PA-03: Creating and Managing Break-Glass Accounts

Overview

This guide walks you through creating and properly configuring emergency access accounts (also known as "break-glass" accounts). These are highly privileged accounts designed to prevent tenant lockout during emergencies such as MFA service outages, Conditional Access misconfigurations, or when all other admin accounts are compromised.

Why This Matters: Without emergency access accounts, a misconfigured Conditional Access policy or an MFA outage could lock every administrator out of the tenant. Recovery then depends on a support case with Microsoft and can take days. Emergency access accounts are a deliberate, tightly controlled exception to those controls: they are excluded from the policies that could lock you out, and the storage, monitoring and testing steps in this guide exist to make sure that exception cannot be abused.

TrueConfig can do this for you. PA-03 is auto-remediable. From the control in TrueConfig you can use Fix Now to create cloud-only break-glass accounts with the Global Administrator role, automatically excluded from all Conditional Access policies. Use that one-click path if you want the accounts provisioned quickly, or follow the manual steps below if you prefer to create and store the credentials by hand. Either way, complete the credential-storage, monitoring, and testing steps in this guide, because those cannot be automated.

Prerequisites

Requirement       Details
Role Required     Global Administrator
License Required  None (emergency accounts should not be licensed)
Access            Microsoft Entra admin center
Security          Secure location for credential storage (physical safe, secret management system)

Time Estimate

45-60 minutes for initial setup of two emergency access accounts

  • Account creation and configuration: 20 minutes
  • Conditional Access exclusions: 15 minutes
  • Documentation and secure storage: 15 minutes
  • Verification testing: 10 minutes

Planning Considerations

Before creating emergency access accounts, decide on:

Decision            Recommendation
Number of accounts  Minimum 2 (one primary, one backup)
Naming convention   Clearly identifiable but not obvious (e.g., not "admin@..." or "breakglass@...")
Password length     Minimum 16 characters, recommend 24+, generated randomly rather than chosen by a person
MFA method          At least one account should use a FIDO2 key; the other can use a dedicated phone (the weaker option: SIM swap and carrier outages affect it)
Storage location    Physical safe in separate locations, or approved secret management
Access process      Documented procedure requiring multiple people

Step-by-Step Instructions

Step 1: Create the First Emergency Access Account

  1. Navigate to entra.microsoft.com
  2. Go to Identity > Users > All users
  3. Click + New user > Create new user
  4. Configure the account:
Field                   Recommended Value
User principal name     emergency.access.1@yourdomain.onmicrosoft.com (use your .onmicrosoft.com domain)
Display name            Emergency Access Account 1
Auto-generate password  No - create a strong password
Password                24+ character random password (document securely)
Account enabled         Yes

Critical: Use your .onmicrosoft.com domain, NOT a federated domain. This ensures the account works even if federation services fail. If your tenant enforces password expiration, also set this account's password to never expire (the password policy is only exposed through Graph/PowerShell, not the create-user form); otherwise the account may demand a password change at exactly the moment it is needed.

  5. Click Next: Properties
  6. Leave all properties empty (no department, job title, etc.)
  7. Click Next: Assignments
  8. Skip group assignments for now
  9. Click Review + create > Create

Step 2: Assign Global Administrator Role

  1. Go to Identity > Roles & administrators > Roles
  2. Click Global Administrator
  3. Click + Add assignments
  4. Click Select member(s)
  5. Search for Emergency Access Account 1
  6. Select the account and click Select
  7. Click Next
  8. Under Assignment type, select Active (permanent)
  9. Under Permanently assigned, select Yes
  10. Enter Justification: Emergency access account - permanent assignment required
  11. Click Assign
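Steps 1 and 2 can also be driven from Microsoft Graph PowerShell, which is how you would script this consistently across tenants. The block below is an added example, not code from this guide or from TrueConfig: it creates one cloud-only account with a CSPRNG-generated password, marks the password as never expiring, gives the account a permanent active Global Administrator assignment, and reads the result back before printing the password once. The domain contoso.onmicrosoft.com, the UPN and the display name are placeholders; the Graph scopes are the ones a Global Administrator grants when consenting interactively.

```powershell
# Added example, not code from the original guide or from TrueConfig.
# Assumptions: Microsoft.Graph PowerShell SDK installed, signed in as a Global
# Administrator, and contoso.onmicrosoft.com is the tenant's initial domain.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance

$Upn         = "emergency.access.1@contoso.onmicrosoft.com"   # placeholder; must be .onmicrosoft.com, never a federated domain
$DisplayName = "Emergency Access Account 1"

# 32 characters from a 64-symbol alphabet. 256 % 64 == 0, so reducing each random
# byte modulo 64 introduces no bias; each character carries 6 bits, 192 bits total.
# RandomNumberGenerator is the operating system CSPRNG (works on PS 5.1 and 7).
function New-BreakGlassPassword {
    param([int]$Length = 32)
    $alphabet = [char[]]"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory" -NoWelcome

$Password = New-BreakGlassPassword

# Cloud-only user, enabled, no properties, no licence. DisablePasswordExpiration
# stops a tenant-wide 90-day expiry policy from forcing a change during an outage.
$user = New-MgUser -UserPrincipalName $Upn -DisplayName $DisplayName `
    -MailNickname ($Upn.Split('@')[0]) -AccountEnabled `
    -PasswordPolicies "DisablePasswordExpiration" `
    -PasswordProfile @{ Password = $Password; ForceChangePasswordNextSignIn = $false }

# Look the Global Administrator definition up instead of hard-coding its template ID.
$ga = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Permanent active assignment at tenant scope ("/"): no PIM activation and no
# expiry, because PIM or MFA being down may be exactly the emergency this is for.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $ga.Id -DirectoryScopeId "/" | Out-Null

# Read back the properties that matter and refuse to continue if anything is off.
$check = Get-MgUser -UserId $user.Id -Property Id,UserPrincipalName,AccountEnabled,PasswordPolicies,AssignedLicenses,OnPremisesSyncEnabled
if (-not $check.AccountEnabled -or
    $check.PasswordPolicies -notlike "*DisablePasswordExpiration*" -or
    $check.AssignedLicenses.Count -ne 0 -or
    $check.OnPremisesSyncEnabled) {
    throw "Account $Upn is not in the expected state; fix it before storing credentials."
}

# The password exists only in this session. Print it once for transcription into
# the sealed envelope or vault (Step 8); never write it to a file or a transcript.
Write-Host "Created $($check.UserPrincipalName) (objectId $($check.Id))"
Write-Host "Password (record in secure storage now): $Password"
```

Run it a second time with the emergency.access.2 values for the backup account. Authentication methods are not touched here; register them per Step 3 after the first sign-in.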

Step 3: Configure MFA for Emergency Account

Option A: FIDO2 Security Key (Recommended for at least one account)

Registration only succeeds if the FIDO2 security key method is enabled for these accounts under Protection > Authentication methods > Policies. If an existing Conditional Access policy (for example a compliant-device requirement) blocks this first sign-in, complete Step 5 first and then return here.

  1. Sign in as the emergency access account in a private browser
  2. Go to mysignins.microsoft.com > Security info
  3. Click + Add sign-in method
  4. Select Security key
  5. Follow the prompts to register a FIDO2 key
  6. Store the security key in a secure location (physical safe)

Option B: Phone-based MFA (For backup account)

  1. Sign in as the emergency access account
  2. Go to mysignins.microsoft.com > Security info
  3. Click + Add sign-in method
  4. Select Phone
  5. Enter a dedicated phone number (not a personal mobile)
  6. Verify the phone number
  7. Document the phone location securely

Important: At least one emergency account should NOT use phone-based MFA, as phone services could be compromised or unavailable.

Step 4: Create the Second Emergency Access Account

Repeat Steps 1-3 with:

  • User principal name: emergency.access.2@yourdomain.onmicrosoft.com
  • Display name: Emergency Access Account 2
  • Different password
  • Different MFA method (if first uses FIDO2, second can use phone)

Step 5: Exclude from Conditional Access Policies

This is the most critical step. Emergency accounts must be excluded from ALL Conditional Access policies, including disabled and report-only ones (they may be switched on later without anyone revisiting the exclusions), and from any legacy Microsoft Entra ID Protection user-risk, sign-in-risk and MFA registration policies, which keep their own exclusion lists outside Conditional Access.

  1. Go to Protection > Conditional Access > Policies

  2. For EACH policy:
    a. Click the policy name
    b. Under Users > Exclude
    c. Check Users and groups
    d. Click Select excluded users and groups
    e. Search for and select both emergency access accounts
    f. Click Select
    g. Click Save

Create a dedicated exclusion group (recommended):

  1. Go to Identity > Groups > All groups
  2. Click + New group
  3. Configure:
    • Group type: Security
    • Group name: Conditional Access - Emergency Access Exclusions
    • Group description: Emergency access accounts excluded from all CA policies - DO NOT MODIFY
    • Microsoft Entra roles can be assigned to the group: Yes (this makes the group role-assignable, so only Global Administrators and Privileged Role Administrators can change its membership; the setting can only be chosen at creation)
    • Membership type: Assigned
  4. Add both emergency access accounts as members
  5. Click Create

Now use this group in CA policy exclusions instead of individual accounts. Whoever can edit the group's membership can exempt any account from every CA policy in the tenant, which is why it must be role-assignable rather than an ordinary security group that group owners or Groups Administrators can modify.
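The same outcome, plus the check that the exclusion really is in place on every policy, scripted with Microsoft Graph PowerShell. This is an added example, not code from this guide or from TrueConfig: it creates the exclusion group as role-assignable, adds both accounts, then walks every Conditional Access policy and reports any that does not exclude either the group or both accounts directly. It also serves the quarterly "verify CA policy exclusions" task in the maintenance table. UPNs on contoso.onmicrosoft.com and the mail nickname are placeholders.

```powershell
# Added example, not code from the original guide or from TrueConfig.
# Assumptions: Microsoft.Graph SDK installed, signed in as a Global Administrator,
# placeholder UPNs on contoso.onmicrosoft.com.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns

$BreakGlassUpns = @("emergency.access.1@contoso.onmicrosoft.com",
                    "emergency.access.2@contoso.onmicrosoft.com")
$GroupName = "Conditional Access - Emergency Access Exclusions"

# Group.ReadWrite.All alone cannot create a role-assignable group;
# RoleManagement.ReadWrite.Directory is required as well.
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "Policy.Read.All" -NoWelcome

$accounts = foreach ($u in $BreakGlassUpns) { Get-MgUser -UserId $u -Property Id,UserPrincipalName }

# isAssignableToRole can only be set at creation and turns membership changes into
# a Global Administrator / Privileged Role Administrator operation. An ordinary
# security group would let anyone who can edit its members exempt themselves from
# every Conditional Access policy in the tenant.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName `
        -Description "Emergency access accounts excluded from all CA policies - DO NOT MODIFY" `
        -MailEnabled:$false -MailNickname "ca-emergency-exclusions" `
        -SecurityEnabled -IsAssignableToRole
} elseif (-not $group.IsAssignableToRole) {
    Write-Warning "$GroupName exists but is not role-assignable; recreate it, the flag cannot be added later."
}

$members = @(Get-MgGroupMember -GroupId $group.Id -All | Select-Object -ExpandProperty Id)
foreach ($acct in $accounts) {
    if ($members -notcontains $acct.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $acct.Id
    }
}

# Every policy, whatever its state, must exclude the group or every account directly.
# Disabled and report-only policies are checked deliberately: the day someone flips
# one to "On" is not the day to discover a missing exclusion.
function Find-PolicyWithoutExclusion {
    param([string]$GroupId, [string[]]$AccountIds)
    foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
        $users   = $policy.Conditions.Users
        $byGroup = @($users.ExcludeGroups) -contains $GroupId
        $byUser  = @($AccountIds | Where-Object { @($users.ExcludeUsers) -notcontains $_ }).Count -eq 0
        if (-not ($byGroup -or $byUser)) {
            [pscustomobject]@{ Policy = $policy.DisplayName; State = $policy.State; PolicyId = $policy.Id }
        }
    }
}

$gaps = @(Find-PolicyWithoutExclusion -GroupId $group.Id -AccountIds $accounts.Id)
if ($gaps.Count -eq 0) {
    Write-Host "All Conditional Access policies exclude the break-glass accounts."
} else {
    Write-Warning "$($gaps.Count) policy/policies do not exclude the break-glass accounts:"
    $gaps | Format-Table -AutoSize
}
```

Re-run the audit part after every Conditional Access change and on the quarterly schedule. It only sees Conditional Access policies; legacy Identity Protection risk and MFA registration policies still have to be checked by hand.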

Step 6: Disable Security Defaults (If Enabled)

Security Defaults and Conditional Access are mutually exclusive. Security Defaults applies MFA and its other controls to every account with no per-user exclusions, so the exclusions from Step 5 only protect the emergency accounts when Security Defaults is off and Conditional Access is in use:

  1. Go to Identity > Overview > Properties
  2. Click Manage security defaults
  3. Verify Security Defaults is Disabled (it must be, or the CA policies in Step 5 could not have been created)

If your tenant relies on Security Defaults and has no Conditional Access policies, the emergency accounts cannot be excluded from it: they will be required to register and use MFA like every other account. Complete Step 3 for both accounts and make sure the chosen method is one you can still reach during an outage.

Step 7: Configure Sign-In Monitoring

Every sign-in by an emergency account is, by definition, an event the security team must hear about. Set up alerts for emergency account usage (exporting sign-in logs to Log Analytics requires a Microsoft Entra ID P1 or P2 license):

  1. Go to Identity > Monitoring & health > Diagnostic settings
  2. Click + Add diagnostic setting
  3. Configure:
    • Name: Emergency Account Sign-In Alerts
    • Logs: Check SignInLogs, NonInteractiveUserSignInLogs and AuditLogs (token refreshes by a hijacked session appear only in the non-interactive log)
    • Destination: Select Log Analytics workspace or other destination
  4. Click Save

Create an alert rule:

  5. Go to Azure Portal > Monitor > Alerts
  6. Click + Create > Alert rule
  7. Select your Log Analytics workspace as the scope
  8. Under Condition, create a custom log search. Match the exact UPNs (or, sturdier still, the accounts' object IDs via the UserId column) rather than a prefix, so that a renamed or look-alike account cannot slip past the rule:
SigninLogs
| union AADNonInteractiveUserSignInLogs
| where UserPrincipalName in~ ("emergency.access.1@yourdomain.onmicrosoft.com", "emergency.access.2@yourdomain.onmicrosoft.com")
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, IPAddress, Location, AppDisplayName
  9. Configure to alert whenever results > 0
  10. Set up email notifications to security team
  11. Click Create alert rule

Step 8: Document and Secure Credentials

Create a credential document:

EMERGENCY ACCESS ACCOUNT CREDENTIALS
=====================================
CLASSIFICATION: HIGHLY CONFIDENTIAL
Last Updated: [Date]
Next Review: [Date + 6 months]

ACCOUNT 1
---------
Username: emergency.access.1@yourdomain.onmicrosoft.com
Password: [Stored separately - see safe location A]
MFA Method: FIDO2 Security Key (Serial: XXXXX)
Key Location: [Physical location, e.g., "IT Director's office safe"]

ACCOUNT 2
---------
Username: emergency.access.2@yourdomain.onmicrosoft.com
Password: [Stored separately - see safe location B]
MFA Method: Dedicated phone at [location]
Phone Number: +1-XXX-XXX-XXXX

ACCESS PROCEDURE
----------------
1. Requires authorization from [CIO/CISO/IT Director]
2. Access must be logged in incident management system
3. Credentials retrieved by [designated personnel]
4. All usage must be documented and reported

STORAGE LOCATIONS
-----------------
Credential Set A: [Building/Room/Safe details]
Credential Set B: [Different building/location]

Best Practices for Credential Storage:

  • Split credentials across multiple physical locations
  • Require two people to retrieve full credentials
  • Store in fireproof/waterproof safes
  • Consider sealed envelopes with tamper-evident features
  • Maintain access log for the safe

Step 9: Test the Emergency Accounts

Critical: Test accounts regularly to ensure they work, and use each test to prove that the monitoring from Step 7 works too.

  1. Open a private/incognito browser window
  2. Go to portal.azure.com (or entra.microsoft.com)
  3. Sign in with emergency access account 1
  4. Complete MFA challenge
  5. Verify you can access admin functions (for example, open Identity > Users and confirm the list loads)
  6. Sign out immediately
  7. Repeat for emergency access account 2
  8. Confirm the sign-in alert from Step 7 reached the security team; a successful sign-in that raised no alert is a failed test

Document the test:

  • Date tested
  • Tested by
  • Result (success/failure)
  • Alert received (yes/no, and how long after the sign-in)
  • Any issues encountered

Verification Checklist

  • Two emergency access accounts created
  • Both accounts use .onmicrosoft.com domain (cloud-only)
  • Both accounts have Global Administrator role assigned permanently
  • At least one account uses FIDO2 security key for MFA
  • Both accounts excluded from ALL Conditional Access policies
  • Sign-in monitoring and alerting configured
  • Credentials documented and stored securely in multiple locations
  • Access procedure documented and approved
  • Both accounts tested successfully
  • Regular testing schedule established (recommend monthly)
  • Credential rotation schedule established (recommend annually)

Ongoing Maintenance

Task                                          Frequency       Owner
Test emergency account sign-in                Monthly         IT Security
Review sign-in logs for usage                 Weekly          IT Security
Verify CA policy exclusions still in place    Quarterly       IT Security
Rotate passwords                              Annually        IT Security
Review and update documentation               Semi-annually   IT Security
Test alert notifications                      Quarterly       IT Security

Troubleshooting

"Emergency account is blocked by Conditional Access"

  1. Sign in with a different Global Admin account
  2. Go to Protection > Conditional Access > Policies
  3. Check each policy's exclusions
  4. Verify the emergency account or exclusion group is listed
  5. Check for newly created policies that may not have exclusions

"I forgot the password to the emergency account"

  1. Sign in with another Global Admin account
  2. Go to Identity > Users > find the emergency account
  3. Click Reset password
  4. Generate a new password
  5. Update secure storage with new password
  6. Test the new password

"The FIDO2 key isn't working"

  1. Try a different USB port
  2. Ensure the browser supports WebAuthn (Edge, Chrome, Firefox)
  3. If key is damaged, sign in with the other emergency account
  4. Go to the affected account's Security info and add a new key
  5. Securely destroy the old key

"I can't find the emergency account phone"

  1. Sign in with the other emergency account
  2. Go to Users > find the affected account > Authentication methods
  3. Remove the old phone method
  4. Add a new phone method with a new dedicated number
  5. Update documentation

"Someone used the emergency account without authorization"

  1. Immediately check sign-in logs for the account, interactive and non-interactive
  2. Review what actions were taken during the session: audit logs for new users, role assignments, Conditional Access changes and added authentication methods
  3. Revoke the account's sessions (user page > Revoke sessions) and reset the password immediately; the reset invalidates refresh tokens, but access tokens already issued stay valid until they expire, typically up to an hour
  4. Review the account's registered authentication methods and remove any you did not register; rotate the FIDO2 key if applicable
  5. Document the incident
  6. Review access controls for credential storage
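A first-response script for that scenario, as an added example that is not part of this guide or of TrueConfig. Run from a different Global Administrator account, it pulls the emergency account's interactive sign-ins and every directory change it initiated over the lookback window, revokes its sessions, sets a fresh random password, and lists the registered authentication methods so that anything an intruder added stands out. The UPN on contoso.onmicrosoft.com is a placeholder, and the seven-day window is an assumption.

```powershell
# Added example, not code from the original guide or from TrueConfig.
# Assumptions: Microsoft.Graph SDK installed, run as a *different* Global
# Administrator, placeholder UPN on contoso.onmicrosoft.com.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns

function Invoke-BreakGlassTriage {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [int]$LookbackDays = 7
    )
    $user  = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName
    $since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")

    # 1. Interactive sign-ins: when, from where, which client, and the result
    #    (Status.ErrorCode 0 means success). Non-interactive sign-ins are in the
    #    AADNonInteractiveUserSignInLogs table once Step 7 exports them.
    $signIns = Get-MgAuditLogSignIn -All -Filter "userId eq '$($user.Id)' and createdDateTime ge $since"
    $signInView = $signIns | Select-Object CreatedDateTime, IPAddress, AppDisplayName, ClientAppUsed,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
        @{ n = 'Country';   e = { $_.Location.CountryOrRegion } }

    # 2. Directory changes this identity initiated: role assignments, CA edits,
    #    new users, authentication-method changes. Filtered client-side on initiatedBy.
    $audits = Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since" |
        Where-Object { $_.InitiatedBy.User.Id -eq $user.Id }
    $auditView = $audits | Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'Targets'; e = { ($_.TargetResources | ForEach-Object { $_.UserPrincipalName; $_.DisplayName } | Where-Object { $_ }) -join ', ' } }

    # 3. Containment: revoke refresh tokens and sessions, then set a new random password.
    #    Access tokens already issued stay valid until they expire (normally up to an
    #    hour), so keep watching the sign-in log after this point.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = [Convert]::ToBase64String($bytes)    # 32 characters, 192 bits of entropy
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $false }

    # 4. Persistence check: every registered authentication method. Anything you did
    #    not register yourself (an extra phone, an unknown FIDO2 key) must be removed.
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' }

    [pscustomobject]@{
        User        = $user.UserPrincipalName
        SignIns     = $signInView
        Changes     = $auditView
        AuthMethods = $methods
        NewPassword = $newPassword   # transcribe into secure storage, then discard this object
    }
}

# Resetting a Global Administrator's password needs Directory.AccessAsUser.All in
# addition to User.ReadWrite.All; the reports need AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "User.ReadWrite.All", "Directory.AccessAsUser.All" -NoWelcome

$triage = Invoke-BreakGlassTriage -Upn "emergency.access.2@contoso.onmicrosoft.com"
$triage.SignIns | Format-Table -AutoSize
$triage.Changes | Format-Table -AutoSize
"Registered methods: $($triage.AuthMethods -join ', ')"
```

The sign-in and audit views are what goes into the incident record; the password reset and session revocation are the containment steps, and the method inventory is where attacker persistence most often hides. Removing a rogue method and rotating the FIDO2 key are still manual actions after the script runs.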

Cost Considerations

Component              Cost Impact
Account creation       Free
FIDO2 Security Keys    $25-50 per key (recommend 2-4 keys)
Dedicated phone        ~$10-20/month for basic service
Licensing              Emergency accounts should NOT have licenses assigned (no email, no M365 apps needed)
Log Analytics          Minimal cost for sign-in log storage (~$0.10-0.30/month)

Total Estimated Cost: $50-150 initial hardware + ~$10-30/month ongoing

Related Controls

Additional Resources