Description
- Type: CUSTOMER
- Severity: ERROR/NOTICE
- Protection from: HUMAN ERROR
- FIX Available: Yes
This Customer Check validates that an Emergency Admin account exists in the Microsoft tenant and is known in the Attic configuration.
Why this check?
It is highly recommended, not least by Microsoft itself, to have an Emergency Admin (or Break-Glass) account: an administrator account that is used only in emergencies, and for which two-step verification is arranged via a physical means (a FIDO2 security key such as a YubiKey) that is stored in a secure location.
Use of the Emergency Admin account should be limited to genuine emergencies. It is therefore wise to monitor use of the account so that unauthorized use is detected immediately.
More information including examples of scenarios where an Emergency Admin Account is needed: https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
Which possible outcomes does this check have?
This check has three possible outcomes. In Attic this is expressed as follows:
- Okay: The Emergency Admin account is known to Attic and has been found in the Microsoft tenant
- Error: The Emergency Admin account has not yet been configured in Attic
- Notice: The Emergency Admin account configured in Attic has not been found in the Microsoft tenant
How should this be followed up?
If the outcome is Error, the Emergency Admin account still has to be specified in the Attic configuration and/or passed on to Attic.
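The three outcomes above, together with the sign-in monitoring recommended earlier, as an added example that is not Attic's own code: the shape of the Attic configuration (an `emergency_admin` key holding the account's UPN), the tenant user list and the JSON-lines sign-in records are all assumptions constructed for this example.

```python
"""Added example, not Attic's own code: evaluates the check's three outcomes
and flags every sign-in by the Emergency Admin in constructed sample data."""
import json

OKAY, ERROR, NOTICE = "Okay", "Error", "Notice"


def evaluate_check(attic_config: dict, tenant_users: list[str]) -> tuple[str, str]:
    """Map the configured Emergency Admin to the outcome the check reports.

    Error  : no Emergency Admin configured in Attic (key missing or empty)
    Notice : configured in Attic, but the account is not in the tenant
    Okay   : configured in Attic and found in the tenant
    """
    upn = (attic_config.get("emergency_admin") or "").strip()  # assumed config key
    if not upn:
        return ERROR, "Emergency Admin account not configured in Attic"
    if upn.lower() not in {u.lower() for u in tenant_users}:  # UPNs compare case-insensitively
        return NOTICE, f"Configured Emergency Admin {upn} not found in tenant"
    return OKAY, f"Emergency Admin {upn} found in tenant"


def emergency_admin_signins(signin_log: str, upn: str) -> list[dict]:
    """Return every sign-in record for the Emergency Admin from JSON-lines input.

    The account should only be touched in a genuine emergency, so successful
    and failed attempts are both returned for review.
    """
    hits = []
    for line in signin_log.splitlines():
        if line.strip():
            record = json.loads(line)
            if record.get("userPrincipalName", "").lower() == upn.lower():
                hits.append(record)
    return hits


# Constructed sample data (not real tenant values).
SAMPLE_CONFIG = {"emergency_admin": "breakglass@contoso.example"}
SAMPLE_TENANT_USERS = ["alice@contoso.example", "BreakGlass@contoso.example"]
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2024-01-10T02:14:00Z", "userPrincipalName": "alice@contoso.example", "status": "success", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2024-01-10T02:15:30Z", "userPrincipalName": "breakglass@contoso.example", "status": "success", "ipAddress": "198.51.100.7"}
{"createdDateTime": "2024-01-10T02:16:05Z", "userPrincipalName": "breakglass@contoso.example", "status": "failure", "ipAddress": "198.51.100.7"}
"""

if __name__ == "__main__":
    outcome, detail = evaluate_check(SAMPLE_CONFIG, SAMPLE_TENANT_USERS)
    print(f"{outcome}: {detail}")
    for hit in emergency_admin_signins(SAMPLE_SIGNIN_LOG, SAMPLE_CONFIG["emergency_admin"]):
        print(f"ALERT: Emergency Admin sign-in at {hit['createdDateTime']} from {hit['ipAddress']} ({hit['status']})")
```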