Entra ID Break-Glass Accounts: How to Create and Protect Emergency Access Accounts for Tenant Lockout Recovery

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The irony of Conditional Access security is that a well-enforced policy can lock out all administrators if it is misconfigured. A policy that requires compliant device + MFA for all users including admins, applied without exclusions before testing, can leave an organization with no way to access Entra ID admin tools until the policy times out or expires. Break-glass accounts are the recovery mechanism for this scenario. They are not a shortcut or a convenience -- they are an emergency tool with specific security requirements that must be met before they are needed.
Create Two Cloud-Only Break-Glass Accounts
Break-glass accounts must be cloud-only (not synced from on-premises AD). If Entra Connect is down or the on-premises AD is compromised, cloud-only accounts are still accessible. Create them in the Entra admin center: Users > New User > select 'Create user' (not 'Invite user'). Use a naming convention that identifies them clearly: breakglass1@yourtenant.onmicrosoft.com. Important: use the onmicrosoft.com domain, not a custom domain -- if custom domain DNS configuration breaks, onmicrosoft.com accounts are still accessible. Do not assign any licenses (break-glass accounts should not be mailboxes or have any service access other than Entra ID admin). Assign the Global Administrator role permanently (not via PIM -- break-glass accounts must be usable when PIM infrastructure itself is the problem). Create two accounts, not one: if one account's credentials are lost, stolen, or corrupted, the second provides a recovery path.
Configure Credentials: FIDO2 Key or Long Password
Break-glass account credentials have two options: Option 1 (preferred for modern tenants): register a FIDO2 security key (YubiKey or similar) as the only authentication method for the break-glass account. The security key serves as both the password and the MFA factor -- authentication is phishing-resistant and requires physical possession of the key. Store the key in a physical safe or vault. Option 2 (for environments without FIDO2 infrastructure): generate a password of at least 64 characters using a cryptographically secure random string generator. Do not store the password in any password manager, Active Directory, or any system connected to the network. Print the password or write it on paper and store in a physical safe with access logging. Two copies in two different physical locations is recommended. For either option: the credential must be accessible without network access to the main corporate environment (the scenario for break-glass is that normal access methods are unavailable), must be tested annually to verify it works, and must be controlled with the same physical access protocols as physical server keys.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Exclude Break-Glass Accounts from All Conditional Access Policies
Break-glass accounts must be excluded from all Conditional Access policies, particularly: MFA requirement policies, compliant device requirement policies, legacy authentication block policies, sign-in risk policies, and location-based restriction policies. In each Conditional Access policy, under Assignments > Users > Exclude: add both break-glass accounts explicitly (not via group -- group membership can be modified, accounts should be directly excluded). Create a dedicated Conditional Access Named Location for the break-glass account exclusions if you want to add IP restriction (though in a lockout scenario the IP may be unpredictable -- a location restriction on break-glass accounts can itself cause a lockout, so this is optional). Maintain a documented list of all Conditional Access policies and confirm each one has the break-glass exclusions. After any Conditional Access policy change, verify the break-glass accounts are still excluded.
Alert on Any Sign-In from Break-Glass Accounts
Break-glass account usage should be a P1 security incident -- any sign-in means either a genuine emergency (expected and controlled) or a breach (unexpected and critical). Set up an alert in Microsoft Sentinel: SigninLogs | where UserPrincipalName in ('breakglass1@yourtenant.onmicrosoft.com', 'breakglass2@yourtenant.onmicrosoft.com') | project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType. Alert immediately when this query returns any row. In Defender XDR: create a custom detection rule using Advanced Hunting with the same query. The alert should go to the security team and the CISO via email, SMS, or pager -- channels that do not depend on Microsoft 365 connectivity in case the alert fires during a tenant availability issue. Test the alert annually as part of the break-glass account test procedure.
Annual Testing and Maintenance
Break-glass accounts that have never been tested may not work when needed. Annual test procedure: schedule a low-risk test window. Retrieve the break-glass credentials from physical storage. Sign in to the Entra admin center using the break-glass account. Verify Global Administrator access is active (attempt to create a test user and delete it). Verify no Conditional Access policy is blocking the sign-in. Verify the sign-in alert fires and is received by the security team. Document the test, its outcome, and return the credentials to storage. If the test fails: investigate immediately. Common failure modes: the account's password or FIDO2 key registration expired (some organizations set password expiration on all accounts -- ensure break-glass accounts are excluded from password expiration policies), the break-glass account was accidentally included in a Conditional Access policy that blocks it, or the physical storage location of the credential has changed without updating the procedure documentation. Rotate break-glass account credentials annually after each test.
The bottom line
Break-glass accounts are cheap insurance against the most paralyzing Entra ID failure scenario: a Global Administrator lockout. Create two cloud-only accounts, store credentials in physical security (safe or vault), exclude them from every Conditional Access policy, alert on any sign-in, and test annually. The accounts should be unusable under normal operations -- their only purpose is disaster recovery. The 2 hours it takes to set them up correctly is worth it the first time you need them.
Frequently asked questions
What is the difference between a break-glass account and a regular Global Admin account?
A regular Global Admin account is used for day-to-day administration (or via PIM elevation for specific tasks). It is subject to Conditional Access policies including MFA, device compliance, and sign-in risk. A break-glass account bypasses all Conditional Access policies, has permanent Global Admin role (no PIM), uses credentials stored offline and never connected to the corporate network, and should never be used for routine administration. If you find yourself considering using a break-glass account for non-emergency tasks, that is a sign the administrative access model needs improvement.
How many Global Admin accounts should a tenant have?
Microsoft recommends 2 to 4 Global Administrator accounts: 2 break-glass accounts (cloud-only, offline credentials, excluded from Conditional Access), and 1 to 2 operational Global Admin accounts used via PIM for actual administrative tasks. More than 4 to 5 Global Admins is considered excessive -- each additional Global Admin account is a potential path to full tenant compromise. Use more granular admin roles (Exchange Administrator, User Administrator, etc.) for day-to-day tasks rather than granting Global Admin broadly.
What if our break-glass account gets compromised?
A compromised break-glass account is a P1 security incident because the attacker has permanent, unconditional Global Administrator access to your Entra ID tenant -- they can read all user data, add new Global Admins, configure federation for credential harvesting, and disable all security controls. Immediately: sign in with the second break-glass account and revoke all sessions for the first. Reset the compromised account's credentials or disable the account. Investigate how the compromise occurred (physical breach of the credential storage? network compromise of a system where the password was momentarily used?). Review all Entra ID audit logs for actions taken using the compromised account. Notify your incident response team.
Should break-glass accounts be excluded from Entra ID Identity Protection risk policies?
Yes. Identity Protection sign-in risk and user risk policies can block high-risk sign-ins, including those from unusual locations or with leaked credentials. If your break-glass account credentials appear in a breach database (which they might if they were ever stored digitally), Identity Protection might block a sign-in attempt during a lockout scenario -- precisely when you need it. Exclude break-glass accounts from all Identity Protection policies explicitly. Monitor the break-glass accounts in Identity Protection separately: any risk flag on a break-glass account should trigger an immediate credential rotation.
How should break-glass account credentials be stored securely?
Store break-glass credentials in a physical, offline location: a sealed envelope in a locked safe or bank safety deposit box, with access requiring two-person integrity (two people must be present to open). Do not store break-glass passwords in a password manager connected to the corporate network or Entra ID -- if the environment is locked out, that password manager may also be inaccessible. Print the credentials or write them legibly on tamper-evident paper; replace the physical record every time the password is rotated. Document the physical location in your incident response runbook but not the actual credentials. The test for correct storage: if every admin in the organization has their credentials revoked simultaneously, can someone still physically access the break-glass credentials without any corporate system access?
How do I test break-glass accounts without triggering security alerts or causing disruption?
Testing break-glass accounts is required quarterly by most frameworks (NIST SP 800-53 IR-3, CIS Control 17). The test must confirm: the account still exists and is enabled, the password works, the account has Global Administrator access, and MFA (if configured) can be completed with the stored credential. Before testing, notify your SOC or security monitoring team with the exact test window and the UPN of the break-glass account to suppress the inevitable high-severity alert. Use a dedicated test scenario: sign in to the Entra portal (not Microsoft 365 apps) using the break-glass account, verify you can access Entra ID roles and show Global Administrator membership, then sign out immediately. Do not use break-glass accounts for any actual administrative tasks during testing. After sign-out, confirm the sign-in event appears in Entra ID sign-in logs with the expected IP address and timestamp -- this also verifies your monitoring alert is functioning. Rotate the password after every test, update the physical storage record, and document the test date and tester in your incident response runbook.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
