Emergency Access Accounts in Entra ID | Break-Glass Guide

Published 17 March 2026 · 7 min read

Emergency access accounts (break-glass accounts) are a critical safeguard in every Microsoft 365 tenant. If your MFA provider goes down, Conditional Access locks everyone out, or admin accounts are compromised, these accounts let you get back in. Every organisation using Entra ID should have two configured, tested, and stored securely.

Why you need break-glass accounts

Scenarios where break-glass accounts save you:

- Your MFA provider, or the phone network or push service it relies on, is unavailable, so nobody who is required to complete MFA can finish signing in.
- A Conditional Access policy is misconfigured and blocks every admin, including the person who made the change.
- Your normal admin accounts are compromised or locked, and you need a clean account that the attacker does not hold to regain control of the tenant.

⚠️
Do not skip this
Organisations that have not configured break-glass accounts have been locked out of their own tenants. Microsoft support cannot simply hand access back: any recovery path requires proving ownership of the tenant and its domains, can take days, and is not guaranteed to succeed. Two accounts in a safe cost nothing by comparison.

Create the accounts

Create two accounts, each with the configuration described in the next section. They are not tied to a named person and are never used for routine administration, so any sign-in is an exception.

Configure correctly

⚙️
Break-glass account configuration

Domain: @yourtenant.onmicrosoft.com only. The accounts are cloud-only, never synced from on-premises AD and never on a federated domain, so a sync or federation outage cannot block them.
MFA: No method that depends on the normal MFA path (Authenticator app, SMS, voice, or a third-party provider), because the account must work when that provider is the problem. See the FAQ for the case where your tenant enforces MFA on the admin portals.
Password: 30+ character random password, generated once, set to never expire, and stored offline. Change it after every real use.
Role: Global Administrator, permanent active assignment, not PIM eligible. PIM activation may itself require the MFA or approval you are locked out of.

Exclude from CA policies

Every Conditional Access policy that could block a sign-in must exclude the break-glass accounts: MFA, sign-in and user risk, named locations, device compliance, and session controls alike. Put both accounts in a dedicated security group used for nothing else and exclude that group from every policy, including report-only policies, so that a policy being switched on later cannot lock them out. Re-check the exclusions whenever a policy is created or edited; a new policy created without the exclusion is exactly the lockout this guide is about.
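As an added example, not code from the original guide, the script below creates the exclusion group if it does not exist, adds both accounts to it, then lists every Conditional Access policy and flags any enabled or report-only policy that does not exclude the group (or all of its members individually). The group name, UPNs and consent scopes are assumptions for illustration. Run it after every Conditional Access change.

```powershell
# Added example: ensure the break-glass exclusion group exists and every CA policy excludes it.
$groupName  = "CA-Exclude-BreakGlass"                       # placeholder group name
$breakGlass = @("breakglass1@contoso.onmicrosoft.com",       # placeholder UPNs
                "breakglass2@contoso.onmicrosoft.com")

Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All","Policy.Read.All" -NoWelcome

# 1. Create the exclusion group once (security-enabled, not mail-enabled) and add both accounts.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -SecurityEnabled -MailNickname $groupName.ToLower()
}
$memberIds = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { $_.Id })
foreach ($upn in $breakGlass) {
    $user = Get-MgUser -UserId $upn -Property Id
    if ($memberIds -notcontains $user.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
        $memberIds += $user.Id
    }
}

# 2. Audit every policy. A disabled policy cannot lock you out today, but a report-only policy is
#    one click from enabled, so it is audited too. A policy passes if it excludes the group, or if
#    it happens to exclude every member directly.
$report = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($policy.State -eq 'disabled') { continue }
    $users = $policy.Conditions.Users
    $groupExcluded = $users.ExcludeGroups -contains $group.Id
    $usersExcluded = ($memberIds.Count -gt 0) -and
                     (@($memberIds | Where-Object { $users.ExcludeUsers -contains $_ }).Count -eq $memberIds.Count)
    [pscustomobject]@{
        Policy   = $policy.DisplayName
        State    = $policy.State
        Excluded = ($groupExcluded -or $usersExcluded)
    }
}

$report | Sort-Object Excluded, Policy | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.Excluded })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) policy(ies) do not exclude the break-glass accounts: $($missing.Policy -join ', ')"
    exit 1   # non-zero so a pipeline or scheduled task can block the change or page someone
}
```

The script deliberately treats "enabledForReportingButNotEnforced" the same as "enabled": report-only policies are routinely promoted without a second review, and the exclusion is cheapest to fix before that happens.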

Monitor for usage

Set up an alert that fires as soon as either break-glass account signs in, successfully or not. Any sign-in is either a genuine emergency or a compromise, and a failed attempt may be a password spray against an account that should never see one; there is no routine use to filter out. Send the alert to a channel that does not depend on the tenant being healthy, such as SMS or a phone call to the on-call admin, because if you are locked out, Teams and Exchange are probably unreachable too. Sentinel scheduled rules run at most every 5 minutes; use a near-real-time (NRT) rule, which runs roughly once a minute, if you need faster.

// Sentinel KQL - add as an NRT analytics rule or a Scheduled rule at the 5-minute minimum.
// No ResultType filter on purpose: failed attempts against these accounts matter too.
SigninLogs
| where UserPrincipalName in~ ("breakglass1@contoso.onmicrosoft.com", "breakglass2@contoso.onmicrosoft.com")   // in~ is case-insensitive; the logs store UPNs in lower case
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, AppDisplayName, IPAddress, Location, ConditionalAccessStatus, AuthenticationRequirement
// Add the same rule over AADNonInteractiveUserSignInLogs to catch token refreshes that never appear in SigninLogs.

Test regularly

Test break-glass accounts every 90 days, and after any Conditional Access or MFA change: open a private browser window, sign in with the sealed credential, confirm Global Administrator access works (open the Entra admin center and a privileged page such as the roles list), confirm the sign-in appears in the sign-in logs with no Conditional Access policy applied and that it triggered your monitoring alert, sign out immediately, and record the test date and who performed it in your IT documentation. If the password was seen by anyone outside the normal custodians or typed on an unmanaged device, change it and reseal the envelopes.

Frequently Asked Questions

Q: How many break-glass accounts do I need?

Two. Each is a separate cloud-only account with its own permanent Global Administrator assignment and its own credential, ideally held by different people or in different locations, so that one being unavailable (password lost, account compromised and disabled, envelope unreachable) does not take out the other.

Q: Where do I store break-glass credentials?

Store credentials offline in at least two physical locations, for example a sealed, tamper-evident envelope in a safe at each site. Never store them only in a system that itself requires signing in to the Microsoft tenant (a password manager behind Entra SSO, a SharePoint library, a OneNote page): if the tenant is locked, so is the password.

Q: Should break-glass accounts have MFA?

No MFA that goes through the normal path. The point of break-glass accounts is to work when normal authentication, including the MFA provider, is unavailable, so do not register the Authenticator app, a phone number, or a third-party provider on them. One caveat: Microsoft has been rolling out mandatory MFA for sign-in to the Azure portal, Entra admin center and Intune admin center, and that enforcement does not exempt emergency access accounts. Where it is active, a password-only account is prompted to register MFA before it can reach the admin portals. The practical answer is a FIDO2 security key (or certificate-based authentication) registered on the account and stored with the sealed credentials: it satisfies the enforcement without depending on any phone, SMS or third-party service.

Related Guides
-> Enable PIM
-> Conditional Access
-> Why MFA Matters