Emergency Access Made Easy: Implementing the Microsoft Break Glass Account
What is a Microsoft Break Glass Account?
A Microsoft break glass account (Microsoft's own term is "emergency access account") is a highly privileged cloud account kept for situations in which normal administrative access to the Azure AD tenant and its Azure resources is unavailable, for example when a Conditional Access policy locks out every administrator or the multi-factor authentication service cannot be reached. The name is a metaphor for breaking the glass of an emergency cabinet to reach the tool inside.
The account is a last resort, not a day-to-day administrative account. Only a small number of security administrators are permitted to use it, and its credentials are kept out of normal circulation.
Because it normally holds the Global Administrator role, the account can restore access to everything in the tenant, including Azure resources such as virtual machines, databases and storage accounts. That power is exactly why every use must be monitored: the account should stay unused and locked down until a specific emergency requires it, and any sign-in, expected or not, should raise an alert immediately. The rest of this article sets up that alert.
Requirements:
- Azure AD Premium P1 (or P2) licence, required to stream Azure AD sign-in logs to a Log Analytics workspace.
- An Azure subscription, to hold the resource group, Log Analytics workspace, alert rule and action group used for monitoring.
General steps for implementation are:
- Create Break Glass User Account.
- Create Azure resource group and Log Analytics workspace.
- Send Sign In Logs to Log Analytics workspace.
- Create alert when account is used.
- Test.
How to create and monitor a Break Glass Account?
Create the break glass account. Make it a cloud-only account on the tenant's default .onmicrosoft.com domain, so that it does not depend on federation or on-premises synchronisation, give it a long randomly generated password stored securely offline, and exclude it from every Conditional Access policy: an account blocked by the same policy that locked everyone else out is useless.
Save the Object ID of the created user. The alert query filters on the Object ID rather than on the user name, so the alert keeps working even if the display name or UPN is changed later.
Create a resource group to hold all resources needed to monitor the break glass account.
Create a Log Analytics workspace in that resource group.
Navigate to diagnostic settings: Azure Active Directory -> Monitoring -> Diagnostic Settings.
Add a diagnostic setting that sends SignInLogs to the Log Analytics workspace.
Navigate to the Log Analytics workspace and create an alert rule.
Add the condition: choose the signal type Custom log search and enter the detection query.
Write the query. It must return a row whenever the break glass user signs in to any Microsoft cloud service, successfully or not: filter the SigninLogs table on the Object ID you saved earlier (the UserId column holds it).
In the measurement settings:
- Aggregation granularity: the time window over which the query is evaluated each time the rule runs. The portal describes it as a way to adjust the "signal-to-noise" ratio of a chart (higher aggregations remove noise and smooth out spikes); for a break glass alert choose a short window, such as 5 minutes, because every single sign-in must be reported.
Create the alert logic. In this example the alert fires when the query returns at least one row, that is, when the break glass account has signed in or attempted to.
- Operator: how the measured value (here the row count) is compared with the threshold; use Greater than with a threshold of 0.
- Frequency of evaluation: how often the alert rule runs. If the frequency is shorter than the aggregation granularity, the rule evaluates a sliding window and consecutive evaluations can match the same sign-in.
Create an action group. Its purpose is to deliver the notification when the alert is triggered.
Choose the notification type (for example Email) and a name for the receiver.
Fill in the rule details.
- Severity: the severity assigned to the alert when the rule's condition is met. Any use of a break glass account is significant, so choose the highest severity (Sev 0, Critical).
After creating the rule, wait 10-15 minutes for it to become active, then sign in to the Azure portal with the break glass account. Sign-in events take a few minutes to reach Log Analytics, so the notification will not be instantaneous.
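The whole procedure above (create the account, stream sign-in logs, build the alert on the saved Object ID, attach an e-mail action group) as one Azure CLI script. This is an added example, not code from the original article or from Microsoft: the tenant domain, resource names, location, notification address and rule names are assumptions, the script expects an existing `az login` session with Global Administrator rights, and `/providers/microsoft.aadiam` is the tenant-level resource path that Azure AD diagnostic settings are created under. The KQL it installs is the query the "Write the query" step asks for: SigninLogs filtered on UserId, the column that carries the user's Object ID.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Creates a break glass account
# and the monitoring around it with the Azure CLI.
# Usage:  ./breakglass.sh deploy     (needs: az login as a Global Administrator)
set -u

TENANT_DOMAIN="contoso.onmicrosoft.com"      # assumption: cloud-only default domain
BG_UPN="breakglass-01@${TENANT_DOMAIN}"       # assumption: break glass UPN
RG="rg-breakglass-monitoring"                # assumption
LOCATION="westeurope"                        # assumption
WORKSPACE="law-breakglass"                   # assumption
ACTION_GROUP="ag-breakglass"                 # assumption
ALERT_EMAIL="secops@contoso.com"             # assumption: who gets notified
ALERT_RULE="alert-breakglass-signin"         # assumption

# The Object ID must be a GUID; anything else means the wrong value was copied.
validate_object_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# KQL for the alert rule. SigninLogs.UserId holds the user's Object ID, so the
# filter catches every sign-in (successful or failed) by that account even if
# its display name or UPN is changed later.
build_signin_query() {
  printf 'SigninLogs | where UserId == "%s" | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName' "$1"
}

# Condition in the form "az monitor scheduled-query" expects: fire when the
# placeholder query returns at least one row in the evaluation window.
build_alert_condition() {
  printf '%s' "count 'BreakGlassSignIn' > 0"
}

deploy() {
  # 1. Create the break glass user and capture its Object ID.
  #    (Azure CLI older than 2.37 returns the ID as objectId instead of id.)
  password=$(openssl rand -base64 48)   # long random password; store offline, split between custodians
  object_id=$(az ad user create --display-name "Break Glass 01" \
      --user-principal-name "$BG_UPN" --password "$password" \
      --query id -o tsv)
  validate_object_id "$object_id" || { echo "unexpected object id: $object_id" >&2; return 1; }
  echo "Break glass Object ID: $object_id"

  # 2. Resource group and Log Analytics workspace.
  az group create --name "$RG" --location "$LOCATION" -o none
  ws_id=$(az monitor log-analytics workspace create --resource-group "$RG" \
      --workspace-name "$WORKSPACE" --location "$LOCATION" --query id -o tsv)

  # 3. Stream Azure AD sign-in logs to the workspace (tenant-level diagnostic setting).
  az monitor diagnostic-settings create --name "aad-signinlogs-to-law" \
      --resource "/providers/microsoft.aadiam" --workspace "$ws_id" \
      --logs '[{"category":"SignInLogs","enabled":true}]' -o none

  # 4. Action group that e-mails the on-call address.
  ag_id=$(az monitor action-group create --name "$ACTION_GROUP" --resource-group "$RG" \
      --short-name breakglass --action email oncall "$ALERT_EMAIL" --query id -o tsv)

  # 5. Log alert: evaluate every 5 minutes over a 5-minute window, severity 0 (Critical).
  az monitor scheduled-query create --name "$ALERT_RULE" --resource-group "$RG" \
      --scopes "$ws_id" --location "$LOCATION" \
      --condition "$(build_alert_condition)" \
      --condition-query BreakGlassSignIn="$(build_signin_query "$object_id")" \
      --evaluation-frequency 5m --window-size 5m --severity 0 \
      --action-groups "$ag_id" -o none
  echo "Done. Wait about 15 minutes, sign in as $BG_UPN and confirm the notification arrives."
}

if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Frequency and window are set equal (5m/5m) so each evaluation looks at a fresh window and a single sign-in is reported once; the `validate_object_id` check stops the script from installing a rule that filters on an empty or mistyped ID, which would silently never fire.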
Result: