
Break Glass & Emergency Access Accounts: AZ-500 Essentials

Break glass accounts are your last resort when all normal admin access fails. The AZ-500 exam tests setup, monitoring, and how to exclude them from Conditional Access without creating a security hole.

Microsoft Cloud Solution Architect
Tags: AZ-500, Break Glass, Emergency Access, Entra ID, Conditional Access, Certification

Why Break Glass Accounts Exist

If your Global Administrator accounts are all protected by MFA and your MFA provider goes down, you are locked out of your own tenant. Break glass (emergency access) accounts bypass normal authentication flows: they are the fire extinguisher behind the glass.

Account Setup Requirements

Break glass accounts must be:

  • Cloud-only: Not synced from on-premises AD. If AD is down, synced accounts fail.
  • Global Administrator role: Active assignment (not Eligible via PIM: you need access instantly).
  • No MFA registered to a personal device: Use a FIDO2 hardware key or a phone number owned by the organization, stored securely (for example, a safe at company headquarters).
  • Long, random password: 16 or more characters, generated and split across two envelopes held by two different executives.
  • No license assigned: Break glass accounts do not need Microsoft 365 or Entra ID P2 licenses.

Conditional Access Exclusion

Every Conditional Access policy that could block access must explicitly exclude break glass accounts. The safest pattern: create an "Emergency Access Accounts" group, add both break glass accounts, and exclude this group from all CA policies. Exam trap: Excluding by user object directly is fine but fragile. Excluding by group is the recommended pattern because it scales and is easier to audit.
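One way to audit that pattern across a tenant's policy set, as an added example that is not from the article: the policy objects below are constructed samples shaped like the Microsoft Graph conditionalAccessPolicy resource (conditions.users.excludeGroups / excludeUsers and the state field), and the group and user object IDs are hypothetical placeholders.

```python
from dataclasses import dataclass

# Hypothetical object IDs; in a real tenant, read them from Entra ID first.
EMERGENCY_GROUP_ID = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS_USER_IDS = {"bg-0001", "bg-0002"}


@dataclass
class Finding:
    policy: str
    state: str
    exclusion: str  # "group", "users", "partial" or "missing"


def exclusion_status(policy, group_id, user_ids):
    """Classify how (or whether) one policy excludes the break glass accounts."""
    users = policy.get("conditions", {}).get("users", {})
    if group_id in users.get("excludeGroups", []):
        return "group"        # recommended pattern: exclude the group
    excluded = set(users.get("excludeUsers", []))
    if user_ids <= excluded:
        return "users"        # works, but fragile and harder to audit
    if user_ids & excluded:
        return "partial"      # at least one emergency account would be blocked
    return "missing"


def audit_policies(policies, group_id=EMERGENCY_GROUP_ID, user_ids=BREAK_GLASS_USER_IDS):
    return [Finding(p["displayName"], p["state"], exclusion_status(p, group_id, user_ids))
            for p in policies]


def policies_at_risk(findings):
    """Policies that could lock out an emergency account now, or as soon as a
    report-only policy is switched to enforced. Disabled policies are listed
    by audit_policies but not counted as a current risk."""
    return [f.policy for f in findings
            if f.exclusion in ("partial", "missing") and f.state != "disabled"]


# Constructed sample policies, shaped like Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [EMERGENCY_GROUP_ID]}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001", "bg-0002"]}}},
    {"displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001"]}}},
    {"displayName": "Block unapproved countries", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}}},
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]

if __name__ == "__main__":
    findings = audit_policies(SAMPLE_POLICIES)
    for f in findings:
        print(f"{f.policy:30} {f.state:36} {f.exclusion}")
    print("At risk:", policies_at_risk(findings))
```

Against real data, feed the function the policy list returned by the Graph conditional access policies endpoint and look up the group ID of the "Emergency Access Accounts" group instead of the placeholder.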

Monitoring

Break glass accounts should never be used in normal operations. Set up:

  • Diagnostic settings that send Entra sign-in logs to a Log Analytics workspace: Alert on any sign-in from the break glass account UPNs.
  • Microsoft Sentinel analytics rule: "Emergency account sign-in detected" with high severity and immediate notification.
  • Quarterly review: Verify the accounts still exist, have the correct role, and that credentials are still accessible (not expired).


Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
