What is a break-glass account in Microsoft 365?
Quick Answer
A break-glass (or emergency access) account is a highly privileged account used only during emergencies when normal admin accounts are unavailable. It should be excluded from Conditional Access and use a long, complex password stored securely offline.
Detailed Explanation
A break-glass account (also called an emergency access account) is a special Global Admin account designed for use only when all other administrative access fails. Microsoft recommends maintaining two break-glass accounts per tenant.
**Purpose:**
- Restore access when regular admin accounts are locked out
- Bypass MFA failures or Conditional Access misconfigurations
- Recover from catastrophic authentication provider failures
- Access tenant during widespread identity system outages
**Configuration requirements:**
1. Cloud-only accounts, with no federation or on-premises sync
2. Permanent Global Admin assignment, not a PIM time-limited activation
3. Excluded from all Conditional Access policies
4. Either no MFA, or hardware-based MFA with the hardware keys stored separately from the password
5. Long, complex passwords (at least 32 characters) generated randomly
6. Passwords stored offline in secure physical locations, not in password managers
**Best practices:**
- Create 2 break-glass accounts for redundancy
- Use names that don't identify them as emergency accounts
- Monitor sign-ins and alert on any use
- Test accounts quarterly to verify they work
- Document the access procedure and train appropriate staff
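The following script is an added example (not code from this page or from TrueConfig) showing how the configuration requirements above and the "monitor sign-ins" best practice can be checked from the tenant side with the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph` module is installed, that the caller can consent to the read-only scopes requested, and that the two UPNs are replaced with the tenant's real break-glass accounts (the `contoso` names are placeholders). The PIM check relies on the assumption that a role assignment schedule instance of type `Assigned` with no end date represents a permanent assignment, while `Activated` represents a just-in-time PIM activation.

```powershell
# Added example, not part of the original page: audit break-glass accounts in Microsoft 365.
# Requires the Microsoft.Graph PowerShell SDK. All scopes requested are read-only.

$BreakGlassUpns = @(
    'bg-account-1@contoso.onmicrosoft.com',   # placeholder, replace with your first break-glass UPN
    'bg-account-2@contoso.onmicrosoft.com'    # placeholder, replace with your second break-glass UPN
)

Connect-MgGraph -Scopes 'User.Read.All','Policy.Read.All','RoleManagement.Read.Directory','AuditLog.Read.All' -NoWelcome

# Global Administrator role template ID; this value is the same in every tenant.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole      = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
$gaMemberIds = @()
if ($gaRole) {
    $gaMemberIds = @((Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id)
}

$policies = Get-MgIdentityConditionalAccessPolicy -All

$findings = foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled -ErrorAction SilentlyContinue
    if (-not $user) {
        [pscustomobject]@{ Account = $upn; Check = 'Exists'; Pass = $false; Detail = 'User not found' }
        continue
    }

    # Requirement 1: cloud-only. A synced account would be unusable if the on-premises side fails.
    [pscustomobject]@{ Account = $upn; Check = 'CloudOnly'; Pass = (-not $user.OnPremisesSyncEnabled)
                       Detail = "OnPremisesSyncEnabled=$($user.OnPremisesSyncEnabled)" }

    # Requirement 2a: the account must currently be an active member of Global Administrator.
    [pscustomobject]@{ Account = $upn; Check = 'GlobalAdmin'; Pass = ($gaMemberIds -contains $user.Id)
                       Detail = 'Active member of the Global Administrator role' }

    # Requirement 2b: the assignment must be permanent, not a PIM activation (assumption: see lead-in).
    $instances = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$GlobalAdminTemplateId'" `
        -ErrorAction SilentlyContinue
    $permanent = @($instances | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }).Count -gt 0
    [pscustomobject]@{ Account = $upn; Check = 'PermanentAssignment'; Pass = $permanent
                       Detail = "Assignment types: $((@($instances) | ForEach-Object { $_.AssignmentType }) -join ',')" }

    # Requirement 3: excluded from every enabled Conditional Access policy.
    # Limitation: an exclusion granted through a group (ExcludeGroups) is not resolved here,
    # so a policy that excludes the account only via a group is reported as a failure.
    $notExcluded = $policies | Where-Object {
        $_.State -eq 'enabled' -and ($_.Conditions.Users.ExcludeUsers -notcontains $user.Id)
    }
    [pscustomobject]@{ Account = $upn; Check = 'CAExcluded'; Pass = (@($notExcluded).Count -eq 0)
                       Detail = 'Not excluded from: ' + ((@($notExcluded).DisplayName) -join '; ') }

    # Best practice: every sign-in by a break-glass account must match a documented test or emergency.
    # The check "fails" whenever any sign-in exists so that a reviewer confirms each one.
    # Sign-in log access requires a Microsoft Entra ID P1 or P2 licence.
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)'" -Top 10 -ErrorAction SilentlyContinue
    [pscustomobject]@{ Account = $upn; Check = 'RecentSignIns'; Pass = (@($signIns).Count -eq 0)
                       Detail = ((@($signIns) | ForEach-Object { "$($_.CreatedDateTime) $($_.IPAddress) $($_.AppDisplayName)" }) -join '; ') }
}

$findings | Format-Table Account, Check, Pass, Detail -AutoSize
```

Run it during the quarterly test of the accounts: the `RecentSignIns` rows should then show only the test sign-ins, and every other row should read `Pass = True`. Because the Conditional Access check only inspects direct user exclusions, tenants that exclude break-glass accounts through a dedicated group should extend the filter to resolve `ExcludeGroups` membership before treating a failure as a misconfiguration.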
TrueConfig control PA-05 helps you configure and monitor break-glass accounts properly.
Want to check your Microsoft 365 configuration?
TrueConfig scans your tenant and provides specific recommendations based on your current configuration.