PA-03: Creating and Managing Break-Glass Accounts
Overview
This guide walks you through creating and properly configuring emergency access accounts (also known as "break-glass" accounts). These are highly privileged accounts designed to prevent tenant lockout during emergencies such as MFA service outages, Conditional Access misconfigurations, or when all other admin accounts are compromised.
Why This Matters: Without emergency access accounts, a misconfigured Conditional Access policy or MFA outage could lock all administrators out of the tenant. Recovery in this scenario requires a support case to Microsoft and can take days. Emergency access accounts provide a secure backdoor that bypasses these controls.
TrueConfig can do this for you. PA-03 is auto-remediable. From the control in TrueConfig you can use Fix Now to create cloud-only break-glass accounts with the Global Administrator role, automatically excluded from all Conditional Access policies. Use that one-click path if you want the accounts provisioned quickly, or follow the manual steps below if you prefer to create and store the credentials by hand. Either way, complete the credential-storage, monitoring, and testing steps in this guide, because those cannot be automated.
Prerequisites
| Requirement | Details |
|---|---|
| Role Required | Global Administrator |
| License Required | None (emergency accounts should not be licensed) |
| Access | Microsoft Entra admin center |
| Security | Secure location for credential storage (physical safe, secret management system) |
Time Estimate
45-60 minutes for initial setup of two emergency access accounts
- Account creation and configuration: 20 minutes
- Conditional Access exclusions: 15 minutes
- Documentation and secure storage: 15 minutes
- Verification testing: 10 minutes
Planning Considerations
Before creating emergency access accounts, decide on:
| Decision | Recommendation |
|---|---|
| Number of accounts | Minimum 2 (one primary, one backup) |
| Naming convention | Clearly identifiable but not obvious (e.g., not "admin@..." or "breakglass@...") |
| Password length | Minimum 16 characters, recommend 24+ |
| MFA method | At least one account should use FIDO2 key, one can use phone |
| Storage location | Physical safe in separate locations, or approved secret management |
| Access process | Documented procedure requiring multiple people |
Step-by-Step Instructions
Step 1: Create the First Emergency Access Account
- Navigate to entra.microsoft.com
- Go to Identity > Users > All users
- Click + New user > Create new user
- Configure the account:
| Field | Recommended Value |
|---|---|
| User principal name | emergency.access.1@yourdomain.onmicrosoft.com (use your .onmicrosoft.com domain) |
| Display name | Emergency Access Account 1 |
| Auto-generate password | No - create a strong password |
| Password | 24+ character random password (document securely) |
| Account enabled | Yes |
Critical: Use your .onmicrosoft.com domain, NOT a federated domain. This ensures the account works even if federation services fail.
- Click Next: Properties
- Leave all properties empty (no department, job title, etc.)
- Click Next: Assignments
- Skip group assignments for now
- Click Review + create > Create
Step 2: Assign Global Administrator Role
- Go to Identity > Roles & administrators > Roles
- Click Global Administrator
- Click + Add assignments
- Click Select member(s)
- Search for Emergency Access Account 1
- Select the account and click Select
- Click Next
- Under Assignment type, select Active (permanent)
- Under Permanently assigned, select Yes
- Enter Justification: Emergency access account - permanent assignment required
- Click Assign
Step 3: Configure MFA for Emergency Account
Option A: FIDO2 Security Key (Recommended for at least one account)
- Sign in as the emergency access account in a private browser
- Go to mysignins.microsoft.com > Security info
- Click + Add sign-in method
- Select Security key
- Follow the prompts to register a FIDO2 key
- Store the security key in a secure location (physical safe)
Option B: Phone-based MFA (For backup account)
- Sign in as the emergency access account
- Go to mysignins.microsoft.com > Security info
- Click + Add sign-in method
- Select Phone
- Enter a dedicated phone number (not a personal mobile)
- Verify the phone number
- Document the phone location securely
Important: At least one emergency account should NOT use phone-based MFA, as phone services could be compromised or unavailable.
Step 4: Create the Second Emergency Access Account
Repeat Steps 1-3 with:
- User principal name: emergency.access.2@yourdomain.onmicrosoft.com
- Display name: Emergency Access Account 2
- Different password
- Different MFA method (if the first account uses FIDO2, the second can use phone)
Step 5: Exclude from Conditional Access Policies
This is the most critical step. Emergency accounts must be excluded from ALL Conditional Access policies.
- Go to Protection > Conditional Access > Policies
- For EACH policy:
  a. Click the policy name
  b. Under Users > Exclude
  c. Check Users and groups
  d. Click Select excluded users and groups
  e. Search for and select both emergency access accounts
  f. Click Select
  g. Click Save
Create a dedicated exclusion group (recommended):
- Go to Identity > Groups > All groups
- Click + New group
- Configure:
- Group type: Security
- Group name: Conditional Access - Emergency Access Exclusions
- Group description: Emergency access accounts excluded from all CA policies - DO NOT MODIFY
- Membership type: Assigned
- Add both emergency access accounts as members
- Click Create
Now use this group in CA policy exclusions instead of individual accounts.
Step 6: Disable Security Defaults (If Enabled)
Emergency accounts may be blocked by Security Defaults. If using Conditional Access:
- Go to Identity > Overview > Properties
- Click Manage security defaults
- Verify Security Defaults is Disabled (it should be if you have CA policies)
If Security Defaults is enabled and you need it, note that emergency accounts will still require MFA through Security Defaults - ensure they have MFA configured.
Step 7: Configure Sign-In Monitoring
Set up alerts for emergency account usage:
- Go to Identity > Monitoring & health > Diagnostic settings
- Click + Add diagnostic setting
- Configure:
- Name: Emergency Account Sign-In Alerts
- Logs: Check SignInLogs and AuditLogs
- Destination: Select Log Analytics workspace or other destination
- Click Save
Create an alert rule:
- Go to Azure Portal > Monitor > Alerts
- Click + Create > Alert rule
- Select your Log Analytics workspace as the scope
- Under Condition, create a custom log search:
SigninLogs
| where UserPrincipalName startswith "emergency.access"
| project TimeGenerated, UserPrincipalName, ResultType, IPAddress, Location
- Configure to alert whenever results > 0
- Set up email notifications to security team
- Click Create alert rule
Step 8: Document and Secure Credentials
Create a credential document:
EMERGENCY ACCESS ACCOUNT CREDENTIALS
=====================================
CLASSIFICATION: HIGHLY CONFIDENTIAL
Last Updated: [Date]
Next Review: [Date + 6 months]
ACCOUNT 1
---------
Username: emergency.access.1@yourdomain.onmicrosoft.com
Password: [Stored separately - see safe location A]
MFA Method: FIDO2 Security Key (Serial: XXXXX)
Key Location: [Physical location, e.g., "IT Director's office safe"]
ACCOUNT 2
---------
Username: emergency.access.2@yourdomain.onmicrosoft.com
Password: [Stored separately - see safe location B]
MFA Method: Dedicated phone at [location]
Phone Number: +1-XXX-XXX-XXXX
ACCESS PROCEDURE
----------------
1. Requires authorization from [CIO/CISO/IT Director]
2. Access must be logged in incident management system
3. Credentials retrieved by [designated personnel]
4. All usage must be documented and reported
STORAGE LOCATIONS
-----------------
Credential Set A: [Building/Room/Safe details]
Credential Set B: [Different building/location]
Best Practices for Credential Storage:
- Split credentials across multiple physical locations
- Require two people to retrieve full credentials
- Store in fireproof/waterproof safes
- Consider sealed envelopes with tamper-evident features
- Maintain access log for the safe
Step 9: Test the Emergency Accounts
Critical: Test accounts regularly to ensure they work.
- Open a private/incognito browser window
- Go to portal.azure.com
- Sign in with emergency access account 1
- Complete MFA challenge
- Verify you can access admin functions
- Sign out immediately
- Repeat for emergency access account 2
Document the test:
- Date tested
- Tested by
- Result (success/failure)
- Any issues encountered
Verification Checklist
- Two emergency access accounts created
- Both accounts use the .onmicrosoft.com domain (cloud-only)
- Both accounts have Global Administrator role assigned permanently
- At least one account uses FIDO2 security key for MFA
- Both accounts excluded from ALL Conditional Access policies
- Sign-in monitoring and alerting configured
- Credentials documented and stored securely in multiple locations
- Access procedure documented and approved
- Both accounts tested successfully
- Regular testing schedule established (recommend monthly)
- Credential rotation schedule established (recommend annually)
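The checklist items that live in the directory (cloud-only UPN, account enabled, no licenses, active Global Administrator membership, exclusion-group membership, and exclusion from every Conditional Access policy from Step 5) can be re-checked on the quarterly schedule with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of this guide or of TrueConfig; the two UPNs and the group name are the placeholder values used in Steps 1, 4 and 5, and the Global Administrator role template ID is the well-known Entra value.

```powershell
# Added example: audit break-glass accounts against the verification checklist.
# Assumes Microsoft.Graph is installed and the caller can read policies, users, groups and roles.
Connect-MgGraph -Scopes "Policy.Read.All","User.Read.All","Group.Read.All","RoleManagement.Read.Directory" -NoWelcome

$BreakGlassUpns = @("emergency.access.1@yourdomain.onmicrosoft.com",   # placeholders from Steps 1 and 4
                    "emergency.access.2@yourdomain.onmicrosoft.com")
$ExclusionGroup = "Conditional Access - Emergency Access Exclusions"    # group name from Step 5
$GlobalAdminTpl = "62e90394-69f5-4237-9190-012177145e10"                # Global Administrator role template ID

$findings = @()
$group    = Get-MgGroup -Filter "displayName eq '$ExclusionGroup'"
$gaRole   = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTpl'"
$gaIds    = (Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id   # active (not eligible) members only
$policies = Get-MgIdentityConditionalAccessPolicy -All
$groupMembers = if ($group) { (Get-MgGroupMember -GroupId $group.Id -All).Id } else { @() }

foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses
    if (-not $user.UserPrincipalName.EndsWith(".onmicrosoft.com")) { $findings += "$upn is not on a cloud-only domain" }
    if (-not $user.AccountEnabled)                                  { $findings += "$upn is disabled" }
    if (@($user.AssignedLicenses).Count -gt 0)                      { $findings += "$upn has licenses assigned" }
    if ($gaIds -notcontains $user.Id)                               { $findings += "$upn is not an active Global Administrator" }
    if (-not $group)                                                { $findings += "Exclusion group '$ExclusionGroup' not found" }
    elseif ($groupMembers -notcontains $user.Id)                    { $findings += "$upn is not a member of '$ExclusionGroup'" }

    # Every CA policy (enabled, report-only or disabled) must exclude the account directly or via the group.
    foreach ($p in $policies) {
        $excluded = ($p.Conditions.Users.ExcludeUsers -contains $user.Id) -or
                    ($group -and ($p.Conditions.Users.ExcludeGroups -contains $group.Id))
        if (-not $excluded) { $findings += "Policy '$($p.DisplayName)' [$($p.State)] does not exclude $upn" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "All break-glass checklist items verified" }
```

Any warning line is a checklist failure to fix before the next test in Step 9; newly created policies without the exclusion show up here as "does not exclude".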
Ongoing Maintenance
| Task | Frequency | Owner |
|---|---|---|
| Test emergency account sign-in | Monthly | IT Security |
| Review sign-in logs for usage | Weekly | IT Security |
| Verify CA policy exclusions still in place | Quarterly | IT Security |
| Rotate passwords | Annually | IT Security |
| Review and update documentation | Semi-annually | IT Security |
| Test alert notifications | Quarterly | IT Security |
Troubleshooting
"Emergency account is blocked by Conditional Access"
- Sign in with a different Global Admin account
- Go to Protection > Conditional Access > Policies
- Check each policy's exclusions
- Verify the emergency account or exclusion group is listed
- Check for newly created policies that may not have exclusions
"I forgot the password to the emergency account"
- Sign in with another Global Admin account
- Go to Identity > Users > find the emergency account
- Click Reset password
- Generate a new password
- Update secure storage with new password
- Test the new password
"The FIDO2 key isn't working"
- Try a different USB port
- Ensure the browser supports WebAuthn (Edge, Chrome, Firefox)
- If key is damaged, sign in with the other emergency account
- Go to the affected account's Security info and add a new key
- Securely destroy the old key
"I can't find the emergency account phone"
- Sign in with the other emergency account
- Go to Users > find the affected account > Authentication methods
- Remove the old phone method
- Add a new phone method with a new dedicated number
- Update documentation
"Someone used the emergency account without authorization"
- Immediately check sign-in logs for the account
- Review what actions were taken during the session
- Reset the account password immediately
- Rotate the FIDO2 key if applicable
- Document the incident
- Review access controls for credential storage
Cost Considerations
| Component | Cost Impact |
|---|---|
| Account creation | Free |
| FIDO2 Security Keys | $25-50 per key (recommend 2-4 keys) |
| Dedicated phone | ~$10-20/month for basic service |
| Licensing | Emergency accounts should NOT have licenses assigned (no email, no M365 apps needed) |
| Log Analytics | Minimal cost for sign-in log storage (~$0.10-0.30/month) |
Total Estimated Cost: $50-150 initial hardware + ~$10-30/month ongoing
Related Controls
- PA-01: Limit Global Administrators to 2-4 - Emergency accounts count toward, and help maintain, the 2-4 permanent Global Admin range
- PA-05: Require Phishing-Resistant MFA for Admins - FIDO2 keys for emergency accounts
- PA-06: Require FIDO2 Security Keys for Administrators - Key provisioning for emergency accounts