Exclude Emergency Access account from Security Defaults
Microsoft has done a great job by releasing security defaults; however, it lacks the ability to exclude a single emergency access account. As per https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access one of Microsoft's best practices for Azure Active Directory (Azure AD) is to have a cloud-only emergency access account which is excluded from MFA.
This is similar to the built-in Administrator account in traditional Active Directory. Without the ability to exclude a single account, most organizations without AAD P1 licensing will simply leave security defaults turned off.
If we want fine-grained exclusions or multiple emergency access accounts, it would then make sense to purchase AAD P1 licenses and configure Conditional Access.
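The Conditional Access route the post describes, as an added worked example that is not part of the original post or the thread: it disables Security Defaults and immediately replaces them with a tenant-wide MFA policy that excludes the emergency access account, using the Microsoft Graph PowerShell SDK. Assumptions (none of them come from the page): the Microsoft.Graph module is installed, the signed-in admin holds the Policy.ReadWrite.ConditionalAccess, Policy.Read.All and User.Read.All Graph permissions, the tenant is licensed for Conditional Access, and `breakglass@contoso.onmicrosoft.com` is a placeholder UPN for the emergency access account.

```powershell
# Added example (not from the original post or the thread).
# Assumes the Microsoft.Graph module and the Graph permissions listed in the lead-in.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Placeholder UPN for the cloud-only emergency access account (assumption).
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'

# Conditional Access exclusions are keyed on the user's object ID, not the UPN,
# so resolve the account first and fail loudly if it does not exist.
$breakGlass = Get-MgUser -UserId $breakGlassUpn -Property Id, UserPrincipalName
if (-not $breakGlass) { throw "Emergency access account '$breakGlassUpn' not found" }

# Policy: require MFA for every user on every cloud app, except the emergency access account.
# This reproduces the MFA requirement that Security Defaults enforce, with the one exclusion
# the thread is asking for.
$policy = @{
    displayName   = 'Require MFA for all users (excluding emergency access account)'
    state         = 'enabled'
    conditions    = @{
        users        = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @('All')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Security Defaults and Conditional Access are mutually exclusive: an enabled Conditional
# Access policy cannot be active while Security Defaults are on. Turn the defaults off and
# create the replacement policy in the same run to keep the unprotected window short.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify what the tenant actually stored before trusting it: state must be 'enabled' and the
# exclusion list must contain exactly the emergency access account's object ID.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.State -ne 'enabled') { throw "Policy '$($check.DisplayName)' is not enabled" }
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlass.Id) {
    throw 'Emergency access account is not excluded from the MFA policy'
}
Write-Host "Created policy $($check.Id); Security Defaults disabled; $breakGlassUpn excluded from MFA"
```

Two points a practitioner would want alongside this. First, the policy is created directly in the `enabled` state here because Security Defaults must already be off for an enabled Conditional Access policy; if the tenant already runs other Conditional Access policies, create the new one as `enabledForReportingButNotEnforced` first and review the sign-in log results before switching it on. Second, the same `excludeUsers` entry belongs in every other Conditional Access policy the tenant adds later, otherwise a new policy can silently lock the emergency access account out again.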
I found this article below; if that setup with an Azure AD App Registration remains fully supported in the future alongside Microsoft Security Defaults, then this problem seems to be fixed for all who can wield the power of PowerShell?
Definitely required, at least for one account. I wonder if the MFA trusted IPs are honored by security defaults? If so, at least you could bypass the MFA requirement from the office even though it was enabled on the account.
Shim Kwan commented
Just looking for an update on this thread?
When Security Defaults are enabled, is there a way to exclude Break-Glass-Accounts and/or Service Accounts from MFA...or must we still rely on Conditional Access to achieve this recommended Best Practice?
Basic security on a B2C tenant that must immediately be disabled when using automation for advanced things like OAuth permission granting :(
Jakub Bereżański commented
According to Microsoft emergency access guidelines (https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access ), ideally there should be two or more such accounts. So the Security Defaults feature should support excluding any number of accounts, not just a single one.
Jetze Mellema commented
Security Defaults are a great feature, but we require a break glass account. This means I have to disable the default and create custom Conditional Access rules and potentially make errors and weaken the security posture.
Great idea to encourage adoption of Security Defaults and by explicitly designating an emergency access account in AD, Microsoft can put controls, alerts and auditing around the account to help organisations ensure it is used for emergencies only.
Erik Duensing commented
Maxim Sokolov commented
adding my vote
Agreed, this is a requirement for break glass
Rich Lusk commented
I agree with Jake. I have customers that can't afford Azure AD Premium but still need to be able to create a Break Glass account without MFA on it. It would be easier on all Microsoft CSPs if Conditional Access Policies were available to all tenants.
Tero Pihlaja commented
We have similar requirements as Lasse already raised. We need to have some service accounts without MFA.
Lasse Thomsen commented
We do use MFA for all users and admins, but we do have some service accounts and a Break Glass account, all with long, complex passwords, that we don't want to have MFA on. An easy way for an admin to generate a meaningful report on the usage of these non-MFA accounts would be helpful.
Oh, and one more thing: if you are serious about security, you should never have to pay for security! It must come as standard!
Pat DiPersia commented
I agree with Jake. We need a way to exclude our break glass account, especially since this is a best practice from Microsoft. Paying for conditional access to do this right shouldn't be the case.
Additionally, I'm not sure I agree with push notifications to the Microsoft Authenticator app being the ONLY way to log in. I find the 6-digit rolling code to be much more secure. We can educate users all we want, but I can guarantee users WILL push approve if a hacker gets their credentials, because they simply don't read or think sometimes.
I just read up on security defaults and I wanted to post this somewhere: 'Well done!' on making this a standard for all accounts. At one point, in order to get MFA you had to purchase AD Premium, and I remember posting some feedback that you should never have to pay for security. So, bravo on making this move to make it simple and effective for all accounts to be protected and not charging for it. I agree too that setting up one account to exclude for emergency access would be nice. I know that I can go through the process of setting it up in Conditional Access, but the exception account would make it convenient to not have to go through that process, or to be concerned that I might not set it up right since I don't do that every day.
Waters, Jeremy commented
Furthermore, if you want to follow Microsoft best practices, and exclude your emergency access account(s) from MFA, and therefore disable Security Defaults, and create your own Conditional Access policy, then you also will have lost the Unified MFA Registration feature of Security Defaults. To make up for that, you need to pony up to P2 for your users - so that you can turn this back on in Identity Protection. Ouch!
Jason Hartman commented
1000% yes. We need the ability to exclude certain service accounts and break-glass accounts from Security Defaults. Or you need to make Conditional Access free for all 365 accounts so we can deploy MFA the recommended way without paying extra for a basic feature that claims to eliminate 99% of security breaches.