Plan and implement emergency access (breakglass) accounts

Implementation Effort: Medium – Requires creating cloud-only accounts, securing credentials with dual-control procedures, configuring Conditional Access exclusions, and establishing monitoring and testing routines across IT and security teams.
User Impact: Low – Emergency access accounts are used exclusively by authorized administrators during outage or lockout scenarios; end users are not involved or affected.

Overview

Emergency access accounts, commonly referred to as breakglass accounts, are cloud-only accounts permanently assigned the Global Administrator role in Microsoft Entra ID. These accounts are not tied to any individual and are reserved exclusively for scenarios where normal administrative access paths fail. Examples include federation outages, multifactor authentication (MFA) service disruptions, Conditional Access policy lockouts, and Privileged Identity Management (PIM) misconfigurations that prevent role activation. Without functioning emergency access accounts, an organization can lose all administrative control over its tenant, requiring Microsoft support escalation and extended downtime to regain access.

This task is foundational to privileged access management. Organizations that deploy Conditional Access policies and Privileged Identity Management without first establishing emergency access accounts create a single point of failure: if a Conditional Access policy is misconfigured broadly or a PIM approval chain breaks, there is no recovery path. Microsoft recommends creating at least two emergency access accounts with strong, randomly generated passwords stored in separate secure physical locations that are accessible only through multi-person authorization. At least one account should be excluded from all Conditional Access policies and MFA requirements to guarantee access during authentication service disruptions. The second account can optionally use a FIDO2 security key stored in a secure location for credential diversity.

Emergency access accounts must be continuously monitored. Any sign-in, password change, or role modification on these accounts should trigger high-priority alerts in Azure Monitor or Microsoft Sentinel. Organizations should establish a post-mortem process to review every emergency account usage and validate it was authorized. Quarterly testing of account access is critical to confirm functionality, and credentials should be rotated every 90 days or immediately after personnel changes. Failing to test and monitor these accounts means an organization may discover during an actual crisis that the credentials are expired, the accounts are disabled, or alerting is not working.
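The monitoring described above can be implemented as a single Kusto (KQL) query over the Entra ID sign-in and audit logs exported to a Log Analytics workspace or Microsoft Sentinel. The query below is an added example, not Microsoft's published query; the two GUIDs are placeholders that must be replaced with the object IDs of the organization's own emergency access accounts, and the `SigninLogs` and `AuditLogs` tables are assumed to be connected to the workspace.

```kql
// Placeholder object IDs of the two breakglass accounts (assumption: replace with real values)
let BreakglassAccounts = dynamic([
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
]);
// 1. Every sign-in attempt by a breakglass account, successful or failed.
//    Any row here should page the security team; these accounts are never used routinely.
let BreakglassSignIns = SigninLogs
    | where UserId in (BreakglassAccounts)
    | project TimeGenerated,
              Activity = "Sign-in",
              Target = UserPrincipalName,
              Actor = UserPrincipalName,
              Result = tostring(ResultType),
              IPAddress,
              Detail = AppDisplayName;
// 2. Password changes and role assignment changes that target a breakglass account.
//    These cover credential rotation (expected, but must be authorized) and tampering.
let BreakglassChanges = AuditLogs
    | where Category in ("UserManagement", "RoleManagement")
    | mv-expand TargetResources
    | where tostring(TargetResources.id) in (BreakglassAccounts)
    | project TimeGenerated,
              Activity = OperationName,
              Target = tostring(TargetResources.userPrincipalName),
              Actor = tostring(InitiatedBy.user.userPrincipalName),
              Result = tostring(Result),
              IPAddress = tostring(InitiatedBy.user.ipAddress),
              Detail = tostring(TargetResources.displayName);
// Combine both feeds; use this as the body of an analytics rule with a high severity
// and a short run frequency so that every event is reviewed in the post-mortem process.
union BreakglassSignIns, BreakglassChanges
| order by TimeGenerated desc
```

Because the query returns rows for failed sign-ins as well, it also surfaces attempts to guess or replay breakglass credentials, which is the early-warning signal the quarterly test and the post-mortem review are meant to validate.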

This activity directly supports the Zero Trust principle of Assume breach by ensuring that administrative recovery mechanisms exist when primary identity infrastructure is compromised or unavailable. It also supports Verify explicitly because every use of an emergency access account should be detected, logged, and investigated, creating an auditable trail that validates whether the usage was legitimate.

Reference