Cyber Intelligence
Identity & Access · 30% of exam

L5. Break Glass & Emergency Access

Course outlineLesson 5 of 18

Break glass accounts are your last resort when all normal admin access fails. The AZ-500 exam tests setup, monitoring, and how to exclude them from Conditional Access without creating a security hole.

Why Break Glass Accounts Exist

If your Global Administrator accounts are all protected by MFA and your MFA provider goes down, you are locked out of your own tenant. Break glass (emergency access) accounts bypass normal authentication flows: they are the fire extinguisher behind the glass.

Account Setup Requirements

Break glass accounts must be:

  • Cloud-only: Not synced from on-premises AD. If AD is down, synced accounts fail.
  • Global Administrator role: Active assignment (not Eligible via PIM: you need access instantly).
  • No MFA registered to a personal device: Use a FIDO2 hardware key or a phone number owned by the organization, stored securely (for example, a safe at company headquarters).
  • Long, random password: 16 or more characters, generated and split across two envelopes held by two different executives.
  • No license assigned: Break glass accounts do not need Microsoft 365 or Entra ID P2 licenses.

Conditional Access Exclusion

Every Conditional Access policy that could block access must explicitly exclude break glass accounts. The safest pattern: create an "Emergency Access Accounts" group, add both break glass accounts, and exclude this group from all CA policies. Exam trap: Excluding by user object directly is fine but fragile. Excluding by group is the recommended pattern because it scales and is easier to audit.

Monitoring

Break glass accounts should never be used in normal operations. Set up:

  • Diagnostic settings to Entra sign-in logs to Log Analytics: Alert on any sign-in from break glass account UPNs.
  • Microsoft Sentinel analytics rule: "Emergency account sign-in detected" with high severity and immediate notification.
  • Quarterly review: Verify the accounts still exist, have the correct role, and that credentials are still accessible (not expired).
Exam Focus Points
  • Break glass accounts must be cloud-only (not AD-synced) and have an Active (not Eligible) Global Admin role
  • MFA credential must be org-owned (hardware key or org phone): never a personal device
  • Exclude break glass accounts from ALL Conditional Access policies: use an exclusion group, not individual users
  • Alert on any sign-in activity from break glass UPNs via Entra Diagnostic Settings to Log Analytics
  • Conduct quarterly verification: account exists, role is assigned, credentials are accessible
Knowledge Check

1. Why should break-glass accounts use cloud-only authentication rather than federated or hybrid identity?

2. How should break-glass account sign-in activity be monitored?

3. Which of the following is the recommended authentication method for a break-glass account?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available