Monitor Your Break Glass Account CA Policy Exclusions with PowerShell


In Microsoft Entra ID (formerly Azure AD), break glass accounts serve as your emergency access path when normal administrative channels are unavailable. These critical accounts need special handling – particularly when it comes to Conditional Access Policies (CAPs). While CAPs are essential for securing your environment, they can inadvertently lock out your emergency access accounts during a crisis if not properly configured.

The challenge many organizations face is maintaining visibility into whether break glass accounts remain properly excluded from restrictive policies as CAPs evolve over time. A single policy update could inadvertently subject a break glass account to MFA requirements, IP restrictions, or other controls that might render it unusable during an emergency.

The latest addition to ConditionalAccessIQ – Invoke-CAIQBreakGlassAssessment – directly addresses this critical security concern. This new functionality provides a simple way to verify that your emergency access accounts remain properly excluded from all Conditional Access policies.

You Should Know:

To effectively monitor and manage break glass accounts in Microsoft Entra ID, you can use PowerShell commands and scripts. Below are some practical steps and commands to help you ensure your break glass accounts are properly excluded from Conditional Access Policies.

1. Install the ConditionalAccessIQ Module:

Install-Module -Name ConditionalAccessIQ -Force -Scope CurrentUser

2. Import the Module:

Import-Module ConditionalAccessIQ

3. Run the Break Glass Assessment:

Invoke-CAIQBreakGlassAssessment -TenantId "your-tenant-id" -BreakGlassAccount "[email protected]"

4. Check the Results:

The command will output a detailed report showing whether the break glass account is excluded from all Conditional Access Policies. If any policies are found that include the break glass account, you will need to update those policies to exclude the account.

5. Update Conditional Access Policies:

If you find that your break glass account is not properly excluded, add it to the policy's exclusion list. Note that Set-AzureADMSConditionalAccessPolicy has no -ExcludeUsers parameter: the exclusion lives inside the -Conditions object, which replaces the policy's entire condition set, and it takes the account's object ID rather than its UPN. Read the existing conditions first and append the ID, so the other conditions survive the update. The AzureAD module is also deprecated in favour of the Microsoft Graph PowerShell SDK, where the equivalent cmdlet is Update-MgIdentityConditionalAccessPolicy.

$policy = Get-AzureADMSConditionalAccessPolicy -PolicyId "policy-id"
$policy.Conditions.Users.ExcludeUsers += "break-glass-account-object-id"
Set-AzureADMSConditionalAccessPolicy -PolicyId "policy-id" -Conditions $policy.Conditions

6. Automate Regular Checks:

To ensure ongoing compliance, you can automate the break glass assessment by scheduling a PowerShell script to run at regular intervals. Here’s an example script:

$tenantId = "your-tenant-id"
$breakGlassAccount = "[email protected]"
$report = Invoke-CAIQBreakGlassAssessment -TenantId $tenantId -BreakGlassAccount $breakGlassAccount
if ($report.NonCompliantPolicies.Count -gt 0) {
    # Send-MailMessage needs a string body and an SMTP relay; $report is an object, so render it first
    Send-MailMessage -To "[email protected]" -From "[email protected]" -SmtpServer "smtp.yourdomain.com" -Subject "Break Glass Account Policy Check Failed" -Body ($report | Out-String)
}
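The six steps above lean entirely on ConditionalAccessIQ reporting the result. The following script is an added example, not part of the original post or of the ConditionalAccessIQ module, that performs the same assessment independently with the Microsoft Graph PowerShell SDK, so you can cross-check the module's verdict or run the check where the module is not installed. It goes a little beyond the post by also treating group-scoped and role-scoped policies as in scope: a policy that targets "All users" or the Global Administrator role covers the break glass account just as much as one that names it directly. The function name Get-BreakGlassCAFindings, the UPN, the mail addresses and the SMTP host are all constructed placeholders; the script assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns modules are installed and that the caller can consent to Policy.Read.All, User.Read.All and Directory.Read.All.

```powershell
# Added example (not ConditionalAccessIQ code): check whether a break glass account is
# excluded from every enabled Conditional Access policy that would otherwise cover it.
# Assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Users and
# Microsoft.Graph.Identity.SignIns modules. UPN, mail addresses and SMTP host are placeholders.

function Get-BreakGlassCAFindings {
    param([Parameter(Mandatory)][string]$BreakGlassUpn)

    $user = Get-MgUser -UserId $BreakGlassUpn -Property Id, UserPrincipalName

    # Transitive memberships let us resolve group- and role-scoped policies.
    # CA policies reference directory roles by roleTemplateId, not by the role object's Id.
    $memberOf = Get-MgUserTransitiveMemberOf -UserId $user.Id -All
    $groupIds = @($memberOf |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { $_.Id })
    $roleTemplateIds = @($memberOf |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['roleTemplateId'] })

    foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
        $u = $policy.Conditions.Users

        # The account is in scope if the policy targets everyone, the account itself,
        # one of its groups, or one of the roles it holds.
        $inScope = ($u.IncludeUsers -contains 'All') -or
                   ($u.IncludeUsers -contains $user.Id) -or
                   (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0) -or
                   (@($u.IncludeRoles  | Where-Object { $roleTemplateIds -contains $_ }).Count -gt 0)

        # Any of the three exclusion paths is enough to keep the policy off the account.
        $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                    (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0) -or
                    (@($u.ExcludeRoles  | Where-Object { $roleTemplateIds -contains $_ }).Count -gt 0)

        [pscustomobject]@{
            PolicyId     = $policy.Id
            DisplayName  = $policy.DisplayName
            State        = $policy.State   # enabled / disabled / enabledForReportingButNotEnforced
            InScope      = $inScope
            Excluded     = $excluded
            # Only an enabled policy that targets the account without excluding it can lock it out.
            NonCompliant = ($policy.State -eq 'enabled') -and $inScope -and (-not $excluded)
        }
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'Directory.Read.All' -NoWelcome

$findings = Get-BreakGlassCAFindings -BreakGlassUpn 'breakglass@contoso.example'   # placeholder UPN
$findings | Format-Table DisplayName, State, InScope, Excluded, NonCompliant -AutoSize

$nonCompliant = @($findings | Where-Object { $_.NonCompliant })
if ($nonCompliant.Count -gt 0) {
    $body = "Enabled Conditional Access policies that target the break glass account without excluding it:`n`n" +
            (($nonCompliant | ForEach-Object { "- $($_.DisplayName) ($($_.PolicyId))" }) -join "`n")
    Send-MailMessage -To 'security@contoso.example' -From 'caiq@contoso.example' `
        -Subject 'Break glass CA exclusion check FAILED' -Body $body -SmtpServer 'smtp.contoso.example'
    exit 1   # non-zero exit so a scheduled task, runbook or pipeline surfaces the failure
}
```

Report-only policies (enabledForReportingButNotEnforced) are listed but not flagged, since they cannot block a sign-in today; you may prefer to flag them too, because they are usually one click away from being enforced. The script deliberately reports rather than remediates: changing a Conditional Access policy from an unattended job is exactly the kind of silent drift this check exists to catch, so the fix belongs in a reviewed change like the one in step 5.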

What Undercode Say:

Ensuring that your break glass accounts are properly excluded from Conditional Access Policies is crucial for maintaining emergency access to your Microsoft Entra ID environment. By using PowerShell and the ConditionalAccessIQ module, you can automate the monitoring and management of these critical accounts, reducing the risk of being locked out during an emergency. Regularly running the `Invoke-CAIQBreakGlassAssessment` command and updating policies as needed will help you maintain a secure and resilient access management strategy.


Reported By: Gabe Delaney – Hackers Feeds