Updated Guidance for Entra ID Emergency Access Accounts (EAAs)
Source Zero | December 05, 2024

As of July 2024, Microsoft has started introducing new security measures at the tenant level that mandate multifactor authentication (MFA) for all users who access certain sensitive resources, such as the Azure portal or the Entra admin center. These changes take effect in a phased approach and are documented by Microsoft on Microsoft Learn.

Security Default Change Enforcement Timeline

| Application Name | App ID | Enforcement Phase |
| --- | --- | --- |
| Azure portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024 |
| Microsoft Entra admin center | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024 |
| Microsoft Intune admin center | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | Second half of 2024 |
| Microsoft 365 admin center | 00000006-0000-0ff1-ce00-000000000000 | Early 2025 |
| Azure command-line interface (CLI) | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | Early 2025 |
| Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | Early 2025 |
| Azure mobile app | 0c1307d4-29d6-4389-a11c-5cbe7f65d7fa | Early 2025 |
| Infrastructure as Code (IaC) tools | Use Azure CLI or Azure PowerShell IDs | Early 2025 |

This security measure is an excellent step forward by Microsoft in ensuring the security of all M365 and Azure customers. It does, however, come with the risk that certain accounts, such as emergency access (aka "break-glass") accounts, stop functioning if their authentication methods are not updated to meet the criteria of the new security defaults. It is strongly recommended that emergency access accounts (EAAs) be updated to use FIDO2 or certificate-based authentication as an MFA factor, in addition to complex passwords, to satisfy the new tenant-level security measures.
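One practical use of the timeline table is to find accounts that still reach the covered applications with single-factor sign-ins before enforcement lands. The following is an added example, not code from the original post: it keys on the App IDs listed above and runs over sign-in records constructed to mirror the fields of the Microsoft Graph signIn resource (appId, userPrincipalName, authenticationRequirement, status.errorCode).

```python
from collections import defaultdict
# App IDs and phases from the enforcement timeline table above.
# The three admin centers share the Azure portal App ID; IaC tools
# authenticate with the Azure CLI or Azure PowerShell IDs.
ENFORCED_APPS = {
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c": ("Azure portal / Entra / Intune admin centers", "Second half of 2024"),
    "00000006-0000-0ff1-ce00-000000000000": ("Microsoft 365 admin center", "Early 2025"),
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": ("Azure CLI", "Early 2025"),
    "1950a258-227b-4e31-a9cf-717495945fc2": ("Azure PowerShell", "Early 2025"),
    "0c1307d4-29d6-4389-a11c-5cbe7f65d7fa": ("Azure mobile app", "Early 2025"),
}

def accounts_at_risk(sign_ins):
    """Map each UPN to the set of (app, phase) it reached with a successful
    single-factor sign-in; these accounts break once enforcement lands."""
    at_risk = defaultdict(set)
    for rec in sign_ins:
        target = ENFORCED_APPS.get(rec.get("appId"))
        if target is None:
            continue  # app not covered by the timeline
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed sign-in: nothing to break
        if rec.get("authenticationRequirement") == "singleFactorAuthentication":
            at_risk[rec["userPrincipalName"]].add(target)
    return dict(at_risk)

# Constructed sample sign-in records mirroring Graph signIn fields (not real data).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "breakglass1@contoso.onmicrosoft.com",
     "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice.admin@contoso.com",
     "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-deploy@contoso.com",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.com",
     "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 50126}},  # constructed failed sign-in, ignored
]

if __name__ == "__main__":
    for upn, targets in sorted(accounts_at_risk(SAMPLE_SIGN_INS).items()):
        for app, phase in sorted(targets):
            print(f"{upn}: single-factor sign-in to {app} (MFA enforced {phase})")
```

In a real tenant the records would come from the Entra sign-in logs or the Graph /auditLogs/signIns endpoint; a break-glass account appearing in this output is exactly the case the post warns about.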
A Common Misunderstanding About MFA on Admin Accounts

One of the most common misunderstandings that I have encountered from some of our clients who use Entra ID and M365 stems from a misreading of Microsoft's documentation for EAAs. The documentation advises organizations to "exclude at least one account from conditional access policies." The intention of this guidance is to ensure that organizations have a dedicated, single-factor EAA admin account with a unique and complex password written down somewhere secure, used only in emergencies (e.g., an MFA or federation services outage, or some other outage or disaster that would prevent admins from authenticating). Some have misinterpreted this to mean that all global admins should be excluded from MFA. This misunderstanding has led to security incidents where an admin account was compromised, MFA was not enforced, and it then became trivial for the threat actor (TA) to do nearly whatever they wanted in the customer's tenant, because they were now a global admin.

Previously, it was recommended that only EAAs be excluded from MFA, that those accounts never be used in day-to-day operations, and that they be monitored for suspicious login events. The new guidance is to ensure that EAAs have FIDO2 or certificate-based authentication enabled as an MFA factor and to no longer exclude any admin account from MFA for any reason.

Updated Best Practices for Emergency Access Accounts

It is important to secure EAAs with strong authentication methods. The best current practices from Microsoft's documentation are available on Microsoft Learn. It is very important that organizations that rely on Microsoft 365 or Azure services take the following measures to ensure that they meet best current practices and are never locked out of their tenant in an emergency:

- Switch EAAs to use FIDO2 devices or certificate-based authentication as MFA factors. As of October 15, 2024, unless your organization has opted for the 1-year exemption to security defaults, single-factor authentication will fail on accounts that attempt to access the applications in phase 1, as per the change timeline provided by Microsoft.
- If the account has a password, write it down on paper and store it in a fireproof safe or other secure location. If you're using a FIDO2 device or certificate-based authentication, store the devices in the safe as well.
- Ensure the EAAs are not dependent on an individual employee. Access to these accounts should be documented in your disaster recovery plan (DRP).
- Create a minimum of two EAAs. Store them in physically separate locations in case of a fire, earthquake or other disaster.
- EAAs should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises or other environment.
- In Microsoft Entra Privileged Identity Management, permanently assign the global administrator role to the EAA.
- If you use ADFS or other solutions to federate identity providers, make sure that you have separate EAAs for each solution. Chaining EAAs together as a sort of "master key" poses unnecessary risk that could cause your EAA to not function during an outage or disaster.
- Monitor and alert on all sign-ins from EAAs. Every single login from an EAA should be alerted on and investigated promptly. As these accounts are never supposed to be used, the alert volume should be very low and should only trigger during DR testing.
- Test EAAs during your DR testing. Failure to plan is a plan to fail.

By: Justin Safa
Digital Forensics and Incident Response Consultant | Optiv

Justin Safa is a Digital Forensics and Incident Response Consultant at Optiv on our Enterprise Incident Management Team. Justin is a subject matter expert in Microsoft 365, Cisco Security, Carbon Black, SentinelOne and a variety of other technologies.
Justin has led many incident response engagements involving ransomware, targeted attacks, zero-days and other sophisticated threats. He has worked for a diverse range of clients across industries, including various levels of government and the Fortune 500.
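The best-practices checklist above (cloud-only *.onmicrosoft.com account, not synchronized from on-premises, FIDO2 registered, every sign-in alerted) can be verified against Microsoft Graph data. The following is an added example, not code from the original post: the dictionaries are constructed to mirror the shape of the Graph user object (userPrincipalName, onPremisesSyncEnabled) and the /users/{id}/authentication/methods response, where each method carries an @odata.type. Certificate-based authentication is not surfaced as a registered user method by that endpoint, so the method check looks for FIDO2 only.

```python
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"

def eaa_findings(user, methods):
    """Return checklist violations for one EAA; an empty list means compliant."""
    findings = []
    upn = user["userPrincipalName"].lower()
    if not upn.endswith(".onmicrosoft.com"):
        findings.append("UPN is not on the *.onmicrosoft.com domain")
    if user.get("onPremisesSyncEnabled"):  # null/False for cloud-only accounts
        findings.append("account is synchronized from on-premises")
    types = {m["@odata.type"] for m in methods}
    if FIDO2 not in types:
        findings.append("no FIDO2 key registered; single-factor sign-in will fail")
    # Password + FIDO2 is the expected set; phone, email, etc. add weaker paths.
    extra = types - {FIDO2, PASSWORD}
    if extra:
        findings.append("unexpected methods registered: " + ", ".join(sorted(extra)))
    return findings

def eaa_sign_in_alerts(eaa_upns, sign_ins):
    """Every sign-in by an EAA, successful or not, is an alert to investigate."""
    watch = {u.lower() for u in eaa_upns}
    return [s for s in sign_ins if s["userPrincipalName"].lower() in watch]

# Constructed sample data mirroring Graph response shapes (not real tenant data).
EAA_GOOD = {"userPrincipalName": "breakglass1@contoso.onmicrosoft.com",
            "onPremisesSyncEnabled": None}
EAA_GOOD_METHODS = [{"@odata.type": PASSWORD, "id": "constructed-pw-id"},
                    {"@odata.type": FIDO2, "id": "constructed-key-id",
                     "displayName": "Safe A key"}]
EAA_BAD = {"userPrincipalName": "breakglass2@contoso.com",
           "onPremisesSyncEnabled": True}
EAA_BAD_METHODS = [{"@odata.type": PASSWORD, "id": "constructed-pw-id"},
                   {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
                    "id": "constructed-phone-id"}]
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice.admin@contoso.com", "status": {"errorCode": 0}},
    {"userPrincipalName": "BreakGlass1@contoso.onmicrosoft.com", "status": {"errorCode": 0}},
    {"userPrincipalName": "breakglass2@contoso.com", "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    for user, methods in ((EAA_GOOD, EAA_GOOD_METHODS), (EAA_BAD, EAA_BAD_METHODS)):
        print(user["userPrincipalName"], eaa_findings(user, methods) or "OK")
    eaas = [EAA_GOOD["userPrincipalName"], EAA_BAD["userPrincipalName"]]
    for alert in eaa_sign_in_alerts(eaas, SAMPLE_SIGN_INS):
        print("ALERT: EAA sign-in", alert)
```

Running the posture check as part of DR testing, and the alert filter continuously over the sign-in log feed, turns the checklist into something that is verified rather than assumed.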