PA-03: Configure Emergency Access Accounts
Frequently asked questions about implementing and managing the PA-03 security control in Microsoft 365 and Entra ID.
Q: What is PA-03 (Configure Emergency Access Accounts)?
PA-03 is a security control for emergency access accounts, which prevent permanent lockout if MFA systems fail, Conditional Access is misconfigured, or a federation service goes down. Microsoft recommends 2 accounts with FIDO2 keys stored securely offline. The control requires that at least 2 break-glass accounts exist, that the accounts are excluded from all Conditional Access policies, and that the accounts are enabled and accessible.
Q: Why is Configure Emergency Access Accounts important for Microsoft 365 security?
Emergency access accounts prevent permanent lockout if MFA systems fail, Conditional Access is misconfigured, or a federation service goes down. Microsoft recommends 2 accounts with FIDO2 keys stored securely offline.
Q: How do I implement PA-03 in my tenant?
TrueConfig provides one-click remediation for PA-03. It creates cloud-only break-glass accounts with the Global Admin role that are excluded from CA policies.
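The requirements above (at least 2 accounts, enabled, cloud-only, excluded from all Conditional Access policies) can be checked offline against exported tenant data. The following is an added example, not TrueConfig's code: the function names, account IDs, tenant name and sample records are constructed, and the field names assume the Microsoft Graph `user` and `conditionalAccessPolicy` resource shapes.

```python
# Added example: offline PA-03 check. All sample data below is constructed.
# Field names follow the Microsoft Graph user / conditionalAccessPolicy resources.

def is_excluded(policy, user_id, group_ids):
    """True if the policy excludes the user directly or through a group."""
    cond = policy.get("conditions", {}).get("users", {})
    return (user_id in cond.get("excludeUsers", [])
            or bool(set(group_ids) & set(cond.get("excludeGroups", []))))

def audit_pa03(break_glass_ids, users, policies, memberships):
    """Return findings; an empty list means every PA-03 requirement holds."""
    findings = []
    by_id = {u["id"]: u for u in users}
    if len(break_glass_ids) < 2:
        findings.append(f"{len(break_glass_ids)} break-glass account(s) designated, need at least 2")
    for uid in break_glass_ids:
        user = by_id.get(uid)
        if user is None:
            findings.append(f"{uid}: account not found in tenant export")
            continue
        upn = user["userPrincipalName"]
        if not user.get("accountEnabled"):
            findings.append(f"{upn}: account is disabled")
        if user.get("onPremisesSyncEnabled"):
            findings.append(f"{upn}: synced from on-premises, not cloud-only")
        # The control says "all" policies, so report-only and disabled ones count too.
        for pol in policies:
            if not is_excluded(pol, uid, memberships.get(uid, [])):
                findings.append(f"{upn}: not excluded from '{pol['displayName']}' ({pol['state']})")
    return findings

# Constructed sample: bg2 is excluded from the first policy only via group membership.
SAMPLE_USERS = [
    {"id": "u-bg1", "userPrincipalName": "bg1@contoso.onmicrosoft.com", "accountEnabled": True},
    {"id": "u-bg2", "userPrincipalName": "bg2@contoso.onmicrosoft.com", "accountEnabled": True},
]
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"excludeUsers": ["u-bg1"], "excludeGroups": ["g-breakglass"]}}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"excludeUsers": ["u-bg1"], "excludeGroups": []}}},
]
SAMPLE_MEMBERSHIPS = {"u-bg2": ["g-breakglass"]}

if __name__ == "__main__":
    for finding in audit_pa03(["u-bg1", "u-bg2"], SAMPLE_USERS, SAMPLE_POLICIES, SAMPLE_MEMBERSHIPS):
        print(finding)
```

On the sample data the only finding is that bg2 is missing from the report-only policy's exclusions, a gap that would take effect when that policy is switched to enforced.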
Q: What license do I need for PA-03?
This control can be implemented with any Microsoft 365 subscription, including free Azure AD.
Q: Which security baseline includes PA-03?
PA-03 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.
Q: Why is PA-03 marked as critical severity?
PA-03 is rated critical because failure to implement this control significantly increases the risk of security incidents. Emergency access accounts prevent permanent lockout if MFA systems fail, Conditional Access is misconfigured, or a federation service goes down. Microsoft recommends 2 accounts with FIDO2 keys stored securely offline.