Break-Glass Account Successful Sign In
Detects when someone has used a Break-Glass account to successfully log in. Identity Intelligence automatically identifies these accounts based on common emergency account naming patterns, but any additional accounts should be added manually to the "Include" list in the check settings so that every critical Break-Glass account is monitored.
Most identity providers (IdPs) advise creating Break-Glass accounts to prevent accidental lockouts from the organization's IdP. For the same reason, Break-Glass accounts also pose a significant risk to an organization: they must hold elevated (admin) privileges and may not always be protected with MFA. It is critical to monitor the usage of these accounts to verify that they are only used for testing purposes or during an emergency.
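To make the check's logic concrete, the following is an added example (not Identity Intelligence's own code) of how a successful-sign-in detector for Break-Glass accounts can be built: candidate accounts are matched on naming patterns, an "Include" list adds accounts that the patterns miss, and only successful sign-ins produce an alert. The naming patterns, the `INCLUDE_LIST` entries, the event field names and the sample events are all constructed assumptions for illustration; the product's real pattern list and log schema are not on this page.

```python
import re
from dataclasses import dataclass

# Assumed naming patterns for emergency accounts (hypothetical; the product's
# own pattern list is not documented on this page). Matched against the
# local part of the username, case-insensitively.
BREAK_GLASS_PATTERNS = [
    re.compile(r"^break[-_.]?glass", re.IGNORECASE),
    re.compile(r"^emergency[-_.]?(admin|access)", re.IGNORECASE),
    re.compile(r"^bg[-_.]?admin", re.IGNORECASE),
]

# Manual "Include" list, mirroring the check setting described above.
# Accounts here are treated as Break-Glass even if no pattern matches them.
INCLUDE_LIST = {"svc-lastresort@example.com"}  # constructed entry


def local_part(user: str) -> str:
    """Return the part of a UPN/e-mail style username before the '@'."""
    return user.split("@", 1)[0]


def is_break_glass(user: str, include_list=INCLUDE_LIST,
                   patterns=BREAK_GLASS_PATTERNS) -> bool:
    """True if the account is on the include list or matches a naming pattern."""
    if user.lower() in {u.lower() for u in include_list}:
        return True
    return any(p.search(local_part(user)) for p in patterns)


@dataclass(frozen=True)
class Alert:
    user: str
    timestamp: str
    idp: str
    source_ip: str
    mfa_used: bool
    severity: str


def detect_break_glass_signins(events, include_list=INCLUDE_LIST):
    """Return one Alert per successful sign-in by a Break-Glass account.

    Failed sign-ins are deliberately ignored: this check covers successful
    sign-ins only. A sign-in without MFA is rated higher because the page
    notes these accounts are often not MFA-protected.
    """
    alerts = []
    for ev in events:
        if ev["result"] != "SUCCESS":
            continue
        if not is_break_glass(ev["user"], include_list):
            continue
        mfa_used = bool(ev.get("mfa", False))
        alerts.append(Alert(
            user=ev["user"],
            timestamp=ev["timestamp"],
            idp=ev["idp"],
            source_ip=ev["source_ip"],
            mfa_used=mfa_used,
            severity="medium" if mfa_used else "high",
        ))
    return alerts


# Constructed sample sign-in events (not real log data). Field names are an
# assumed, IdP-neutral schema.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T02:14:07Z", "idp": "Entra ID",
     "user": "breakglass-admin@example.com", "result": "SUCCESS",
     "source_ip": "203.0.113.10", "mfa": False},
    {"timestamp": "2024-05-01T08:02:51Z", "idp": "Okta",
     "user": "alice@example.com", "result": "SUCCESS",
     "source_ip": "198.51.100.7", "mfa": True},
    {"timestamp": "2024-05-01T09:30:00Z", "idp": "Okta",
     "user": "emergency.access@example.com", "result": "FAILURE",
     "source_ip": "198.51.100.9", "mfa": False},
    {"timestamp": "2024-05-01T11:45:22Z", "idp": "Google Workspace",
     "user": "svc-lastresort@example.com", "result": "SUCCESS",
     "source_ip": "192.0.2.44", "mfa": True},
]


if __name__ == "__main__":
    for alert in detect_break_glass_signins(SAMPLE_EVENTS):
        print(f"[{alert.severity.upper()}] {alert.user} signed in to "
              f"{alert.idp} from {alert.source_ip} at {alert.timestamp} "
              f"(MFA used: {alert.mfa_used})")
```

In the sample run, the pattern-matched account and the include-listed account each produce an alert, the ordinary user produces none, and the failed sign-in by an emergency account is not reported here because it belongs to a different check. The include list is what catches accounts whose names follow no recognisable convention, which is why the page recommends maintaining it.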
Recommended Actions
Verify that the sign-in activity for the affected Break-Glass account(s) had a legitimate reason. If the account was compromised, or is suspected to be, change its password and ensure that MFA or SSPR are not linked to any individual user's device or personal details.
Organizations are strongly encouraged to routinely audit the security configuration of these emergency accounts, as well as the users who have access to the account's log-in credentials. To increase the security of Break-Glass accounts, consider enabling MFA on the account if possible, or rotate the account password/key regularly so that users who have left your organization do not retain access to this account.
Be sure to enable a notification target on this check to receive alerts when a successful sign-in occurs, or log into Identity Intelligence on a weekly basis to review the results.
Compatibility
Microsoft Entra ID, Okta, Duo, Google Workspace, Salesforce