Office365/Azure admin accounts

[Ian Chisholm 5]

Sooo.

We are obviously doing MFA, and microsoft is (soon) forcing MFA on O365 and Azure admin accounts anyway, But is anyone out there looking at Disaster Recovery policies and processes for when MFA goes belly up?

How do you plan to access those accounts and potentially grant non MFA access to users in an emergency for business continuity? We are using Azure MFA, not Duo, etc.

Good enough to force non cellphone related MFA?

Take the day off when this happens, as it did in Nov, 2018?

 

[Kevin Beaumont 111]

For me it's basically the same as what do you do if Office365 goes offline again - you wait for MS to fix it sadly.

[Ian Chisholm 5]

I was SO hoping there would be something else!!!

Edited July 29, 2019 by Ian Chisholm

[Kevin Beaumont 111]

1 hour ago, Ian Chisholm said:

I was SO hoping there would be something else!!!

I guess you could have a break glass admin account outside of MFA policy - then use that to reconfigure things if things go wrong.  If you use Conditional Access I guess you could whitelist everything to bypass MFA then.

[Ian Chisholm 5]

Aye, that’s Microsoft best practice advice. And don’t mirror MFA methods in case, for example, mobile network is down.

theres a decent link (below) but the MFA requirement is still there.

link: https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access

So I’ll add “and keep your fingers crossed” to the policy document!