๐ก๏ธ๐งโ๐ผโ๏ธ๐Group - Break the Glass solution
What this group is forโ
This is a dynamic security group created to contain your last-resort admin account.
The one you hope to never use โ but also hope actually works when you need it.
It's used in combination with:
If you're in this group:
โ
You are excluded from baseline CA policies
โ
You can sign in from one named location
โ You are completely blocked everywhere else
๐ Configuration Overviewโ
| Setting | Value |
|---|---|
| Group name | ๐ก๏ธ๐งโ๐ผโ๏ธ๐Group - Break the Glass solution |
| Group description | Emergency access account group. Dynamic. Strictly monitored. Restricted to a known named location only. |
| Group type | Security |
| Membership type | Dynamic |
| Dynamic rule | (user.userPrincipalName -contains "gordon.freeman") |
๐ Membership Governanceโ
This group is managed by rule, not by hand.
- Accounts must be provisioned with a predictable UPN
- Membership syncs automatically across tenants (via SuperVision)
- Every environment should track this group and validate it regularly
This isn't just another admin group. This one gets you in when nothing else works.
๐ง Final Noteโ
This group bypasses all protections โ intentionally.
But with that comes responsibility.
๐ธ๏ธ "With great exclusions come great consequences."
So:
- Monitor this group
- Document why it exists
- Donโt forget it exists
Because one day you might need it.
And if it doesn't work... well, let's not get terminated.