2
Minimum number of break-glass accounts Microsoft recommends per Entra ID tenant: two so one is always available if the other's credentials are compromised or unavailable
.onmicrosoft.com
Required domain suffix for break-glass accounts: using federated domains makes them unavailable when federation is the problem causing the lockout
0 MFA
Authentication factors registered for break-glass accounts: MFA requirements must not apply to these accounts since an MFA failure may be the reason they are needed
Alert immediately
Required response to any sign-in using a break-glass account: sign-in means either an emergency is occurring or the account has been compromised

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Every organization that deploys Conditional Access policies in Microsoft Entra ID needs break-glass accounts before they enable those policies. The lockout scenario is straightforward: an administrator enables a policy requiring MFA for all global admins, there is a bug in the policy that blocks all admin sign-ins, and now there is no way to disable the policy because every admin is blocked.

Break-glass accounts prevent this by existing outside the policy framework: they are never subject to CA policies, never subject to MFA requirements, and never federated through an IdP that could fail.

Account Configuration

Create two break-glass accounts:

Connect-MgGraph -Scopes "User.ReadWrite.All","RoleManagement.ReadWrite.Directory","Directory.ReadWrite.All"

# Generate strong passwords: 50+ character random strings
$password1 = [System.Web.Security.Membership]::GeneratePassword(64, 16)
$password2 = [System.Web.Security.Membership]::GeneratePassword(64, 16)

# Create account 1
$bg1 = New-MgUser -BodyParameter @{
  DisplayName = "Break Glass 01"
  UserPrincipalName = "breakglass01@yourtenant.onmicrosoft.com"  # Must use .onmicrosoft.com
  AccountEnabled = $true
  PasswordProfile = @{
    Password = $password1
    ForceChangePasswordNextSignIn = $false
  }
  PasswordPolicies = "DisablePasswordExpiration,DisableStrongPassword"
  UsageLocation = "US"  # Required for license assignment if needed
}

# Create account 2
$bg2 = New-MgUser -BodyParameter @{
  DisplayName = "Break Glass 02"
  UserPrincipalName = "breakglass02@yourtenant.onmicrosoft.com"
  AccountEnabled = $true
  PasswordProfile = @{
    Password = $password2
    ForceChangePasswordNextSignIn = $false
  }
  PasswordPolicies = "DisablePasswordExpiration,DisableStrongPassword"
}

# Assign Global Administrator role to both
$gaRole = Get-MgDirectoryRole -Filter "DisplayName eq 'Global Administrator'"
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id \
  -OdataId "https://graph.microsoft.com/v1.0/users/$($bg1.Id)"
New-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id \
  -OdataId "https://graph.microsoft.com/v1.0/users/$($bg2.Id)"

# Record the account IDs for use in Conditional Access exclusions
Write-Host "Break Glass 01 ID: $($bg1.Id)"
Write-Host "Break Glass 02 ID: $($bg2.Id)"

What NOT to do:

  • Do not assign licenses unless required: unlicensed accounts have fewer features to compromise
  • Do not register MFA methods: defeat the purpose
  • Do not add to any federated domain
  • Do not add to regular admin groups that might be included in sync to on-premises AD
  • Do not store credentials in the same password manager as normal admin accounts

Secure Credential Storage

Break-glass credentials must be accessible when all digital systems are potentially compromised or inaccessible.

Physical storage options (in priority order):

  1. Two separate physical safes in two locations: Password 1 in the IT manager's office safe, Password 2 in the CFO's office safe (or any two physically separate locations). Each envelope contains one password: access to both locations is required to compromise both accounts.

  2. Sealed physical envelopes with tamper-evident tape: Store in the safe. Date and initial the seal annually during testing. Any broken seal indicates unauthorized access.

  3. Hardware key escrow: Some organizations use a hardware security module (HSM) or Thales key ceremony approach where multiple key holders must be present to reconstruct the credential.

What NOT to do:

  • Store in LastPass, 1Password, or any cloud-based password manager (may be unavailable or compromised during the incident requiring break-glass access)
  • Store in a digital file on a corporate system (may be encrypted by ransomware or inaccessible during an identity incident)
  • Store both passwords with the same person

Annual rotation and testing:

# Rotate break-glass passwords annually
$newPassword = [System.Web.Security.Membership]::GeneratePassword(64, 16)
Update-MgUser -UserId "breakglass01@yourtenant.onmicrosoft.com" -PasswordProfile @{
  Password = $newPassword
  ForceChangePasswordNextSignIn = $false
}

# After rotation:
# 1. Update the physical envelopes
# 2. Shred the old credential documentation
# 3. Document the rotation in your change management system
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Conditional Access Exclusion and Monitoring

Exclude from all Conditional Access policies:

# Create a group for break-glass exclusions
$bgGroup = New-MgGroup -DisplayName "CA-Exclusion-Emergency-Access" \
  -MailEnabled:$false \
  -SecurityEnabled:$true \
  -MailNickname "CA-Exclusion-Emergency-Access"

# Add break-glass accounts to the group
New-MgGroupMember -GroupId $bgGroup.Id -OdataId "https://graph.microsoft.com/v1.0/users/$($bg1.Id)"
New-MgGroupMember -GroupId $bgGroup.Id -OdataId "https://graph.microsoft.com/v1.0/users/$($bg2.Id)"

# When creating any Conditional Access policy, add this group to Exclude:
# Users > Exclude > Groups: CA-Exclusion-Emergency-Access

Alert on any break-glass sign-in: this is critical:

Any authentication using a break-glass account is either an emergency or a breach. It must generate an immediate alert.

# Microsoft Sentinel: alert on break-glass sign-in
SigninLogs
| where UserPrincipalName in ("breakglass01@yourtenant.onmicrosoft.com", 
                               "breakglass02@yourtenant.onmicrosoft.com")
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, 
          Location, ResultType, ConditionalAccessStatus

# Create alert rule: fire immediately on any row matching this query
# Notification: page the security team, not just email (email may be unavailable during the incident)

Microsoft Entra ID built-in alerts:

Entra ID > Monitoring > Diagnostic Settings > Sign-in Logs
Send to: Log Analytics workspace (for Sentinel alerts)
OR
Entra ID > Protection > Identity Protection > Alerts
Configure alerts for specific user accounts

Annual test procedure:

Test break-glass accounts once per year to verify they work as expected:

  1. Retrieve credentials from physical storage
  2. Sign in to a non-production Azure portal session
  3. Verify Global Admin access is granted
  4. Verify Conditional Access did not block the sign-in
  5. Verify the sign-in alert fired and reached the security team
  6. Rotate credentials after testing (treat the test as credential exposure)
  7. Reseal and store new credentials

Document the test results in your security audit log.

The bottom line

Break-glass accounts are mandatory before enabling any Conditional Access policies that could lock out administrator access. Create two accounts using the .onmicrosoft.com domain (not federated), assign Global Administrator, disable password expiration, register no MFA, and store credentials in separate physical safes. Exclude them from all Conditional Access policies via a dedicated group. Configure immediate alerting on any sign-in: a break-glass sign-in means either an emergency is occurring or the account has been compromised. Test annually, rotate credentials after testing.

Frequently asked questions

What is a break-glass account in Azure AD / Entra ID?

A break-glass account is an emergency administrator account configured to bypass all Conditional Access policies and MFA requirements: providing admin access when normal authentication fails due to misconfigured policies, MFA provider outages, or federated identity failures. Microsoft recommends two per tenant. They must use the .onmicrosoft.com domain, have no MFA registered, have their credentials stored physically (not in cloud password managers), and trigger immediate alerts on any sign-in.

Why do you need break-glass accounts before Conditional Access?

Without break-glass accounts, a misconfigured Conditional Access policy that blocks all admin sign-ins creates a tenant lockout: no administrator can access the portal to fix the policy. Break-glass accounts are excluded from all CA policies so they always work regardless of policy configuration. Before enabling any CA policy that restricts admin access, you must have break-glass accounts in place and verified.

How many break-glass accounts do I need and what are the requirements?

Create two break-glass accounts per tenant as a minimum: if one account's credentials are lost or the account is accidentally locked, the second provides recovery. Requirements for each: use the tenant's .onmicrosoft.com domain (not federated identity — federation failures could lock you out); assign Global Administrator role; exclude from all Conditional Access policies; use a 20+ character random password stored in a physical safe (not a password manager); do not register any MFA methods; assign licenses only if required; and configure an alert to fire within 1 minute on any sign-in or activity from these accounts. Rotate passwords annually and test sign-in on both accounts at least quarterly.

How do I monitor break-glass account usage to detect unauthorized access?

Configure a real-time alert on all break-glass account activity: in Microsoft Sentinel, create an Analytics rule that fires on any sign-in or Azure AD audit event from the break-glass account UPNs; set the alert severity to Critical and the notification to page immediately (PagerDuty, SMS, or phone call). In Microsoft 365 Defender, create an alert policy under 'Alert policies' triggering on sign-in activity for the specific accounts. The alert must be routed out-of-band (not to email that requires Microsoft 365 access, which may be the reason break-glass is being used). Any use of a break-glass account that was not preceded by a documented emergency procedure should be treated as a breach investigation.

What is the difference between a break-glass account and a service account?

A break-glass account is a human emergency administrator account: it is used by a human during an emergency, has a complex password stored offline, and its use triggers immediate security alerts. A service account is used by automated processes (scripts, applications, scheduled tasks) to authenticate to services and APIs — it is used regularly, not exceptionally. Break-glass accounts are intentionally excluded from normal policy controls because emergency use must be possible even when those controls fail. Service accounts should be subject to normal controls (PIM, MFA where technically possible, conditional access). Never use a break-glass account as a service account: the emergency exemptions make it a high-value target if credentials are exposed.

How do I test that break-glass accounts will actually work during an emergency without triggering a false-positive incident response?

Schedule a formal quarterly test window coordinated with the security team so that the break-glass sign-in alert fires but is not escalated as an active incident. Before the test, notify all on-call responders with the test window time, the UPN of the account being tested, and the expected source IP. Retrieve the physical credentials from storage -- this validates both the credentials and the physical access process. Sign in to the Azure portal using the break-glass UPN, verify Global Admin role access is present, and confirm that no Conditional Access policy blocked the sign-in by checking the sign-in log for the session. After the test, rotate the password immediately (treat any credential use as exposure), update the physical envelope, and document the test outcome in your change management system including which team member retrieved the envelope and the sign-in timestamp. If the alert did not fire within two minutes, treat the monitoring gap as a P2 finding and fix the alert rule before the next test.

Sources & references

  1. Microsoft: Manage Emergency Access Accounts in Azure AD
  2. CISA: Identity and Access Management Best Practices Guide
  3. Microsoft: Conditional Access: Emergency Access Accounts

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.