With the introduction of Just In Time and Privileged Identity Management accounts, using a Global Administrator account to manage Azure/Entra is no longer recommended.
As per Microsoft's KB, it is advised to secure a Global Administrator account (or multiple) for Emergency Access use only.
To facilitate this, CyberQP is providing this KB Article to outline a method to ensure that the Emergency Access Account password remains unchanged by Quickpass.
- Azure/Entra Tenant for Customer
- Quickpass Subscription
- Quickpass Customer linked to Azure/Entra Tenant (https://support.getquickpass.com/hc/en-us/articles/360039678373-How-to-Connect-an-Azure-AD-Office-365-tenant-to-a-Quickpass-Customer)
- Microsoft Entra ID P1 license for each administrative unit administrator who is assigned directory roles over the scope of the administrative unit:
- Current Account able to set up Administrative Units in Azure/Entra
- Created Account(s) to use as Emergency Access Accounts
- Ensure that the accounts used for this purpose have ALL access to Azure/Entra required for full access (including subscription, Roles, etc.)
Log into the Management Portal
|Azure Portal||Entra Admin Center|
Click Microsoft Entra ID
|Expand the Identity -> Roles and Admins Section
Select Administrative Units
|Select Admin Units|
Enter a Name and Description that is Appropriate
Ensure that the "Restricted management administrative unit" Toggle is set to YES
On the Assign Roles screen you can leave the Defaults
Once you have confirmed everything is correct click Create
Denying access to the Emergency Access Accounts
With this configuration you are explicitly DENYING Quickpass from accessing the Emergency Access Accounts. Quickpass will NOT be able to rotate the passwords for these accounts, keeping with Microsoft's direction.
- Click on the newly created Administrative Unit
- Click Add Member at the top of the screen
- Search for any account(s) you wish to exclude from rotation by Quickpass.
- Put the check mark in the Box to add the account and then repeat until all accounts have been added.
- Once all accounts you want to exclude have been added, click Select
- The account(s) in the list will no longer be able to be managed by the Quickpass Enterprise App
- All accounts NOT in the list will still be able to be accessed by the Quickpass Enterprise App.
NOTE: Because the account(s) attributes that you have added to this Administrative Unit can still be READ by the Quickpass Enterprise app, they will still get imported if you have Automatic Import configured by Azure/Entra Role. We recommend turning OFF the Automatic rotation toggle for these accounts to avoid errors on each rotation cycle.
If someone were to attempt to change the password or rotate that account's password using Quickpass, the following error will be displayed.