Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Break glass accounts exist for moments like this
“My entire Microsoft 365 organisation is down. I can’t even log in as the admin.”
This was the cry for help from a sysadmin whose tenant became completely inaccessible due to a misconfigured MFA policy. Microsoft Teams? Down. SharePoint? Inaccessible. Admin centre? Locked out. Even the global admin account was stuck in an MFA loop.
The root cause? A Conditional Access policy that required Microsoft Authenticator before the admin accounts had registered it, leaving every admin, including the global admin, unable to satisfy the policy. The result: total lockout.
The worst part? It is easily avoidable.
This article will explain what happened, why it’s becoming more common, and how to protect your organisation using Microsoft’s own recommended best practice: break glass accounts.
What Are Break-Glass Accounts?
Break glass accounts are emergency access accounts that permanently hold the Global Administrator role. They are deliberately kept out of the MFA and Conditional Access controls that govern everyone else (the setup steps below cover exactly how), so that they still work when those controls misfire.
Their purpose is to ensure that if your main admin accounts are ever locked out because of an MFA misconfiguration, a Conditional Access policy failure or a security enforcement bug, you still have a way back in.
Without them, your only recovery path is through Microsoft Support, which can take hours or longer, depending on verification and support availability.
Recent updates (2025)
Microsoft now strongly recommends having at least two emergency access accounts.
Why This Is Happening More Often
Microsoft is pushing MFA harder than ever. From October 2024, Microsoft began enforcing MFA for sign-in to the Azure portal and the Microsoft Entra and Intune admin centres, so any admin account without strong authentication registered is blocked from those portals.
Admins unaware of these changes, or who apply Conditional Access too aggressively, are accidentally locking themselves and their users out.
How to Set Up a Break Glass Account in Microsoft Entra ID
Follow these steps to create a break-glass account correctly:
Assign the Global Administrator Role
Exclude the Account from Conditional Access Policies
Exclude from MFA
If you’re using Security Defaults: Security Defaults cannot exclude individual accounts. Disable Security Defaults and use Conditional Access instead.
If you’re using Conditional Access: explicitly exclude the break glass account from every policy that requires MFA, and from any other policy that could block it. Because the account then relies on its credential alone, give it a long, randomly generated password stored offline (for example in a safe), or register a FIDO2 security key for it.
Exclude This Account from the User Risk and Sign-In Risk Policies
Do Not Use This Account for Daily Administration
Monitor Account Activity: alert on every sign-in, because any use of this account should be rare and expected
Review and Test Periodically
Restrict Login to a Trusted Location (optional): if you do this, use a dedicated policy that targets only the break glass account, and leave the second account unrestricted so that a network change cannot lock both of them out
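The steps above, carried out with the Microsoft Graph PowerShell SDK. This is an added example and not a script from the original article; the tenant domain contoso.onmicrosoft.com, the account name breakglass01 and the display name are assumptions, and the caller is assumed to already hold the rights to create users, assign roles, edit Conditional Access policies and read sign-in logs. It creates the account with a long random password, assigns Global Administrator permanently, excludes the account from every Conditional Access policy, then provides two checks to run on a schedule: which enabled policies still lack the exclusion, and which sign-ins the account has made.

```powershell
# Added example (not from the original article). Requires PowerShell 7 and
# Install-Module Microsoft.Graph. Names below are assumptions for illustration.
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Reports

$Upn = 'breakglass01@contoso.onmicrosoft.com'   # assumption: your own .onmicrosoft.com domain
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'  # fixed template id of Global Administrator

Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All'

# 1. Create a cloud-only account (no federated domain, no on-premises dependency)
#    with a 64-character random password that never expires.
$password = [Convert]::ToBase64String([System.Security.Cryptography.RandomNumberGenerator]::GetBytes(48))
$user = New-MgUser -DisplayName 'Emergency Access 01' -UserPrincipalName $Upn -MailNickname 'breakglass01' `
    -AccountEnabled -PasswordPolicies 'DisablePasswordExpiration' `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
Write-Host "Record this password offline now, then clear it: $password"
Remove-Variable password

# 2. Permanent Global Administrator assignment. A PIM-eligible assignment would need an
#    activation step that can itself be blocked during the outage you are planning for.
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $GlobalAdminRoleId -DirectoryScopeId '/' | Out-Null

# 3. Exclude the account from every Conditional Access policy. PATCH replaces the whole
#    'users' object, so the existing include/exclude lists are copied back alongside the
#    new exclusion. (If a policy also targets guests via includeGuestsOrExternalUsers,
#    carry that field over as well.) Risk policies that have been migrated to Conditional
#    Access are covered here; the legacy Identity Protection user-risk and sign-in-risk
#    policies are not CA policies and must be excluded in the Entra admin centre.
function Add-BreakGlassExclusion {
    param([Parameter(Mandatory)][string]$UserId)
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $u = $p.Conditions.Users
        if ($u.ExcludeUsers -contains $UserId) { continue }
        $users = @{
            includeUsers  = @($u.IncludeUsers  | Where-Object { $_ })
            excludeUsers  = @($u.ExcludeUsers  | Where-Object { $_ }) + $UserId
            includeGroups = @($u.IncludeGroups | Where-Object { $_ })
            excludeGroups = @($u.ExcludeGroups | Where-Object { $_ })
            includeRoles  = @($u.IncludeRoles  | Where-Object { $_ })
            excludeRoles  = @($u.ExcludeRoles  | Where-Object { $_ })
        }
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id `
            -BodyParameter @{ conditions = @{ users = $users } }
        Write-Host "Excluded $UserId from policy '$($p.DisplayName)'"
    }
}

# 4. Check: enabled (or report-only) policies that still do not exclude the account.
#    A policy created later without the exclusion silently reintroduces the lockout risk,
#    so run this regularly; the expected output is nothing.
function Get-PolicyMissingExclusion {
    param([Parameter(Mandatory)][string]$UserId)
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.State -ne 'disabled' -and $_.Conditions.Users.ExcludeUsers -notcontains $UserId } |
        Select-Object DisplayName, Id, State
}

# 5. Monitor: every sign-in by the break glass account is an event to alert on.
function Get-BreakGlassSignIn {
    param([Parameter(Mandatory)][string]$UserId, [int]$Days = 30)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -All -Filter "userId eq '$UserId' and createdDateTime ge $since" |
        Select-Object CreatedDateTime, UserPrincipalName, IPAddress, AppDisplayName,
            @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } } }
}

Add-BreakGlassExclusion    -UserId $user.Id
Get-PolicyMissingExclusion -UserId $user.Id   # expect no rows
Get-BreakGlassSignIn       -UserId $user.Id   # expect no rows until a drill or a real emergency
```

Run the script once per break glass account (Microsoft recommends two), and put Get-PolicyMissingExclusion and Get-BreakGlassSignIn on a schedule. Note that the account is excluded from MFA, so the password printed in step 1 is the only thing standing between an attacker and Global Administrator: store it offline, split it between custodians if your process allows, and treat any row from Get-BreakGlassSignIn that does not match a planned test as an incident.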
Lockouts like the one described on Reddit are becoming more common. As Microsoft tightens identity protection, admin access must be managed carefully.
Having at least two break glass accounts, properly excluded from Conditional Access and MFA, is a simple, effective safeguard.
Security is about more than blocking threats; it is also about ensuring availability. In Microsoft 365, a locked tenant helps no one.
Take action now. Set up your break glass accounts before you need them.