Posted by Dana Epp
Azure MFA: How to NOT get locked out
So recently I was talking with someone who got locked out of the Microsoft Cloud because her multifactor authentication (MFA) configuration got corrupted and wouldn’t let her log in. As she was the only admin for the tenant, she had no easy way to get back into her account. Tough place to be in.
It reminded me of some advice I gave a customer last year that helped them avoid this issue and saved their bacon 🥓 when a major MFA outage occurred in Azure and they had to get in to allow staff to approve a major deal worth millions.
Wanna know what I told them? Check out the latest episode of #KnowOps below. Don’t forget to subscribe to the KnowOps channel and get early access to the loads of other information to help you master the Microsoft cloud by signing up for the KnowOps Newsletter.
So a few weeks ago, someone shared with me an experience they had where they got locked out of Azure Active Directory because their MFA configuration got corrupted. As the only administrator in that tenant, they thought they were pretty much screwed. That got me thinking about some advice I gave a customer about a year ago that actually helped them during a major MFA outage, so that they could get back into their tenant and get their people working; they had to get into their tenant to approve a multimillion-dollar deal. So I thought maybe in this video we'd talk about the advice I gave them. Who knows, might save your butt some day too.
Dana Epp here. Welcome to the show that helps you get to know ops, and, well, master your Microsoft Cloud environment.
It doesn't matter if you're using Azure Advisor or looking at Microsoft Secure Score, they're both gonna provide recommendations that your global administrator accounts should have MFA, or multi-factor authentication, turned on. That's great advice, but what happens if MFA's down? How do you get logged in? How do your people get back to work if you can't actually get into the system? My recommendation is that you always have a minimum of two global administrator accounts, and that one of them actually doesn't have MFA turned on. That kind of goes against the guidance and the recommendations you're getting, but there's a reason for it: that account allows us to get into the system if there's ever an outage and we need to get in.
Now, because of that, that account has to have a highly complex password. I recommend that you actually physically secure that thing. Write it down, put it in an envelope, and seal it; normally I'll sign my name across the seal to make sure it hasn't been tampered with. Then on the front of it, I provide instructions on who's authorized to open it in case of an emergency. That's actually just good advice anyways, because for business contingency planning, having a global admin account that the company can access when needed is quite useful. If I was to leave the organization, or God forbid, I'm hurt or sick and can't get in, we have instructions, in our case for the board of directors, to authorize someone to have access to that credential if needed. Then we store that away in a company safe and we're in a much better place.
Admin accounts without MFA are risky, I get that. So it's really important that you're monitoring when that account is used. Turn on Azure Monitoring and audit when that account logs in. Even better, turn on action groups and make sure all administrators are part of them, so they all get notified simultaneously when that account is used and everyone knows that something's going on and an emergency account is in use. That's also a great opportunity for everyone to hold each other accountable for updating that credential once it's been used and placing it back in the safe, so that you always have a strong credential that isn't in general use. If you have Azure AD Premium, take advantage of conditional access policies. Things like location awareness or device trust allow you to isolate and reduce that risk even further, and provide an even better mechanism to lock down how, when, and by whom that credential can be used.
One tip, though: don't try to lock it down to a single IP address unless you have complete control of it, because in an emergency you might not be at that specific IP and still need access. Alternatively, consider using things like jump servers or other capabilities where you know you have access, which can help isolate and control who, how, and when that credential can be used.
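To make the monitoring advice above concrete, here is an added example (not code from the original post) of the two checks a practitioner would want over sign-in and audit records: alert on every use of the emergency account, with untrusted locations and failed attempts rated higher, and flag any successful use that was not followed by a password rotation. The account name, trusted network range, timestamps and log entries are constructed sample data, and the record shape is assumed to follow Microsoft Graph signIn and directoryAudit resources.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical emergency account and trusted ranges (constructed, not from the post).
EMERGENCY_UPN = "breakglass@contoso.example"
TRUSTED_NETS = [ip_network("203.0.113.0/24")]  # office or jump-server egress range
ROTATE_WITHIN = timedelta(hours=24)  # credential must be rotated after each use
# Constructed sample records shaped like Graph signIn / directoryAudit resources.
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-01-10T08:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "BreakGlass@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2024-01-10T09:00:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "breakglass@contoso.example", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-01-12T02:00:00Z", "status": {"errorCode": 50126}},
    {"userPrincipalName": "breakglass@contoso.example", "ipAddress": "198.51.100.7",
     "createdDateTime": "2024-01-12T02:05:00Z", "status": {"errorCode": 0}},
]
PASSWORD_RESETS = [  # "Reset password" audit events for the account (constructed)
    {"target": "breakglass@contoso.example", "activityDateTime": "2024-01-10T12:00:00Z"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def emergency_signins(signins, upn=EMERGENCY_UPN, trusted=TRUSTED_NETS):
    """Flag every sign-in attempt by the emergency account. Failures count too:
    a guessed or leaked sealed credential usually shows up as failed attempts first."""
    alerts = []
    for s in signins:
        if s["userPrincipalName"].lower() != upn.lower():  # UPNs are case-insensitive
            continue
        ok = s["status"]["errorCode"] == 0
        in_trusted = any(ip_address(s["ipAddress"]) in n for n in trusted)
        alerts.append({"time": s["createdDateTime"], "ip": s["ipAddress"], "success": ok,
                       "trusted_location": in_trusted,
                       "severity": "high" if ok and in_trusted else "critical"})
    return alerts

def unrotated_uses(signins, resets, upn=EMERGENCY_UPN, window=ROTATE_WITHIN):
    """Successful uses with no password reset inside `window` afterwards, i.e. the
    credential in the envelope is stale and the account is still 'live'."""
    resets_at = [_ts(r["activityDateTime"]) for r in resets if r["target"].lower() == upn.lower()]
    stale = []
    for a in emergency_signins(signins, upn):
        used = _ts(a["time"])
        if a["success"] and not any(used <= t <= used + window for t in resets_at):
            stale.append(a["time"])
    return stale
```

In a real deployment the same logic would be driven from exported sign-in and audit logs (or expressed as an Azure Monitor alert rule feeding the action group), with the unrotated-use check run on a schedule rather than once.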
So here's a little twist to the story. That administrator who got locked out: I asked her a little bit more about what went on and how it all happened. She's part of a small consultancy firm and she's the only administrator, so she kind of got in her own predicament because there was no one else there to unlock her. But what was more interesting was, when I dug a little deeper, what she told me was that she thought that admin accounts required licenses, and, well, licenses cost more money, and she didn't think that was appropriate for just having access, and so she had the global admin account tied to her, and well, first off, that's a really bad idea.
You should never have global admins as normal login users. You shouldn't be using that for your daily access. Your Office 365 licenses and whatnot should be tied to you, your user account, not your administrative account. And you shouldn't be doing daily administration with that account. Global administrators should be used for just doing administration, and that shouldn't have any licenses tied to it at all. And here's the good news: there's no cost to that. Even more importantly, there's no cost for MFA for global administrators in that way. So, well, of course you're not going to apply MFA to that one emergency account so it doesn't really matter anyways, but global admin accounts are always free.
So while I do advise that this one emergency admin account doesn't have MFA, all your other accounts should. And if you don't have that set up yet, you really need to do it. You really can make this frictionless and make it easier on the administrators; you don't have to enforce it every time. It isn't like a decade ago, when it was so cumbersome having a boatload of physical tokens, which was just not a good time for us as administrators. Nowadays you can use things like conditional access policies and push technologies, so it becomes really trivial to make strong identification practical for administrators. Combine that with things like device trust and you're not enforcing it every single time unless you choose to, which is always a very powerful and useful thing. Honestly, it's not that hard. Check this out... See, it really can't get much easier.
Actually, that's not true. You can actually have it push right to your watch. Check this out... It's really that easy. So in summary, always have a minimum of two global administrator accounts, I usually recommend no more than five, and one of those accounts should have MFA turned off. That way you can get in in case of an emergency. You gotta make sure that account is highly monitored because you need to be aware when it's used, and, in the end, this might save your butt, if you have to get in and MFA is not available to you.
So that administrator who got locked out, well, here's the ending to that story. She had to work with Microsoft support for over four days before she got back into her account. And because she used that global admin account as her regular account too, that meant she couldn't use the Microsoft Cloud or Azure for that period of time. It was a huge business disruption for her. And it was a huge headache, and at the end of the day, this all could have been avoided had she had that emergency account.
I'm curious, how do you handle global admin access? Let me know in the comments, and let me know if this advice resonates with you. Does it make sense, do you have a better way? If you do, share that in the comments as well. It's the whole point of the KnowOps community. It's so we can learn from each other and get better as administrators. In the meantime, thanks for watching, smash the subscribe button, hit like or unlike, hey you know what, it's good feedback either way. And make sure you subscribe to the KnowOps newsletter. Each week, we'll send information about each one of these episodes as well as other tips and tricks and links to other things that make us better administrators and master the Microsoft Cloud. Until then, we'll see you in the next episode.