
Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 3 Contributor

Break the Glass Admin no longer compliant?

At Microsoft Ignite 2018 (see attached) they recommended that we set up a "Break the glass" admin in case MFA should be unavailable. With the new requirements for the Partner Portal requiring ALL users to have MFA enabled, do we no longer have the option of a break the glass admin for partners? We can still set this up for client domains, but the question is for partners.

33 REPLIES
Level 3 Contributor

Re: Break the Glass Admin no longer compliant?

Definitely a good point. We use at least a CA rule to only allow access from an emergency location. But it seems that this will also not satisfy this.

Level 3 Contributor

Re: Break the Glass Admin no longer compliant?

Level 1 Contributor

Exclude admin from baseline policy

The Azure UI recommends excluding at least one admin from the MFA baseline policy so as not to lose access. The documentation has a screenshot that displays a blade-based option to select excluded admins. This selection is not available in my tenant.

How do I configure exclusions, and how do exclusions affect the CSP delegated admin status in the fall?

-Thomas

Visitor 1

Re: Break the Glass Admin no longer compliant?

We have the exact same problem... From the baseline policy documentation, it seems like there should be an exclude functionality there, but it's not present in any of our tenants.

We have made two new policies that do the same thing as the baseline policies...

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-baseline-protect-administrators

Level 4 Contributor

Re: Exclude admin from baseline policy

The baseline policy does not permit exclusions. You can upgrade to AADP1 or AADP2 for this added functionality. We are currently awaiting official confirmation of whether exclusions are considered compliant. I believe the last thing I heard from a community call is that using exclusions is considered non-compliant, but don't quote me on that!

Level 2 Contributor

Re: Break the Glass Admin no longer compliant?

Can you provide a quick guide/screenshots of which settings you chose to set up 2 policies equivalent to the PREVIEW policies, but with EXCLUSION possibilities?

Level 1 Contributor

Re: Break the Glass Admin no longer compliant?

Would be nice to get an official answer on whether break glass accounts are supported or not in this new "MFA for everyone" scenario.

Level 1 Contributor

Re: Exclude admin from baseline policy

This is interesting. My tenant is an Azure AD P2 tenant.

But as mentioned, the documentation and the Azure AD UI state that you should add exclusions, yet they do not provide any information about additional AAD P* licenses being required.

-Thomas

Microsoft

Re: Exclude admin from baseline policy

The baseline policies were updated recently and do not allow for exclusions anymore - so the screenshots in the documentation are a bit outdated (the documentation was last updated on June 26, but the baseline policies changed this after June 28).

When you have AAD P1/P2 you can create your own conditional access policies mimicking the baseline policies - within the baseline policies even a tenant with P1/P2 plans will not show exclusions.

Microsoft

Re: Break the Glass Admin no longer compliant?

Partners who are using the baseline protection policies will not be able to create a break glass account. It is not possible because you cannot exclude an account from protection of these policies. However, a break glass account could be redefined as a dedicated account with a dedicated second factor authenticator instance, with appropriate associated monitoring, and it can then be used. Additional information regarding this topic, and numerous others, will be incorporated into our documentation in the coming days. 

Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner
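The answer above redefines a break-glass account as a dedicated account with its own second factor "with appropriate associated monitoring". As an added example of that monitoring (not code from this thread or from Microsoft), the Python below classifies Azure AD sign-in records and raises an alert for every sign-in attempt by a break-glass account, since such an account should be idle outside an outage. It reads only the Microsoft Graph `signIn` fields named in the code; the records in `SAMPLE_SIGNINS`, the UPNs and the IP addresses are constructed sample data.

```python
"""Alert on any sign-in by a break-glass (emergency access) account.

Added example, not code from the thread or from Microsoft. It reads the
subset of Microsoft Graph `signIn` fields named below; the records in
SAMPLE_SIGNINS are constructed sample data, not real tenant logs."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed sample sign-in records in the shape of Graph /auditLogs/signIns items.
# errorCode 0 is a successful sign-in; 50126 is Azure AD's "invalid credentials" code.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2019-07-29T08:00:00Z",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success"},
    {"userPrincipalName": "breakglass@contoso.example", "createdDateTime": "2019-07-29T09:15:00Z",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "BreakGlass@contoso.example", "createdDateTime": "2019-07-29T09:20:00Z",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "status": {"errorCode": 50126}, "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "breakglass@contoso.example", "createdDateTime": "2019-07-30T02:00:00Z",
     "ipAddress": "192.0.2.44", "appDisplayName": "Microsoft Graph",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "notApplied"},
]


@dataclass(frozen=True)
class BreakGlassAlert:
    upn: str
    when: datetime
    ip: str
    app: str
    succeeded: bool
    ca_status: str
    severity: str  # "critical" for a successful sign-in, "high" for a failed one


def _parse_graph_time(value: str) -> datetime:
    # Graph emits ISO 8601 with a trailing "Z"; fromisoformat() only accepts
    # that suffix from Python 3.11 on, so normalise it to an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_break_glass_signins(records: Iterable[dict],
                                 break_glass_upns: set[str]) -> list[BreakGlassAlert]:
    """Every sign-in attempt by a break-glass account is alert-worthy, because the
    account is meant to sit unused until an outage. A success is rated critical;
    a failure is rated high (someone may be guessing the account's credentials).
    UPN comparison is case-insensitive, as Azure AD treats UPNs."""
    wanted = {u.lower() for u in break_glass_upns}
    alerts: list[BreakGlassAlert] = []
    for rec in records:
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in wanted:
            continue
        succeeded = rec.get("status", {}).get("errorCode", 0) == 0
        alerts.append(BreakGlassAlert(
            upn=upn,
            when=_parse_graph_time(rec["createdDateTime"]),
            ip=rec.get("ipAddress", "?"),
            app=rec.get("appDisplayName", "?"),
            succeeded=succeeded,
            ca_status=rec.get("conditionalAccessStatus", "unknown"),
            severity="critical" if succeeded else "high",
        ))
    return alerts


def summarize(alerts: list[BreakGlassAlert]) -> dict:
    """Roll-up suitable for a ticket or a SIEM alert body."""
    return {
        "critical": sum(1 for a in alerts if a.severity == "critical"),
        "high": sum(1 for a in alerts if a.severity == "high"),
        "source_ips": len({a.ip for a in alerts}),
        "apps": sorted({a.app for a in alerts}),
    }


if __name__ == "__main__":
    found = classify_break_glass_signins(SAMPLE_SIGNINS, {"breakglass@contoso.example"})
    for a in found:
        print(f"[{a.severity}] {a.when.isoformat()} {a.upn} from {a.ip} via {a.app} "
              f"({'success' if a.succeeded else 'failure'}, CA: {a.ca_status})")
    print(summarize(found))
```

In a real tenant the records would come from the Graph sign-in log (or its export to a SIEM) rather than from the constructed list; the point of the classifier is that the threshold for a break-glass account is one event, not a rate, and that a failed attempt is as interesting as a successful one.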

Level 2 Contributor

Re: Break the Glass Admin no longer compliant?

Thanks @idwilliams, I am very eager to read this documentation, so I look forward to it being released in the coming days.

This deadline of 1st of August is very close and we are still waiting for things to be confirmed by Microsoft, like App Passwords for Legacy connections that will be required post 1st of August and also the Break Glass scenario for Admin accounts. Does Microsoft have any plan to extend the 1st of August deadline to allow partners to test these solutions? If they are not going to extend the deadline, are they going to relax it at all so that we can have our own Conditional Access policies with some exclusions in place for Break Glass accounts and Service accounts that are performing Legacy Connections, for a grace period?

 

As someone who will need to implement this for my organization it is very confusing when you have some material advising things like:

https://docs.microsoft.com/en-au/partner-center/partner-security-requirements

Considerations

Because the security requirements apply to all users in a partner directory, several considerations need to be made to ensure a smooth deployment. These considerations include identifying users in Azure Active Directory that cannot or should not perform MFA, as well as applications and clients used by your organization that do not support modern authentication.

Which gives you the impression that you can have exclusions for users that cannot perform MFA (like Legacy connections), and then you have other sources advising that you will need to have MFA enforced on all accounts.

Thanks,

Micheal

Microsoft

Re: Break the Glass Admin no longer compliant?

Hi @MVolker,

I can confirm that you can use app passwords for devices and services that do not support modern authentication. However, when using app passwords you should consider the important points documented here.

 

Thank you for sharing the feedback regarding the documentation. I am currently working on incorporating information regarding the support for app passwords and various other topics. As the updates are being made I will work to remove the ambiguity that you mentioned.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner

Level 2 Contributor

Re: Break the Glass Admin no longer compliant?

@idwilliams

You said that App Passwords are allowed, but I know they are not able to be used with Conditional Access policies. Am I correct in assuming that we are allowed to enforce MFA by changing user states in the Azure Multi-Factor Authentication portal, provided that we enforce for all users?

Link for what I am talking about: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates#enable-azure-mfa-by-changing-user-state

Level 1 Contributor

Re: Break the Glass Admin no longer compliant?

We're planning to implement a CA policy requiring MFA for all users (including Guests), except the accounts that we need to use app passwords for (e.g. our ticketing system and our multi-functional printers). Those accounts will have their user state set to Enabled in the Azure MFA portal, and will be using an app password to authenticate.

This way we'll still have the 100% coverage the new security requirement calls for and be in compliance (I hope).

Microsoft

Re: Break the Glass Admin no longer compliant?

@TomR : Yes, MFA can also be enforced by changing the user state. You can also mix - so enabling MFA per user for some users, and enforcing MFA for others with conditional access rules.

Level 1 Contributor

Baseline policy: Require MFA for admins

I have enabled the "Baseline policy: Require MFA for admins (Preview)"; when I log in using a "Global Administrator" level user, I get the MFA request. My question is, when I go to Azure Active Directory Admin Center | Users | Multi-Factor Authentication and look up the user, it shows "Multi-Factor Auth Status" as Disabled. Is this normal?

Thanks, Brent

Microsoft

Re: Baseline policy: Require MFA for admins

Hi @brentmo

Yes, this is the expected behavior. The difference is that you have enabled a conditional access policy that requires MFA, and the MFA portal that you are referencing is used for managing MFA per-user.


Isaiah Williams
Cloud Technology Strategist | US – One Commercial Partner

Level 2 Contributor

Re: Break the Glass Admin no longer compliant?

So to be clear, we do not need to use the Baseline CA policies to meet these requirements? Are we still allowed to use Trusted Locations in the MFA settings, or will those go away or need to be turned off?

I'm really curious to know how Microsoft will be confirming that we are "compliant", because even though I have had a CA policy for months that requires MFA for All Apps for All Guests in our tenant, my Secure Score is still really low because it apparently doesn't recognize that as enforcing MFA, even though it is.

Microsoft

Re: Break the Glass Admin no longer compliant?

@kcears : No, baseline policies are not needed if you use other means to enforce MFA. Trusted locations exclusion is not allowed.

See also here for an updated FAQ: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq

No info on how technical compliance will be enforced yet.

Level 1 Contributor

Re: Break the Glass Admin no longer compliant?

Jason, a few weeks ago you wrote "MFA can also be enforced by changing the user state. You can also mix - so enabling MFA per user for some users, and enforcing MFA for others with conditional access rules."

Does this require an Azure Premium license? If not, how do you mix given that conditional access exclusions are not available?

Level 1 Contributor

Re: Break the Glass Admin no longer compliant?

Sorry, that last question was intended for 

Microsoft

Re: Break the Glass Admin no longer compliant?

@simplepowerit : Yes, creating your own conditional access rules requires AAD Premium Plan1, MFA per user is also available when licensing Office365 E3. So in this scenario you would not use the baseline policies, but only create CA rules yourself where you are able to set exclusions and choose MFA as control.
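As an added example (not code from this thread or from Microsoft) of what the answer above and the earlier reply about "two new policies that do the same thing as the baseline policies" describe: the Python below builds the Microsoft Graph `conditionalAccessPolicy` body for a policy that requires MFA for all users and all cloud apps while excluding only the named break-glass accounts, and then lints it against the rules stated in this thread (no trusted-location exclusion, no exclusions beyond the break-glass accounts, MFA as the grant control, policy actually enabled). It assumes the AAD P1/P2 licensing for custom CA policies mentioned above. The object IDs are constructed placeholders, `GRAPH_POLICIES_URL` is the v1.0 Conditional Access policies endpoint, and `post_policy` is the network call you would make with a token holding the `Policy.ReadWrite.ConditionalAccess` permission; it is not exercised when the script runs.

```python
"""Build and sanity-check a Conditional Access policy that requires MFA for all
users and all cloud apps while excluding only named break-glass accounts.

Added example, not code from the thread or from Microsoft. The policy body uses
the Microsoft Graph conditionalAccessPolicy schema; the object IDs below are
constructed placeholders."""
from __future__ import annotations

import json
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed placeholder object IDs (not real accounts).
BREAK_GLASS_ID = "00000000-0000-0000-0000-00000000bg01"
HELPDESK_ID = "00000000-0000-0000-0000-00000000hd01"


def build_require_mfa_policy(display_name: str, exclude_user_ids: list[str],
                             state: str = "enabled") -> dict:
    """Equivalent of the "require MFA for all users" baseline, with exclusions.
    Start with state="enabledForReportingButNotEnforced" to see what the policy
    would block before switching it to "enabled"."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def lint_policy(policy: dict, allowed_exclusions: set[str]) -> list[str]:
    """Return findings that would make the policy fall short of "MFA for everyone".
    An empty list means the only gap is the named break-glass accounts."""
    findings: list[str] = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    if users.get("includeUsers") != ["All"]:
        findings.append('scope: includeUsers must be ["All"]')
    unexpected = set(users.get("excludeUsers", [])) - allowed_exclusions
    if unexpected:
        findings.append(f"exclusions: unexpected excluded users {sorted(unexpected)}")
    if users.get("excludeGroups") or users.get("excludeRoles"):
        findings.append("exclusions: group or role exclusions widen the gap beyond named accounts")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append('scope: includeApplications must be ["All"]')
    if cond.get("locations", {}).get("excludeLocations"):
        findings.append("locations: trusted-location exclusions are not allowed under the partner requirements")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant: builtInControls must require mfa")
    if policy.get("state") != "enabled":
        findings.append(f"state: policy is {policy.get('state')!r}, not enforced")
    return findings


def post_policy(policy: dict, bearer_token: str) -> dict:
    """Create the policy in the tenant (network call; not exercised here)."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    good = build_require_mfa_policy("Require MFA for all users", [BREAK_GLASS_ID])
    print(json.dumps(good, indent=2))
    print("findings:", lint_policy(good, {BREAK_GLASS_ID}) or "none")

    # A looser variant: an extra helpdesk exclusion plus a trusted-location exclusion.
    loose = build_require_mfa_policy("Require MFA (loose)", [BREAK_GLASS_ID, HELPDESK_ID])
    loose["conditions"]["locations"] = {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}
    for finding in lint_policy(loose, {BREAK_GLASS_ID}):
        print("finding:", finding)
```

The lint step is the part worth keeping: the same checks can be run against every policy exported from the tenant, so that a later edit that quietly adds a group exclusion or a trusted-location carve-out is caught before it erodes the "all users" coverage the requirement calls for.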

 

Level 1 Contributor

Re: Break the Glass Admin no longer compliant?

So Isaiah, is it still impossible to create a "Break the Glass" account for those of us partners who are going to have to use the "baseline protection policy"? Is the MS policy going to be to not provide a means for creating the "Break the Glass" accounts, even though it's the stated best practice according to the Manage emergency access accounts in Azure AD article?

If it is going to be MS policy to provide a means for creating a "Break the Glass" account, where is this documented?

Jeff Williams

Level 1 Contributor

Re: Break the Glass Admin no longer compliant?

Sorry, I should have tagged the MS employees who have been answering on this: @idwilliams @JanoschUlmer

Is it still impossible to create a "Break the Glass" account for those of us partners who are going to have to use the "baseline protection policy"? Is the MS policy going to be to not provide a means for creating the "Break the Glass" accounts, even though it's the stated best practice according to the Manage emergency access accounts in Azure AD article?

If it is going to be MS policy to provide a means for creating a "Break the Glass" account, where is this documented?