How to Fix: Configure Emergency Access Accounts
Step-by-step guide to configuring emergency access accounts in your Microsoft 365 environment.
Estimated Time: 5-10 minutes
Steps: 4
Severity: critical
Baseline Level: Recommended Secure
Why This Matters
Emergency access accounts prevent permanent lockout if MFA systems fail, Conditional Access is misconfigured, or a federation service goes down. Microsoft recommends 2 accounts with FIDO2 keys stored securely offline.
Prerequisites
- Global Administrator or appropriate admin role in Microsoft Entra ID
- Access to Microsoft Entra admin center (entra.microsoft.com)
- Privileged Role Administrator role
Expected Configuration
- At least 2 break-glass accounts exist
- Accounts are excluded from all Conditional Access policies
- Accounts are enabled and accessible
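The three expected-configuration items above can be checked offline against exported Microsoft Graph user and conditionalAccessPolicy objects. The Python below is an added example, not TrueConfig's or Microsoft's code; the function name, account names, IDs and policies are constructed for illustration, and group membership is assumed to be supplied by the caller.

```python
# Added example. Sample objects are constructed; field names follow the
# Microsoft Graph user and conditionalAccessPolicy resources.

def audit_break_glass(accounts, policies, member_of=None):
    """Return findings; an empty list means all three expected items hold.

    accounts:  Graph user objects for the designated break-glass accounts
    policies:  Graph conditionalAccessPolicy objects (every state is checked)
    member_of: {user id: set of group ids}, used for group-based exclusions
    """
    member_of = member_of or {}
    findings = []
    if len(accounts) < 2:
        findings.append(f"only {len(accounts)} break-glass account(s), expected at least 2")
    for acct in accounts:
        upn = acct["userPrincipalName"]
        if not acct.get("accountEnabled", False):
            findings.append(f"{upn}: account is disabled")
        groups = member_of.get(acct["id"], set())
        for pol in policies:
            users = pol["conditions"]["users"]
            excluded = (acct["id"] in users.get("excludeUsers", [])
                        or bool(groups & set(users.get("excludeGroups", []))))
            if not excluded:
                findings.append(f"{upn}: not excluded from '{pol['displayName']}' ({pol['state']})")
    return findings

def _policy(name, state, exclude_users, exclude_groups):
    # Builds a constructed policy in the Graph conditionalAccessPolicy shape.
    return {"displayName": name, "state": state, "conditions": {"users": {
        "includeUsers": ["All"], "excludeUsers": exclude_users, "excludeGroups": exclude_groups}}}

SAMPLE_ACCOUNTS = [  # constructed
    {"id": "u-bg1", "userPrincipalName": "breakglass1@contoso.example", "accountEnabled": True},
    {"id": "u-bg2", "userPrincipalName": "breakglass2@contoso.example", "accountEnabled": False},
]
SAMPLE_POLICIES = [  # constructed
    _policy("Require MFA for admins", "enabled", ["u-bg1"], ["g-bg"]),
    _policy("Block legacy auth", "enabled", [], ["g-bg"]),
    _policy("Require compliant device", "enabledForReportingButNotEnforced", ["u-bg1"], []),
]
SAMPLE_MEMBER_OF = {"u-bg1": {"g-bg"}}  # u-bg2 was never added to the exclusion group

if __name__ == "__main__":
    for finding in audit_break_glass(SAMPLE_ACCOUNTS, SAMPLE_POLICIES, SAMPLE_MEMBER_OF):
        print(finding)
```

Report-only and disabled policies are reported too, with their state in the finding, because the expected configuration calls for exclusion from all policies.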
Remediation Steps
Review Current State
Assess your current privileged access configuration in Entra ID.
- Navigate to Microsoft Entra admin center
- Go to Identity > Roles and administrators
- Review current role assignments
Plan Changes
Determine what changes need to be made to meet the expected configuration.
- Identify users with excessive privileges
- Document required role assignments
- Plan implementation timeline
Implement Configuration
Apply the necessary changes to your Entra ID environment.
- Configure PIM if applicable
- Update role assignments
- Set appropriate access reviews
Verify and Test
Confirm the changes are working as expected.
- Run a TrueConfig scan to verify compliance
- Test user access with affected accounts
- Document the changes made
Auto-Remediation Available
TrueConfig can automatically fix this control for you. Enable auto-remediation to have this configuration applied and maintained automatically.