


Break Glass Routine for Azure AD/Office 365
ORGANIZATION NAME
2020-01-01

Introduction

Identity protection solutions such as Conditional Access and MFA are key security features that protect your organization from identity-based attacks in Azure AD and Office 365. However, it is important to have an emergency plan in place in case any of these features locks out users and administrators due to misconfiguration or downtime. Other key identity infrastructure services, such as Azure AD Connect, federation, DNS, and custom domains, can also break and cause major problems for authentication against Azure AD.

This document describes the organization's Break Glass Routine, which allows global administrators to log in to admin portals and other tools in the event of operational problems, for troubleshooting and remediation purposes.

The routine must only be used in case of emergency!

Break Glass Accounts

There are two special "Break Glass" accounts in the organization. These accounts may be used for an emergency sign-in to the Azure Portal and other administration portals for debugging and operations:

Username - Account 1: CUSTOMER-17283@CUSTOMER.
Username - Account 2: CUSTOMER-83927@CUSTOMER.

These accounts have been assigned the global administrator role and have long, complex passwords that nobody in the organization should know. The passwords are stored in two sealed envelopes in a safe place (see routine).

These accounts have the following properties to reduce dependencies on other functions and infrastructure:

- Global Admin (not PIM enabled)
- Password Never Expires
- No MFA
- Excluded from all Conditional Access policies
- Cloud-only (not synced from on-prem AD)
- Does not use federated login
- Does not use a custom domain (has a *. address)

System owner for Azure AD

The system owner for Azure AD should always be notified before the Break Glass routine is activated.

System owner: Name

List of Approved Admins

Only the approved global administrators in the following list are authorized to use these break glass accounts, and only in an emergency.

Name    Email    Phone

Break Glass Routine

In case of an emergency, the routine is carried out according to the following steps:

1. The system owner for Azure AD is notified of the situation and that a break glass account will be used.
2. The account password is retrieved from secure storage (fireproof safe) and the envelope seal is broken.
3. Login with username and password is performed against and remediation.
4. The password is placed in a new sealed envelope and returned to its secure location.
5. The system owner is notified that the routine is completed.

This routine should be practiced regularly (every 90th day).

Monitoring of Break Glass Accounts

The break glass accounts are monitored with alerts, and all global admins receive email alerts on any account activity. When an alert is triggered, the cause must be examined, and the account may need to be renamed and the password changed.

Guidelines from Microsoft

Manage emergency access accounts in Azure AD
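The account properties and the monitoring rule above, as an added example that is not part of the routine document: an offline Python audit that reads Microsoft Graph style user, Conditional Access policy and domain objects from constructed sample data and reports which of the listed properties an account violates, plus a filter that flags any sign-in by the two accounts. The property names are real Graph fields; the object ids, sample values, helper names and the *.onmicrosoft.com suffix used for the non-custom domain are assumptions.

```python
"""Offline audit of the break glass account properties and of sign-in activity.
Added example, not from the routine document; Graph property names are real,
the sample data, object ids and the *.onmicrosoft.com suffix are assumptions."""

BREAK_GLASS_IDS = {"bg-1", "bg-2"}          # constructed object ids of the two accounts
DEFAULT_DOMAIN_SUFFIX = ".onmicrosoft.com"  # assumed: the tenant's non-custom domain

def audit_account(user: dict, policies: list, domains: dict) -> list:
    """Return the properties from the routine that the account violates (empty = OK)."""
    findings = []
    domain = user["userPrincipalName"].split("@", 1)[1].lower()
    # Password Never Expires: Graph exposes it as a passwordPolicies flag
    if "DisablePasswordExpiration" not in (user.get("passwordPolicies") or ""):
        findings.append("password expiration is not disabled")
    # Cloud-only: must not be synced from on-prem AD
    if user.get("onPremisesSyncEnabled"):
        findings.append("synced from on-prem AD")
    # No custom domain: UPN must sit on the default tenant domain
    if not domain.endswith(DEFAULT_DOMAIN_SUFFIX):
        findings.append("UPN uses a custom domain")
    # No federated login: the UPN domain's authenticationType must be Managed
    if domains.get(domain, "Managed") == "Federated":
        findings.append("UPN domain is federated")
    # Excluded from all Conditional Access policies, checked policy by policy
    for pol in policies:
        if user["id"] not in pol["conditions"]["users"].get("excludeUsers", []):
            findings.append(f"not excluded from CA policy '{pol['displayName']}'")
    return findings

def signins_to_alert(signin_logs: list) -> list:
    """Any sign-in by a break glass account is alert-worthy (see Monitoring section)."""
    return [rec for rec in signin_logs if rec.get("userId") in BREAK_GLASS_IDS]

# Constructed sample data: one compliant account, one that drifted from the routine.
GOOD_USER = {"id": "bg-1", "userPrincipalName": "bg-admin-1@example.onmicrosoft.com",
             "passwordPolicies": "DisablePasswordExpiration", "onPremisesSyncEnabled": None}
BAD_USER = {"id": "bg-2", "userPrincipalName": "bg-admin-2@example.com",
            "passwordPolicies": None, "onPremisesSyncEnabled": True}
POLICIES = [
    {"displayName": "Require MFA for all users",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-1", "bg-2"]}}},
    {"displayName": "Block legacy authentication",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-1"]}}},
]
DOMAINS = {"example.onmicrosoft.com": "Managed", "example.com": "Federated"}
SIGNINS = [{"userId": "bg-1", "ipAddress": "198.51.100.7", "status": "success"},
           {"userId": "u-42", "ipAddress": "198.51.100.9", "status": "success"}]

if __name__ == "__main__":
    for u in (GOOD_USER, BAD_USER):
        print(u["userPrincipalName"], audit_account(u, POLICIES, DOMAINS) or "OK")
    print("alerts:", signins_to_alert(SIGNINS))
```

Running it against live data means fetching the same objects from Graph (users, identity/conditionalAccess/policies, domains) and passing them in unchanged; a non-empty finding list for either account means the routine's preconditions no longer hold.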
