36 Split-custody break-glass
Splits the 20 Break-glass admin + offline backup codes credential between two people: one holds the password, the other holds the security keys or backup codes. Neither can sign in alone, so a single coerced, compromised or malicious custodian cannot use the tenant's most powerful account. It is a two-person rule on the recovery path, done manually.
Documentation: Security best practices for administrator accounts ↗
Caveats
This is a process control — it is carried out offline, so there is no Admin Console walkthrough to show.
Ongoing maintenance
- requires a human Annually: repeat the reassembly drill and rotate the secret after use.
How to verify
Run the reassembly drill: both custodians produce their halves and the credential works end to end. A split secret that has never been recombined is not known to exist.
v0.0.3Prevent policy #32 · #13, #3 ↗