform the following steps:
- Sign in to the Azure portal or Azure AD admin center as an existing Global Administrator.
- Select Azure Active Directory > Users.
- Select New user.
- Select Create user.
- Give the account a Username. Use the tenant.onmicrosoft.com extension (this will avoid issues with 3rd party domain names).
- Give the account a Name. Use Emergency Access Break Glass Account.
- Create a long and complex password for the account.
- Under Roles, assign the Global Administrator role.
- Under Usage location, select the appropriate location.
- Select Create.
- Repeat the process for a second account.
Conditional Access Policies
The following policies are an excerpt from Microsoft’s published list, here, that I consider as a priority. Smaller organizations that do not use 3rd party service providers may not choose all these. The first four should be present in every tenant.
001: Block access by location
With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. The location condition is commonly used to block access from countries/regions where your organization knows traffic shouldn’t come from.
Define Locations
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access > Named locations.
- Choose New location.
- Name the location Blocked Countries.
-
Choose Countries/Regions that do not contain users.
- If you choose Countries/Regions, you can optionally choose to include unknown areas.
- Do not select GPS, as this will require users to accept location sharing in Microsoft Authenticator.
- Choose Save.
Create the Conditional Access Policy
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
- Under Cloud apps or actions > Include, and select All cloud apps.
-
Under Conditions > Location.
- Set Configure to Yes
- Under Include, select Selected locations
- Select the blocked location you created for your organization.
- Click Select.
- Under Access controls > select Block Access, and click Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
002: Require multi-factor authentication for admins
Accounts that are assigned administrative rights are targeted by attackers. Requiring multifactor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.
For this and all Conditional Access policies, we will want to exclude Break-Glass accounts, as well as service accounts such as the AD Connect Sync Account.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
-
Under Include, select Directory roles and choose the following built-in roles:
- Global Administrator
- Application administrator
- Authentication Administrator
- Billing administrator
- Cloud application administrator
- Conditional Access Administrator
- Exchange administrator
- Helpdesk administrator
- Password administrator
- Privileged authentication administrator
- Privileged Role Administrator
- Security administrator
- SharePoint administrator
- User administrator
- Under Exclude, select Users and groups and choose the break-glass and service accounts.
-
- Under Cloud apps or actions > Include, select All cloud apps.
- Under Access controls > Grant, select Grant access, Require multifactor authentication, and click Select.
- Confirm the settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
003: Block legacy authentication
Due to the increased risk associated with legacy authentication protocols, Microsoft recommends that organizations block authentication requests using these protocols and require modern authentication.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If you don’t exclude any account, you won’t be able to create this policy.
- Under Cloud apps or actions, select All cloud apps.
-
Under Conditions > Client apps, set Configure to Yes.
- Check only the boxes Exchange ActiveSync clients and Other clients.
- Select Done.
-
Under Access controls > Grant, select Block access.
- Click Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
004: Require multi-factor authentication for all off-premises users
Require all users are using multi-factor authentication to protect against unauthorized access off-premises.
For this policy, we will want to exclude Break-Glass accounts as well as service accounts such as the AD Connect Sync Account.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All users
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
-
Under Cloud apps or actions > Include, select All cloud apps.
- Under Exclude, select any applications that don’t require multifactor authentication.
- Under Access controls > Grant, select Grant access, Require multifactor authentication, and select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
If the organization chooses to not require MFA if accessing a cloud app from an on-premises location,
-
Under Assignments, select Conditions > Locations.
- Configure Yes.
- Include Any location.
- Exclude All trusted locations.
- Select Done.
- Select Done.
- Save your policy changes.
005: Require multi-factor authentication for guest access
Require guest users perform multifactor authentication, regardless of location, when accessing your organization’s resources.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All guest and external users
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
-
Under Cloud apps or actions > Include, select All cloud apps.
- Under Exclude, select any applications that don’t require multifactor authentication.
- Under Access controls > Grant, select Grant access, Require multifactor authentication, and click Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
006: Require multi-factor authentication for Azure Management
Organizations use many Azure services and manage them from Azure Resource Manager based tools like Azure portal, Azure PowerShell, and Azure CLI. These tools can provide highly privileged access to resources that can alter subscription-wide configurations, service settings, and subscription billing. To protect these privileged resources, Microsoft recommends requiring multifactor authentication for any user accessing these resources.
While this policy is configured in Report-Only mode, you will want to pay particular attention to service accounts that could be using these connections for automated services. Those accounts will need to be excluded from this policy.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
- Under Cloud apps or actions > Include, click Select apps, choose Microsoft Azure Management, and click Select.
- Under Access controls > Grant, select Grant access, Require multifactor authentication, and click Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
007: Require compliant or Hybrid Azure AD joined device for admins
Accounts that are assigned administrative rights are targeted by attackers. Requiring users with these highly privileged rights to perform actions from devices marked as compliant or hybrid Azure AD joined can help limit possible exposure.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
- Under Assignments, select Users or workload identities.
- Under Include, select Directory roles and choose built-in roles like:
- Global Administrator
- Application administrator
- Authentication Administrator
- Billing Administrator
- Cloud application Administrator
- Conditional Access Administrator
- Exchange Administrator
- Helpdesk Administrator
- Password Administrator
- Privileged authentication Administrator
- Privileged Role Administrator
- Security Administrator
- SharePoint Administrator
- User Administrator
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
- Under Cloud apps or actions > Include, select All cloud apps.
- Under Access controls > Grant.
- Select Require device to be marked as compliant, and Require hybrid Azure AD joined device
- For multiple controls select Require one of the selected controls.
- Click Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
008: Block access for unknown or unsupported device platforms
Users will be blocked from accessing company resources when the device type is unknown or unsupported.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All users
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
- Under Cloud apps or actions > Include, select All cloud apps.
-
Under Conditions, select Device platforms
- Set Configure to Yes.
- Under Include, select Any device
- Under Exclude, select Android, iOS, Windows, and macOS.
- Select, Done.
- Under Access controls > Grant, select Block access, then select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
009: Require approved client apps and app protection policy with mobile devices
People regularly use their mobile devices for both personal and work tasks. While making sure staff can be productive, organizations also want to prevent data loss from applications on devices they may not manage fully. This policy will ensure that only approved apps can be used to access corporate data on non-managed devices.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All users
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
- Under Cloud apps or actions > Include, select All cloud apps.
-
Under Conditions > Filter for devices, set Configure to Yes.
- Under Devices matching the rule:, set to Include filtered devices in policy.
-
Under Rule syntax select the Edit pencil and paste the following expressing in the box, then select Apply.
- device.trustType -ne “ServerAD” -or device.isCompliant -ne True
- Select Done.
-
Under Access controls > Session
- Select Sign-in frequency, specify Periodic reauthentication, and set the duration to 1 and the period to Hours.
- Select Persistent browser session, and set Persistent browser session to Never persistent.
- Select, Select
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
010: Require compliant or Hybrid Azure AD joined device or multi-factor authentication for all users
Organizations who have deployed Microsoft Intune can use the information returned from their devices to identify devices that meet compliance requirements as defined in Intune. Policy compliance information is sent to Azure AD where Conditional Access decides to grant or block access to resources.
Requiring a hybrid Azure AD joined device is dependent on your devices already being hybrid Azure AD joined.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
-
Under Cloud apps or actions > Include, select All cloud apps.
- If you must exclude specific applications from your policy, you can choose them from the Exclude tab under Select excluded cloud apps and choose Select.
-
Under Access controls > Grant.
- Select Require multifactor authentication, Require device to be marked as compliant, and Require hybrid Azure AD joined device
- For multiple controls select Require one of the selected controls.
- Select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
011: Use application enforced restrictions on unmanaged devices
Block or limit access to SharePoint, OneDrive, and Exchange content from unmanaged devices.
- Sign into the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.
- Browse to Azure Active Directory > Security > Conditional Access.
- Select New policy.
- Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
-
Under Assignments, select Users or workload identities.
- Under Include, select All users
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts.
-
Under Cloud apps or actions, select the following options:
- Under Include, choose Select apps.
- Choose Office 365, then select Select.
- Under Access controls > Session, select Use app enforced restrictions, then select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create to enable your policy.
Implementing these Conditional Access controls, while not all-encompassing, should help you sleep a little better at night.