SecureCloud Experts
By Valentin Keiling

Microsoft 365 Emergency Access

Why is an Emergency Access Plan needed for accessing the M365 tenant?

An Emergency Access Plan ensures that your Microsoft 365 environment remains accessible even in critical situations.

The specialized accounts behind such a plan, Emergency Access Accounts (often called break-glass accounts), are indispensable if administrative access is blocked due to a misconfiguration or the loss of regular admin credentials.

Emergency Access Accounts allow you to maintain control over your environment and take action during critical scenarios.

Requirements

M365 Admin Role: Access to Conditional Access, Entra ID User Management, and Subscriptions is necessary.

Active Subscription: An active Microsoft 365 subscription is required.

Account Creation

  • Link: [Entra Portal](https://entra.microsoft.com) > Identity > Users

  • Naming Convention: Use a standardized naming convention, e.g., "EmergencyAccount_1," to clearly identify the accounts.

  • Domain Selection: Use the default MOERA domain (*.onmicrosoft.com) rather than a custom domain to mitigate reconnaissance attempts.

  • MFA Methods: Configure multiple authentication methods, such as FIDO keys, Authenticator app, and email, to maximize security.

  • Conditional Access Group: Assign Emergency Access Accounts to the dedicated group CA-Persona-BreakGlassAccounts to manage policies effectively.

Note: Always create two Emergency Access Accounts and store the FIDO keys in secure locations.


Conditional Access Policy

Link: Intune Portal > Devices > Conditional Access > Policies

Objective: Ensure that Emergency Access Accounts can authenticate exclusively using phishing-resistant MFA methods.


Recommended Policy Settings

  • Users: Target the CA-Persona-BreakGlassAccounts group (Emergency Access Users group).

  • Target Resources: Apply to all resources.

  • Grant: Allow access with the authentication strength set to "Phishing-resistant MFA."

  • Session: Configure sign-in frequency to 1 hour.

Note: Ensure that Emergency Access Accounts are excluded from all other Conditional Access Policies, except for the dedicated policy designed for these accounts.
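As an added example (not part of the original post), a Python check that audits an exported set of Conditional Access policies against the two rules above: the break-glass group must be excluded from every other policy, and the dedicated policy must target only that group with the phishing-resistant authentication strength. The policy dicts follow the Microsoft Graph conditionalAccessPolicy shape; the group object id, the policy names and the sample policies are constructed for illustration.

```python
"""Audit Entra Conditional Access policies for break-glass hygiene.

Checks the two rules from the section above: every policy except the dedicated
break-glass policy must exclude the CA-Persona-BreakGlassAccounts group, and the
dedicated policy must target only that group with phishing-resistant MFA.
Policies are dicts in the shape Microsoft Graph returns for
/identity/conditionalAccess/policies; the sample data below is constructed.
"""
# Built-in authentication strength id for "Phishing-resistant MFA" in Entra ID.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

def audit_policies(policies, bg_group_id, dedicated_policy_name):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    dedicated = [p for p in policies if p["displayName"] == dedicated_policy_name]
    if len(dedicated) != 1:
        return [f"expected exactly one policy named {dedicated_policy_name!r}"]
    for p in policies:
        users = p.get("conditions", {}).get("users", {})
        if p["displayName"] == dedicated_policy_name:
            strength = (p.get("grantControls") or {}).get("authenticationStrength") or {}
            if users.get("includeGroups") != [bg_group_id] or users.get("includeUsers"):
                findings.append(f"{p['displayName']}: must target only the break-glass group")
            if strength.get("id") != PHISHING_RESISTANT_MFA:
                findings.append(f"{p['displayName']}: authentication strength is not phishing-resistant MFA")
            if p.get("state") != "enabled":
                findings.append(f"{p['displayName']}: policy is not enabled")
        elif bg_group_id not in users.get("excludeGroups", []):
            # Report-only and disabled policies count too: they go live with one click.
            findings.append(f"{p['displayName']}: does not exclude the break-glass group")
    return findings

# Constructed sample: object ids and names are placeholders, not real tenant values.
BG_GROUP = "11111111-aaaa-4bbb-8ccc-000000000001"
DEDICATED = "CA-BreakGlass-PhishingResistant"
SAMPLE_POLICIES = [
    {"displayName": "CA001-Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [BG_GROUP]}}},
    {"displayName": "CA002-Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}}},
    {"displayName": DEDICATED, "state": "enabled",
     "conditions": {"users": {"includeGroups": [BG_GROUP]}},
     "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}},
]

if __name__ == "__main__":
    for finding in audit_policies(SAMPLE_POLICIES, BG_GROUP, DEDICATED) or ["compliant"]:
        print(finding)
```

Run against a real export (for example the JSON returned by `GET /identity/conditionalAccess/policies`), the second sample policy is the kind of gap that would lock the break-glass accounts out along with everyone else.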


Log Analytics Workspace

Link: Azure Portal

Objective: Store sign-in logs in a dedicated Log Analytics Workspace to filter and monitor access by Emergency Access Accounts.


Steps to Configure

  1. Create a Resource Group: Set up a resource group (e.g., rg-signinlogs-prod-weu-01).

  2. Create a Workspace: Configure a Log Analytics Workspace (e.g., log-signinlogs-prod-weu).

  3. Log Forwarding: Navigate to Entra Portal > Monitoring & Health > Diagnostic Settings and configure the Sign-In Logs to be written to the workspace. This allows extended retention (default retention for Sign-In Logs is 30 days).


Advantage

The data can now be queried using KQL (Kusto Query Language), enabling targeted searches for logins by Emergency Access Accounts.


Alert Rule

Link: Azure Portal > Resource Group > Alerts > Alert Rule

Objective: Notify the IT department whenever an Emergency Access Account is used, enabling immediate action in case of an emergency or unauthorized access.

The alert rule is based on a Log Analytics query over the forwarded sign-in logs. Replace the placeholder with the object ID of each Emergency Access Account:

```kusto
SigninLogs
| where UserId == "<User-ID of the Emergency Access Account>"
| project TimeGenerated, UserPrincipalName, UserId, AppDisplayName, IPAddress, ResultType
```

User Experience

A well-defined Emergency Access plan not only enhances security but also provides a simplified yet secure user experience during critical situations. Administrators can be confident that emergency accounts are both protected from unauthorized access and readily available when needed.

Summary

Emergency Access Accounts are a critical component of the security strategy for Microsoft 365. By leveraging strong authentication methods, tailored Conditional Access policies, and monitoring via Log Analytics, these accounts can be secured effectively.

Regular reviews of Sign-In Logs enable early risk detection and swift response to potential threats.

This structured approach ensures your organization is prepared for emergencies and implements access controls optimally.
