Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 3 Contributor

Break the Glass Admin no longer compliant?

At Microsoft Ignite 2018 (see attached) they recommended that we set up a "Break the glass" admin in case MFA should be unavailable. With the new requirements to the Partner Portal requiring ALL users to have MFA enabled, do we no longer have the option for a break the glass admin for partners? We can still set this up for client domains, but the question is for partners.

Level 2 Contributor

Hi, @JanoschUlmer

We are a small MSP. There are some service accounts that are used for helpdesk tickets and other things that are incoming. Will the baseline policies prevent those from working, and is there additional setup required for them to function with 2FA? For example, we use ConnectWise, and tickets come through helpdesk@example.com, and another mailbox is set for voicemails. And just so I understand correctly, to put in place a Break Glass admin, you can't use the baseline policies, but must make your own. Is that correct?

Microsoft

@Dsonnier : Specifically for ConnectWise another user has posted some information from the vendor (Can't find the post currently):

https://docs.connectwise.com/ConnectWise_Documentation/ConnectWise_Unified_Product/Supportability_Statements_for_ConnectWise_Unified_Product/Microsoft_Partner_Security_Requirements_and_Impact_to_ConnectWise_Products_FAQ

For access to mailboxes via SMTP/IMAP you can use app passwords as an alternative solution. You can enable both baseline policies and configure MFA per user to use app passwords - but you would need to have additional licenses (O365 E3, AAD Premium P1) to enable MFA per user.

For emergency accounts - when using the baseline policies all admins would go through the same enforcement. Baseline policies still allow multiple Microsoft Authenticator registrations so that you do not rely on a single mobile phone only (so a "break glass token device" is possible) - but in order to use two different MFA services you would need to create your own conditional access policies or enable MFA per user and not enable baseline policies.

Generally it is not possible to exclude an admin from MFA altogether, so not all of the recommendations for emergency accounts can be applied when the Partner Center Security requirements apply to this tenant.

Level 2 Contributor

Thanks for the detailed reply. That will help tremendously. I'm looking over the ConnectWise documentation now. As far as AAD P1 regarding MFA, is that a per user license, or does it cover the tenant as a whole?

Microsoft

License is per user. Technically a single license in the tenant will make it possible to enable MFA for any/all user(s), but still the licensing requirement is that every user that benefits from the service/feature will need a license.

Level 1 Contributor

I have enabled the "Baseline policy: Require MFA for admins (Preview)". When I log in using a "Global Administrator" level user, I get the MFA request. My question is, when I go to Azure Active Directory Admin Center | Users | Multi-Factor Authentication and look up the user, it shows "Multi-Factor Auth Status" as Disabled. Is this normal?

Thanks, Brent

Moderator

Hi @brentmo

Yes, this is the expected behavior. The difference is that you have enabled a conditional access policy that requires MFA, and the MFA portal that you are referencing is used for managing MFA per user.

Level 1 Contributor

The Azure UI recommends excluding at least one admin from the MFA baseline policy so as not to lose access. The documentation has a screenshot that displays a blade-based option to select excluded admins. This selection is not available in my tenant.

How do I configure exclusions, and how do exclusions affect the CSP delegated admin status in fall?

-Thomas

Level 4 Contributor

The baseline policy does not permit exclusions. You can upgrade to AADP1 or AADP2 for this added functionality. We are currently waiting for official confirmation of whether exclusions are considered compliant. I believe the last thing I heard from a community call is that using exclusions is considered non-compliant, but don't quote me on that!

Level 1 Contributor

This is interesting. My tenant is an Azure AD P2 tenant.

But as mentioned, the documentation and the Azure AD UI states that you should add exclusions. But it does not provide any information for additional AAD P* licenses required.

-Thomas

Microsoft

The baseline policies were updated recently and do not allow for exclusions anymore - so the screenshots in the documentation are a bit outdated (the documentation was last updated on June 26, but the baseline policies changed this after June 28).

When you have AAD P1/P2 you can create your own conditional access policies mimicking the baseline policies - within the baseline policies even a tenant with P1/P2 plans will not show exclusions.

Level 1 Contributor

Would be nice to get an official answer on whether break glass accounts are supported or not in this new "MFA for everyone" scenario.

Moderator

Partners who are using the baseline protection policies will not be able to create a break glass account. It is not possible because you cannot exclude an account from protection of these policies. However, a break glass account could be redefined as a dedicated account with a dedicated second factor authenticator instance, with appropriate associated monitoring, and it can then be used. Additional information regarding this topic, and numerous others, will be incorporated into our documentation in the coming days.

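The "appropriate associated monitoring" mentioned above is the part partners have to build themselves. The following is an added example, not code from the thread or from Microsoft: it scans sign-in records in the shape of the Microsoft Graph signIn resource (constructed sample data, a hypothetical break-glass UPN) and raises an alert for every sign-in attempt by the dedicated emergency account, since that account should never be used outside a declared outage.

```python
import json
from datetime import datetime, timezone

# Constructed sample records in the shape of the Microsoft Graph signIn resource
# (only a few fields). All values are made up for this example.
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2019-07-30T08:12:04Z", "userPrincipalName": "jane@example.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2019-07-30T08:40:51Z", "userPrincipalName": "BreakGlass@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2019-07-30T09:02:13Z", "userPrincipalName": "breakglass@example.com",
     "ipAddress": "198.51.100.9", "appDisplayName": "Azure Portal",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126}},
])

# The dedicated emergency account(s); hypothetical UPN, compared case-insensitively.
BREAK_GLASS_UPNS = {"breakglass@example.com"}


def break_glass_alerts(signins_json, break_glass_upns=BREAK_GLASS_UPNS):
    """Return one alert per sign-in attempt by a break-glass account.

    Every attempt is alert-worthy: the account is only meant to be used while
    MFA or Azure AD is down, so any success or failure outside a declared
    incident should be investigated.
    """
    alerts = []
    for rec in json.loads(signins_json):
        upn = rec.get("userPrincipalName", "").lower()
        if upn not in break_glass_upns:
            continue
        error = rec.get("status", {}).get("errorCode", 0)
        when = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        alerts.append({
            "time": when.replace(tzinfo=timezone.utc).isoformat(),
            "upn": upn,
            "ip": rec.get("ipAddress"),
            "app": rec.get("appDisplayName"),
            "outcome": "success" if error == 0 else f"failure({error})",
            # "notApplied" means no conditional access policy covered the sign-in
            "ca_applied": rec.get("conditionalAccessStatus") != "notApplied",
            # a successful use is the most urgent case; failures may be guessing
            "severity": "high" if error == 0 else "medium",
        })
    return alerts
```

In production the records would come from the Azure AD sign-in logs export rather than an inline string, and each alert would be routed to the on-call channel.
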
Level 1 Contributor

So Isaiah, is it still impossible to create a "Break the Glass" account for those of us partners who are going to have to use the "baseline protection policy"? Is the MS policy going to be to not provide a means for creating the "Break the Glass" accounts, even though it's the stated best practice according to the Manage emergency access accounts in Azure AD article?

If it is going to be MS policy to provide a means for creating a "Break the Glass" account, where is this documented?

Jeff Williams

Level 1 Contributor

Sorry, I should have tagged the MS employees who have been answering on this: @idwilliams @JanoschUlmer

Is it still impossible to create a "Break the Glass" account for those of us partners who are going to have to use the "baseline protection policy"? Is the MS policy going to be to not provide a means for creating the "Break the Glass" accounts, even though it's the stated best practice according to the Manage emergency access accounts in Azure AD article?

If it is going to be MS policy to provide a means for creating a "Break the Glass" account, where is this documented?

Microsoft

@WilliamsJD : The issue of break-glass accounts has now been included in the FAQ: https://docs.microsoft.com/en-us/partner-center/partner-security-requirements-faq#how-do-i-configure-an-emergency-access-break-glass-account

The baseline policy does not allow setting exclusions or implementing different MFA providers as suggested in the FAQ, so Azure AD Premium Plan 1 is required for this scenario.

Level 1 Contributor

Would Azure AD Premium plan be needed for all users or just the "break the glass" account to be excluded from baseline policies?

Microsoft

It would be required for all users - since for this scenario baseline policies could not be used at all.

Baseline policies do not allow setting exclusions, so if you would enforce a 3rd party MFA via a custom control in conditional access for one user, and the baseline policy would still be active, this user would need to fulfill the requirements from both policies.

So instead you need to create your own conditional access policies for all users - one policy for using Azure MFA, one for 3rd party MFA.

You could also work with Office 365 E1/E3 licenses + only a few AAD Premium P1 - for all users with Office 365 licenses you could enable MFA per user and only use one conditional access policy with custom control/3rd party MFA for some of the admins that have an AAD P1 license assigned.
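The two-policy layout described in the reply above (an Azure MFA policy for everyone with the break-glass account excluded, plus a separate third-party MFA policy that includes only that account) is easy to get wrong: forget the exclusion and the emergency account must satisfy both policies. The following is an added example, not code from the thread or from Microsoft: it models the policies in the shape of the Graph conditionalAccessPolicy resource (with placeholder ids for the break-glass account and the custom control) and checks that every user falls under exactly one MFA path.

```python
# Placeholders: a real deployment would use the break-glass account's object id
# and the tenant-specific id of the third-party MFA custom control.
BREAK_GLASS_ID = "PLACEHOLDER-BREAK-GLASS-OBJECT-ID"
THIRD_PARTY_MFA_CONTROL = "PLACEHOLDER-CUSTOM-CONTROL-ID"

# Constructed policies in the shape of the Graph conditionalAccessPolicy resource.
POLICIES = [
    {"displayName": "Require Azure MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID],
                              "includeGroups": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Break glass: third-party MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": [BREAK_GLASS_ID], "excludeUsers": [],
                              "includeGroups": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "customAuthenticationFactors": [THIRD_PARTY_MFA_CONTROL]}},
]


def policy_targets_user(policy, user_id, group_ids=()):
    """Mirror conditional access user scoping: an exclusion wins over any inclusion."""
    users = policy["conditions"]["users"]
    groups = set(group_ids)
    if user_id in users.get("excludeUsers", []) or groups & set(users.get("excludeGroups", [])):
        return False
    inc = users.get("includeUsers", [])
    return "All" in inc or user_id in inc or bool(groups & set(users.get("includeGroups", [])))


def requires_mfa(policy):
    """True if the grant controls demand Azure MFA or a custom (third-party) MFA control."""
    grant = policy.get("grantControls") or {}
    return "mfa" in grant.get("builtInControls", []) or bool(grant.get("customAuthenticationFactors"))


def mfa_policies_for(policies, user_id, group_ids=()):
    """Display names of enabled MFA-requiring policies that apply to the user."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled" and requires_mfa(p)
            and policy_targets_user(p, user_id, group_ids)]


def check_mfa_paths(policies, user_id, group_ids=()):
    """Expect exactly one MFA path per user: "overlap" means the user must satisfy
    several MFA policies at once, "uncovered" means no MFA is enforced at all."""
    names = mfa_policies_for(policies, user_id, group_ids)
    if len(names) == 1:
        return "ok", names
    return ("overlap" if names else "uncovered"), names
```
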

Level 1 Contributor

Thanks for the reply @JanoschUlmer. So if I turn on the baseline policies without a "Break the Glass" account and then something breaks about MFA what is the recovery procedure?

Microsoft

@WilliamsJD : It would be the same "recovery" as if Azure AD itself would break - the only remaining option is to open a support ticket to report problems with MFA and then wait until MFA is restored.

Even when using baseline policies you are still able to use different/multiple authenticator apps (and btw - it was just confirmed that 3rd party TOTP apps also work, e.g. authy.com) - so at least you can avoid that the "something" that breaks is a certain device/account/installation of the token app. But for the service itself there would be no recovery procedure, similar to issues in Azure AD.

Level 2 Contributor

Thanks @idwilliams I am very eager to read this documentation so I look forward to it being released in the coming days.

This deadline of 1st of August is very close and we are still waiting for things to be confirmed by Microsoft, like App Passwords for Legacy connections that will be required post 1st of August and also the Break Glass scenario for Admin accounts. Does Microsoft have any plan to extend the 1st of August deadline to allow partners to test these solutions? If they are not going to extend the deadline, are they going to relax it at all so that we can have our own Conditional Access policies that have some exclusions in place for Break Glass accounts and Service accounts that are performing Legacy Connections for a grace period?

As someone who will need to implement this for my organization it is very confusing when you have some material advising things like:

https://docs.microsoft.com/en-au/partner-center/partner-security-requirements

Considerations

Because the security requirements apply to all users in a partner directory, several considerations need to be made to ensure a smooth deployment. These considerations include identifying users in Azure Active Directory that cannot or should not perform MFA, as well as applications and clients used by your organization that do not support modern authentication.

Which gives you the impression that you can have exclusions for users that cannot perform MFA (like Legacy connections), and then you have other sources advising that you will need to have MFA enforced on all accounts.

Thanks,

Micheal