Expert Answer

What is a break-glass account in Microsoft 365?

Quick Answer

A break-glass (or emergency access) account is a highly privileged account used only during emergencies when normal admin accounts are unavailable. It should be excluded from Conditional Access and use a long, complex password stored securely offline.

Detailed Explanation

A break-glass account (also called an emergency access account) is a special Global Admin account designed for use only when all other administrative access fails. Microsoft recommends maintaining two break-glass accounts per tenant.

Purpose:

  • Restore access when regular admin accounts are locked out
  • Bypass MFA failures or Conditional Access misconfigurations
  • Recover from catastrophic authentication provider failures
  • Access the tenant during widespread identity system outages

Configuration requirements:

  1. Cloud-only accounts: no federation or on-premises sync
  2. Permanent Global Admin: not using PIM time-limited activation
  3. Excluded from all Conditional Access policies
  4. No MFA, or hardware-based MFA with keys stored separately
  5. Long, complex passwords (at least 32 characters) generated randomly
  6. Passwords stored offline in secure physical locations (not password managers)

Best practices:

  • Create 2 break-glass accounts for redundancy
  • Use names that don't identify them as emergency accounts
  • Monitor sign-ins and alert on any use
  • Test the accounts quarterly to verify they work
  • Document the access procedure and train appropriate staff

TrueConfig control PA-05 helps you configure and monitor break-glass accounts properly.


Want to check your Microsoft 365 configuration?

TrueConfig scans your tenant and provides specific recommendations based on your current configuration.