Why is an Emergency Access Plan needed for accessing the M365 tenant?
An Emergency Access Plan ensures that your Microsoft 365 environment remains accessible to administrators even in critical situations, such as a lockout of all regular admin accounts.
These specialized accounts are indispensable if administrative access is blocked due to a misconfiguration or the loss of regular admin credentials.
Emergency Access Accounts allow you to maintain control over your environment and take action during critical scenarios.
Requirements
M365 Admin Role: Access to Conditional Access, Entra ID user management, and subscriptions is necessary.
Active Subscription: An active Microsoft 365 subscription is required.
Account Creation
Link: [Entra Portal](https://entra.microsoft.com) > Identity > Users
Naming Convention: Use a standardized naming convention, e.g., "EmergencyAccount_1," to clearly identify the accounts.
Domain Selection: Use the default tenant domain (*.onmicrosoft.com) rather than a custom domain to mitigate reconnaissance attempts.
MFA Methods: Configure multiple authentication methods, such as FIDO keys, Authenticator app, and email, to maximize security.
Conditional Access Group: Assign Emergency Access Accounts to the dedicated group CA-Persona-BreakGlassAccounts to manage policies effectively.
Note: Always create two Emergency Access Accounts and store the FIDO keys in secure locations.
Conditional Access Policy
Link: Intune Portal > Devices > Conditional Access > Policies
Objective: Ensure that Emergency Access Accounts can authenticate exclusively using phishing-resistant MFA methods.
Recommended Policy Settings
Users: Target the CA-Persona-BreakGlassAccounts group (Emergency Access Users group).
Target Resources: Apply to all resources.
Grant: Allow access with the authentication strength set to "Phishing-resistant MFA."
Session: Configure sign-in frequency to 1 hour.
Note: Ensure that Emergency Access Accounts are excluded from all other Conditional Access Policies, except for the dedicated policy designed for these accounts.
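The exclusion rule in the note above is easy to get wrong when new policies are added later. The following check, an added example that is not part of this guide, reads Conditional Access policies in the JSON shape returned by Microsoft Graph (GET /identity/conditionalAccess/policies) and reports every active policy that would hit the break-glass group without excluding it; the group ID, the dedicated policy name and the policy list are constructed placeholders, and exclusions made per user rather than per group are not checked.

```python
"""Verify that the break-glass group is excluded from every Conditional Access
policy except the dedicated one. Added example; group ID and policy names are
placeholders, and SAMPLE_POLICIES is a constructed sample in Graph's JSON shape."""

BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000001"   # placeholder, not a real ID
DEDICATED_POLICY_NAME = "CA - BreakGlass - Phishing-resistant MFA"  # assumed name

def _policy(name, state, include_users=(), include_groups=(), exclude_groups=()):
    """Build a trimmed policy object with the fields Graph returns under conditions.users."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": list(include_users),
                                     "includeGroups": list(include_groups),
                                     "excludeUsers": [],
                                     "excludeGroups": list(exclude_groups)}}}

# Constructed sample: one dedicated policy, one correct exclusion, one missing, one disabled
SAMPLE_POLICIES = [
    _policy(DEDICATED_POLICY_NAME, "enabled", include_groups=[BREAK_GLASS_GROUP_ID]),
    _policy("CA - All users - Require MFA", "enabled", include_users=["All"],
            exclude_groups=[BREAK_GLASS_GROUP_ID]),
    _policy("CA - Block legacy auth", "enabled", include_users=["All"]),   # exclusion missing
    _policy("CA - Old pilot", "disabled", include_users=["All"]),          # disabled: ignored
]

def policy_targets_group(policy, group_id):
    """True if the policy can apply to members of group_id (all users, or the group itself)."""
    users = policy["conditions"]["users"]
    return "All" in users.get("includeUsers", []) or group_id in users.get("includeGroups", [])

def find_missing_exclusions(policies, group_id, dedicated_name):
    """Names of non-disabled policies (report-only included) that target the group but
    do not exclude it, skipping the dedicated break-glass policy."""
    findings = []
    for p in policies:
        if p["displayName"] == dedicated_name or p["state"] == "disabled":
            continue
        excluded = group_id in p["conditions"]["users"].get("excludeGroups", [])
        if policy_targets_group(p, group_id) and not excluded:
            findings.append(p["displayName"])
    return findings

def dedicated_policy_ok(policies, group_id, dedicated_name):
    """True if the dedicated policy exists, is enabled and explicitly includes the group."""
    for p in policies:
        if p["displayName"] == dedicated_name:
            return p["state"] == "enabled" and group_id in p["conditions"]["users"]["includeGroups"]
    return False

if __name__ == "__main__":
    print("Missing exclusions:", find_missing_exclusions(SAMPLE_POLICIES, BREAK_GLASS_GROUP_ID, DEDICATED_POLICY_NAME))
    print("Dedicated policy OK:", dedicated_policy_ok(SAMPLE_POLICIES, BREAK_GLASS_GROUP_ID, DEDICATED_POLICY_NAME))
```

Run it against the real policy list by replacing SAMPLE_POLICIES with the value array from the Graph response; an empty findings list and a True dedicated-policy result mean the configuration matches the note.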
Log Analytics Workspace
Link: Azure Portal
Objective: Store sign-in logs in a dedicated Log Analytics Workspace to filter and monitor access by Emergency Access Accounts.
Steps to Configure
Create a Resource Group: Set up a resource group (e.g., rg-signinlogs-prod-weu-01).
Create a Workspace: Configure a Log Analytics Workspace (e.g., log-signinlogs-prod-weu).
Log Forwarding: Navigate to Entra Portal > Monitoring & Health > Diagnostic Settings.
You can configure the Sign-In Logs to be written to the workspace, allowing extended retention (default retention for Sign-In Logs is 30 days).
Advantage
The data can now be queried using KQL (Kusto Query Language), enabling targeted searches for logins by Emergency Access Accounts.
Alert Rule
Link: Azure Portal > Resource Group > Alerts > Alert Rule
Objective: Notify the IT department whenever an Emergency Access Account is used, enabling immediate action in case of an emergency or unauthorized access.
Example alert query (replace "User-ID" with the object ID of each Emergency Access Account):

```kql
// Alert on any sign-in by the Emergency Access Account; filter first, then select the columns worth seeing
SigninLogs
| where UserId == "User-ID"
| project TimeGenerated, UserPrincipalName, UserId, IPAddress, AppDisplayName, ResultType
```
User Experience
A well-defined Emergency Access plan not only enhances security but also provides a simplified yet secure user experience during critical situations. Administrators can be confident that emergency accounts are both protected from unauthorized access and readily available when needed.
Summary
Emergency Access Accounts are a critical component of the security strategy for Microsoft 365. By leveraging strong authentication methods, tailored Conditional Access policies, and monitoring via Log Analytics, these accounts can be secured effectively.
Regular reviews of Sign-In Logs enable early risk detection and swift response to potential threats.
This structured approach ensures your organization is prepared for emergencies and implements access controls optimally.