Break Glass Account

security

Emergency access accounts that bypass normal security controls to prevent lockout during system failures or misconfigurations.

What is Break Glass Account?

Break glass accounts (also called emergency access accounts) provide a safety net when normal authentication mechanisms fail: an MFA outage, a Conditional Access misconfiguration, or a federation service failure. These accounts are excluded from CA policies and use long, complex passwords, with FIDO2 keys stored securely offline. Their use should be extremely rare and heavily monitored.

In Microsoft 365

Microsoft recommends at least 2 cloud-only break glass accounts with Global Administrator role. They should be excluded from all Conditional Access policies, have no MFA (or FIDO2 only), and trigger alerts on any sign-in activity. Credentials should be stored in a safe accessible to multiple authorized personnel.
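The two operational requirements above (every Conditional Access policy must exclude the break glass accounts, and any sign-in by them must raise an alert) can be checked mechanically. The following is an added example written for this entry, not TrueConfig's own code: it audits a list of CA policies and sign-in records shaped like a Microsoft Graph export (`conditions.users.excludeUsers` holding user object IDs, sign-in records carrying `userId`, `createdDateTime`, `ipAddress` and `status.errorCode`). The field layout, the account IDs and UPNs, and the sample records are all constructed assumptions for the example.

```python
"""Audit helpers for break glass accounts (added example, not TrueConfig code).

Assumed input shape: lists of dicts that mirror Microsoft Graph's
conditionalAccessPolicy and signIn resources. Sample data below is constructed.
"""

# Object ID -> UPN of the break glass accounts (constructed sample values).
BREAK_GLASS = {
    "11111111-1111-1111-1111-111111111111": "bg-admin-01@contoso.example",
    "22222222-2222-2222-2222-222222222222": "bg-admin-02@contoso.example",
}

# Constructed CA policy export: one compliant, one missing an exclusion,
# one report-only (cannot lock anyone out, so it is not flagged).
CA_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": list(BREAK_GLASS)}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["11111111-1111-1111-1111-111111111111"]}}},
    {"displayName": "Require compliant device",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
]

# Constructed sign-in records: a successful break glass sign-in, a normal user,
# and a failed attempt against the second break glass account.
SIGNINS = [
    {"createdDateTime": "2024-05-01T02:14:07Z", "ipAddress": "198.51.100.7",
     "userId": "11111111-1111-1111-1111-111111111111",
     "userPrincipalName": "bg-admin-01@contoso.example", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:30:00Z", "ipAddress": "203.0.113.9",
     "userId": "33333333-3333-3333-3333-333333333333",
     "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T09:02:41Z", "ipAddress": "198.51.100.44",
     "userId": "22222222-2222-2222-2222-222222222222",
     "userPrincipalName": "bg-admin-02@contoso.example", "status": {"errorCode": 50126}},
]


def policies_missing_exclusion(policies, break_glass_ids):
    """Return {policy name: [missing IDs]} for every enforced policy that does
    not exclude all break glass accounts. Report-only and disabled policies are
    skipped because they cannot cause a lockout."""
    findings = {}
    for policy in policies:
        if policy.get("state") != "enabled":
            continue
        users = policy.get("conditions", {}).get("users", {})
        excluded = set(users.get("excludeUsers", []))
        missing = sorted(set(break_glass_ids) - excluded)
        if missing:
            findings[policy["displayName"]] = missing
    return findings


def break_glass_signins(signins, break_glass):
    """Return an alert record for every sign-in attempt by a break glass
    account. Failed attempts are included: they may indicate someone probing
    the account rather than a legitimate emergency."""
    alerts = []
    for record in signins:
        user_id = record.get("userId")
        if user_id not in break_glass:
            continue
        alerts.append({
            "time": record["createdDateTime"],
            "upn": break_glass[user_id],
            "ip": record.get("ipAddress"),
            "success": record.get("status", {}).get("errorCode", 0) == 0,
        })
    return alerts


if __name__ == "__main__":
    for name, missing in policies_missing_exclusion(CA_POLICIES, BREAK_GLASS).items():
        print(f"POLICY GAP: '{name}' does not exclude {missing}")
    for alert in break_glass_signins(SIGNINS, BREAK_GLASS):
        outcome = "SUCCESS" if alert["success"] else "FAILED"
        print(f"ALERT: {outcome} sign-in by {alert['upn']} from {alert['ip']} at {alert['time']}")
```

Run against a real tenant, the two lists would come from the Graph endpoints for Conditional Access policies and sign-in logs; the policy gap check belongs in a scheduled configuration review, while the sign-in check is the kind of rule that should page someone immediately, since a break glass sign-in outside a declared emergency is itself an incident.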

Examples

  1. Cloud-only account with 64-character random password
  2. Account excluded from all CA policies
  3. FIDO2 keys stored in fire safe

Related TrueConfig Controls

These controls help implement and verify break glass accounts in your Microsoft 365 environment.

Frequently Asked Questions

What is Break Glass Account?
Emergency access accounts that bypass normal security controls to prevent lockout during system failures or misconfigurations.
How does Break Glass Account work in Microsoft 365?
Microsoft recommends at least 2 cloud-only break glass accounts with Global Administrator role. They should be excluded from all Conditional Access policies, have no MFA (or FIDO2 only), and trigger alerts on any sign-in activity. Credentials should be stored in a safe accessible to multiple authorized personnel.
What are examples of Break Glass Account?
Examples of Break Glass Account include: Cloud-only account with 64-character random password, Account excluded from all CA policies, FIDO2 keys stored in fire safe.
Which TrueConfig controls relate to Break Glass Account?
TrueConfig controls related to Break Glass Account include: PA-03. These controls help implement and verify break glass accounts in your environment.

Related Terms