PA-03 | Critical | Recommended Secure
Configure Emergency Access Accounts
Privileged Access control for Microsoft 365 and Entra ID
Why This Control Matters
Emergency access accounts prevent permanent lockout if MFA systems fail, Conditional Access is misconfigured, or a federation service goes down. Microsoft recommends 2 accounts with FIDO2 keys stored securely offline.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. At least 2 break-glass accounts exist
2. Accounts are excluded from all Conditional Access policies
3. Accounts are enabled and accessible
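
The three criteria above can be checked offline against exported directory data. The following is an added example, not TrueConfig's own code. It assumes that the operator supplies the break-glass account object IDs and that the input follows the Microsoft Graph `user` and `conditionalAccessPolicy` JSON shapes; the sample data and the function names are constructed. "Accessible" cannot be verified from directory data, so only `accountEnabled` is checked.

```python
# Constructed sample data shaped like Microsoft Graph v1.0 `user` and
# `conditionalAccessPolicy` objects. All IDs, UPNs and policy names are made up.
USERS = [
    {"id": "u-bg1", "userPrincipalName": "bg1@contoso.onmicrosoft.com", "accountEnabled": True},
    {"id": "u-bg2", "userPrincipalName": "bg2@contoso.onmicrosoft.com", "accountEnabled": False},
]
GROUP_MEMBERS = {"g-breakglass": {"u-bg1", "u-bg2"}}  # group id -> member user ids
POLICIES = [
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["g-breakglass"]}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-bg1"]}}},
    {"displayName": "Compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]


def is_excluded(policy, user_id, group_members):
    """True if the policy excludes the user directly or through an excluded group."""
    scope = policy["conditions"]["users"]
    if user_id in scope.get("excludeUsers", []):
        return True
    return any(user_id in group_members.get(g, set())
               for g in scope.get("excludeGroups", []))


def evaluate(break_glass_ids, users, policies, group_members):
    """Return (criterion, detail) findings; an empty list means compliant."""
    findings = []
    by_id = {u["id"]: u for u in users}
    # De-duplicate the supplied IDs so one account cannot satisfy the count twice.
    found = [i for i in dict.fromkeys(break_glass_ids) if i in by_id]
    if len(found) < 2:  # criterion 1: at least 2 accounts exist
        findings.append(("count", f"only {len(found)} break-glass account(s) found"))
    for uid in found:
        upn = by_id[uid]["userPrincipalName"]
        if not by_id[uid].get("accountEnabled", False):  # criterion 3: enabled
            findings.append(("enabled", f"{upn} is disabled"))
        for p in policies:  # criterion 2: every policy, whatever its state
            if not is_excluded(p, uid, group_members):
                findings.append(("excluded", f"{upn} not excluded from "
                                 f"'{p['displayName']}' ({p['state']})"))
    return findings


if __name__ == "__main__":
    for criterion, detail in evaluate(["u-bg1", "u-bg2"], USERS, POLICIES, GROUP_MEMBERS):
        print(f"[{criterion}] {detail}")
```

Each finding includes the policy state, so a missing exclusion on a disabled or report-only policy can be triaged separately from one on an enforced policy.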
Enforcement
Default Mode: Advisory. Alerts on deviations but does not make changes.
Auto-Remediation: Available. Creates cloud-only break-glass accounts with Global Admin role, excluded from CA policies.
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.