Emergency Access Account Check [CHK-1135]
This check validates whether an Emergency Access Account, also known as an Emergency Admin, is configured and known within the Attic configuration.
Rationale
An Emergency Admin account is a vital security measure, recommended by Microsoft, to handle emergencies. It is an administrator account that is only used in emergencies and is protected by two-step verification via a physical means (FIDO2 security key such as Yubikeys) stored in a secure location. The use of the Emergency Admin account should be limited to the absolute minimum of emergencies and monitored to immediately detect unauthorized use.
Fix
An automated fix is available through Attic. This will configure an Emergency Admin account in the Microsoft tenant and immediately register it in Attic.
To fix it yourself:
- Navigate to Entra ID portal at https://entra.microsoft.com
- Go to Users > All users
- Click "New user" > "Create new user"
- Set username to "EmergencyAdmin@[yourdomain].onmicrosoft.com" (use cloud-only account)
- Set a strong password and note it securely
- Uncheck "Require this user to change their password when they first sign in"
- Click "Create"
- Click on the newly created user
- Go to "Assigned roles"
- Click "Add assignments"
- Select "Global Administrator"
- Click "Add"
- Inform Attic of the emergency admin account username via the configuration
Impact
The Emergency Admin account will be known to Attic and found in the Microsoft tenant. If the account has not yet been configured in Attic, it must be specified in the Attic configuration and/or passed on to Attic. If the Emergency Admin account configured in Attic has not been found in the Microsoft tenant, it is advised to check the Emergency Admin account and pass it on again.
More Information
For more information including examples of scenarios where an Emergency Admin Account is needed, visit Microsoft's Emergency Access Guide.