
🚦🔴👨‍💼CA - Block External login for BTG

What this policy is for

This Conditional Access policy is built to block everything for Break-the-Glass (BTG) accounts — except from one safe place.

It’s not about convenience. It’s about control.
Even if credentials are compromised, they’re useless outside your trusted perimeter.

Used in combination with:


🔍 Configuration Overview

📌 Purpose and Impact

This policy creates a sealed environment:
Access is fully blocked unless the login originates from the exact named location.

It's the cleanest way to ensure:

  • BTG credentials are useless in the wrong place
  • No need to maintain exclusions in every new policy
  • SuperVision-based setups stay clean and repeatable

🧭 Governance & Security

Break-the-Glass accounts should be rare, isolated, and restricted:

  • Only your lead security team should know of this account
  • Don’t store credentials in your regular password vault
  • Use a separate protected vault (with access audit logging)
  • Log and alert on any sign-in, successful or failed
  • Regularly validate the named location and account state

🔐 “If everyone knows where the key is hidden, it’s not a secure door.”
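The sealed-environment design above (all apps, all locations, block, with only the trusted named location excluded) expressed as a Microsoft Graph `conditionalAccessPolicy` body, plus an audit function for the "regularly validate" step that flags drift in an exported policy. This is an added example, not the project's own code; the account object ID and named-location ID are placeholders you substitute with your tenant's values.

```python
import json

# Placeholders (constructed): replace with the BTG account object IDs and the
# trusted named location ID from your own tenant.
BTG_USER_IDS = ["<BTG-ACCOUNT-OBJECT-ID>"]
TRUSTED_LOCATION_ID = "<TRUSTED-NAMED-LOCATION-ID>"


def build_btg_block_policy(btg_user_ids, trusted_location_id,
                           name="CA - Block External login for BTG"):
    """Graph conditionalAccessPolicy body: block the BTG accounts for every
    cloud app from every location except the single trusted named location."""
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": list(btg_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": {
                "includeLocations": ["All"],
                "excludeLocations": [trusted_location_id],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def audit_btg_policy(policy, btg_user_ids, trusted_location_id):
    """Check an exported policy still seals the BTG accounts.
    Returns a list of findings; an empty list means no drift from the design."""
    findings = []
    cond = policy.get("conditions", {})
    loc = cond.get("locations", {})
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not 'enabled'")
    if set(btg_user_ids) - set(cond.get("users", {}).get("includeUsers", [])):
        findings.append("not every BTG account is targeted by the policy")
    if cond.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("policy does not cover all cloud apps")
    if loc.get("includeLocations") != ["All"]:
        findings.append("policy does not apply to all locations")
    if loc.get("excludeLocations") != [trusted_location_id]:
        findings.append(f"excluded locations {loc.get('excludeLocations')} "
                        "are not exactly the trusted named location")
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control is not 'block'")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_btg_block_policy(BTG_USER_IDS, TRUSTED_LOCATION_ID), indent=2))
```

Run the audit against a policy fetched from `GET /identity/conditionalAccess/policies/{id}` on a schedule so that a second excluded location or a report-only state is caught before the day the account is needed.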


🧠 Final Note

This isn’t just another policy — it’s your digital airlock.

Set it.
Test it.
Forget it… until the day you’ll be glad it’s there.

🕵️ “If your BTG login works from Starbucks, it’s not a BTG account — it’s a liability.”