I know it’s been a little quiet on new blog articles the last few months, but that’s due to other community topics I’m working on. One of my new projects is the Azure Ask my Anything Live format that I will be hosting with my team at Azure Bonn Live on YouTube and Linkedin. I’m excited to announce that we’re kicking off this year with an Azure AMA on Azure Virtual Desktop Best Practices, and we have the pleasure of welcoming Marcel Meurer and Patrick Koehler to this session. Marcel and Patrick are two Azure MVPs and do a lot of work in the AVD community. Marcel is known as the brains behind the WVDAdmin and Project Hydra products, which are services to automate all things Azure Virtual Desktop. Patrick has also been active in the AVD community for many years with great sessions and insights about AVD and is the organizer of AVD TechFest together with Simon Binder.
Azure AMA – Azure Virtual Desktop Best Practices will take place live on Youtube on February 14, 2022. You can register for this event via our Azure Bonn page. Please note that this is a live AMA session and we would love for you to join us live and bring your questions to the session. If you don’t have time this time, please use our Microsoft forms to submit your questions before the session starts. The session will be held in German, but you can also ask your questions in English.
Over the past few months, I have conducted many customer workshops, designed and implemented Landing Zones, and migrated or placed VMs into Azure. One of the most common customer questions has been about best practices for Azure VMs to maximize performance and efficiency, minimize costs, increase security, and reduce management overhead. This article is based on my real-world experience and recommendations based on several Azure projects.
I´ve updated the article because the actual sign-in query only logs all login attempts of the break glass account (successfully, unsuccessfully, etc.) . I added the different IDs so that you can setup the alert mail based on a indivudal filter. Thank you goes out to Eric Soldierer for this note. I also updated some changed services that had left their preview status.
In the past I do a lot of Azure Governance workshop and one interesting topic is how to handle the Break Glass Account. Before we going deeper, first we take a look was is the Break Glass Account. For each Administrator role in Azure or Office365 is it best practice to use MFA to secure the account and get a better security for the Tenant. To realize this, normally we use Conditional Access and create a rule, that every Admin require MFA for login. But what can we do, when:
the MFA service is down
we create a Conditinal Access that with a wrong rule set and lost sign-in access
we do not regulary update our control list and the admin account goes lost
For this cases we need a Break glass account, an additional account with a high security password, to enter the Tenant in an emergeny case. For this account, there are some recommendations:
only use a generic account
create a complex password with more than 16 characters
for compliance reason divide the password into two parts
save each part in a different location
create a security group that contains the break glass accounts
create two break glass accounts with no standard username like breakglass@ or emergency
use the Tenant name for the account
do not use a custom domain name
in futher it will be possible to use FIDO2 security key for break glass (right now is in preview and not recommended for such critical scenario)
Now we can discuss in some ways a security gap – a service account with Global admin rights that do not require MFA for login. Now you see, why it is so important to monitor this accounts and get notified when they will be used for login.