Last Updated on August 13, 2025 by Arnav Sharma
Break Glass accounts, also known as emergency access accounts, are a failsafe designed to ensure that administrators can always gain access to the Azure AD tenant, even when normal admin accounts can't sign in because of an unforeseen event.
The Role of Break Glass Accounts in Microsoft Azure
A Break Glass account in Azure AD is a special type of administrative account that is intended for use in emergency scenarios where the regular MFA service is not operational, or when conditional access policies prevent standard sign-in procedures. These accounts are highly privileged and are typically excluded from policies that apply to non-emergency accounts.
Best Practices for Managing Emergency Access Accounts in Azure AD (Microsoft Entra ID)
When setting up Break Glass accounts, Microsoft recommends adhering to certain best practices to secure the account effectively:
Cloud-Only Accounts
- Why Cloud-Only? Cloud-only accounts are not affected by on-premises directory changes, ensuring uninterrupted emergency access.
- Best Practice Implementation: Create these accounts directly in the Azure portal, ensuring they remain entirely separate from any on-premises synchronization processes.
Exclusion from Policies
- The Need for Exclusion: To guarantee access during an emergency, Break Glass accounts must bypass Conditional Access and MFA.
- Best Practice Implementation: Place Break Glass accounts in an Azure AD group that is excluded from all Conditional Access policies and ensure they are not enrolled in MFA.
Strong Passwords
- Complexity and Security: Use complex passwords that are less prone to brute-force attacks and ensure they are securely managed.
- Best Practice Implementation: Utilize a password manager for generating and storing complex passwords, and set these accounts to have non-expiring passwords.
Limited Use
- Restricting Usage: Limit the use of Break Glass accounts to emergency situations only to prevent misuse.
- Best Practice Implementation: Establish and enforce policies detailing the specific conditions under which these accounts can be used.
Dual Accounts
- Redundancy is Key: Maintain at least two Break Glass accounts to ensure that one is always available if the other is compromised.
- Best Practice Implementation: Securely store credentials for multiple accounts in different locations and ensure they are both tested regularly.
Monitoring
- Proactive Oversight: Continuously monitor these accounts to detect unauthorized use and respond to alerts.
- Best Practice Implementation: Set up Azure Log Analytics to track account activity and configure Azure Monitor alert rules to notify designated personnel of any account usage.
Testing
- Ensuring Readiness: Regularly test Break Glass accounts to confirm they are operational and can provide access when needed.
- Best Practice Implementation: Include Break Glass account testing in routine security exercises, documenting each test and updating procedures based on the findings.
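The checklist above can be turned into an automated audit. The following is an added example, not code from the original article or from Microsoft: it checks each break glass account for cloud-only status, a non-expiring password, exclusion from every active Conditional Access policy (directly or through an excluded group), and that at least two such accounts exist. The records are constructed for illustration and mirror the field names returned by Microsoft Graph for users, Conditional Access policies and group members; the object IDs are placeholders.

```python
# Audit break glass accounts against the best practices listed above.
# Sample records are constructed; field names follow Microsoft Graph's
# /users, /identity/conditionalAccess/policies and /groups/{id}/members.
BREAK_GLASS_IDS = {"bg-0001", "bg-0002"}  # placeholder object IDs
USERS = [
    {"id": "bg-0001", "userPrincipalName": "bg1@contoso.onmicrosoft.com",
     "onPremisesSyncEnabled": None, "passwordPolicies": "DisablePasswordExpiration"},
    {"id": "bg-0002", "userPrincipalName": "bg2@contoso.onmicrosoft.com",
     "onPremisesSyncEnabled": True, "passwordPolicies": None},  # misconfigured on purpose
]
GROUP_MEMBERS = {"grp-bg": {"bg-0001", "bg-0002"}}  # the dedicated break glass group
CA_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": ["grp-bg"]}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001"], "excludeGroups": []}}},
    {"displayName": "Retired policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}}},
]


def is_excluded(user_id, policy, group_members):
    """True when the user is excluded from the policy directly or via an excluded group."""
    users = policy["conditions"]["users"]
    if user_id in users.get("excludeUsers", []):
        return True
    return any(user_id in group_members.get(g, set()) for g in users.get("excludeGroups", []))


def audit(users, policies, group_members, break_glass_ids):
    """Return {userPrincipalName: [findings]}; an empty list means the account is compliant."""
    findings = {}
    bg_users = [u for u in users if u["id"] in break_glass_ids]
    for u in bg_users:
        issues = []
        if u.get("onPremisesSyncEnabled"):
            issues.append("synced from on-premises AD; must be cloud-only")
        if "DisablePasswordExpiration" not in (u.get("passwordPolicies") or ""):
            issues.append("password expiration not disabled")
        for p in policies:
            # Report-only policies still evaluate the account, so only 'disabled' ones are skipped.
            if p["state"] != "disabled" and not is_excluded(u["id"], p, group_members):
                issues.append(f"not excluded from Conditional Access policy '{p['displayName']}'")
        findings[u["userPrincipalName"]] = issues
    if len(bg_users) < 2:
        findings["_tenant"] = ["fewer than two break glass accounts exist"]
    return findings


if __name__ == "__main__":
    for account, issues in audit(USERS, CA_POLICIES, GROUP_MEMBERS, BREAK_GLASS_IDS).items():
        print(account, "OK" if not issues else "; ".join(issues))
```

Feed it the live output of the corresponding Graph calls and the second account's three findings (on-premises sync, expiring password, missing exclusion from "Block legacy auth") show the kind of drift the audit is meant to catch.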
Azure AD Identity and Security Defaults
While Azure AD Security Defaults provide a robust level of security by enforcing MFA through methods like the Microsoft Authenticator app, Break Glass accounts must be able to bypass these controls. This is where Azure AD Identity Protection comes into play, allowing the configuration of these accounts to ensure they remain accessible in emergencies.
Monitoring with Azure Log Analytics and Microsoft Sentinel
To manage emergency access admin accounts effectively, it's recommended to connect Azure AD sign-in and audit logs to a Log Analytics workspace. This allows for comprehensive monitoring and analysis of Break Glass account usage. Additionally, integrating with Microsoft Sentinel can provide advanced threat detection and response capabilities.
Azure AD Break Glass accounts are a critical component of a resilient Microsoft Azure security strategy. They provide a necessary fallback path for administrators to reach Azure AD and manage emergency situations effectively. By following the best practices for creating and managing these accounts, organizations can ensure that their Azure AD tenant remains secure and accessible, even in the most challenging circumstances.
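The alerting logic behind "notify on any usage" is shown here as an added example, not code from the original article: it runs offline over constructed rows shaped like the Entra ID SigninLogs table, matches on the account object ID (UserId) rather than the UPN so a renamed account is still caught, and reports failed attempts as well as successful sign-ins. The object IDs, addresses and timestamps are placeholders.

```python
# Detection over constructed rows shaped like Entra ID SigninLogs records.
# Any sign-in attempt by a break glass account is alert-worthy, so failures
# (ResultType != "0") are reported alongside successes.
from datetime import datetime

BREAK_GLASS_IDS = {"bg-0001", "bg-0002"}  # placeholder object IDs of the emergency accounts

# Constructed sample rows; a real feed would come from the Log Analytics workspace.
SIGNIN_LOGS = [
    {"TimeGenerated": "2024-09-01T03:12:44Z", "UserId": "bg-0001", "UserPrincipalName": "bg1@contoso.onmicrosoft.com",
     "ResultType": "0", "ResultDescription": "", "IPAddress": "203.0.113.10", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-09-01T03:10:02Z", "UserId": "bg-0002", "UserPrincipalName": "bg2@contoso.onmicrosoft.com",
     "ResultType": "50126", "ResultDescription": "Invalid username or password", "IPAddress": "198.51.100.7", "AppDisplayName": "Azure Portal"},
    {"TimeGenerated": "2024-09-01T03:11:30Z", "UserId": "u-1234", "UserPrincipalName": "alice@contoso.com",
     "ResultType": "0", "ResultDescription": "", "IPAddress": "192.0.2.5", "AppDisplayName": "Office 365"},
]


def break_glass_events(rows, break_glass_ids):
    """Return every sign-in attempt by a break glass account, oldest first."""
    hits = [r for r in rows if r.get("UserId") in break_glass_ids]
    return sorted(hits, key=lambda r: datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00")))


def to_alert(row):
    """Shape one matching row into the fields an on-call notification needs."""
    success = row["ResultType"] == "0"  # ResultType "0" is a successful sign-in
    return {
        "account": row["UserPrincipalName"],
        "time": row["TimeGenerated"],
        "outcome": "SUCCESS" if success else f"FAILURE ({row['ResultType']}: {row['ResultDescription']})",
        "source_ip": row["IPAddress"],
        "app": row["AppDisplayName"],
        # A successful sign-in outside a documented test is the urgent case.
        "severity": "high" if success else "medium",
    }


def alerts(rows, break_glass_ids):
    """Alerts for all break glass activity in the given rows."""
    return [to_alert(r) for r in break_glass_events(rows, break_glass_ids)]


if __name__ == "__main__":
    for a in alerts(SIGNIN_LOGS, BREAK_GLASS_IDS):
        print(a)
```

In a workspace the same filter should be applied to both SigninLogs and AADNonInteractiveUserSignInLogs, since token refreshes by the account land in the latter.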
Hi, you say that we should place the BGA into a Group and configure CAP and MFA for exceptions of this group.
But now one question is coming along regarding Microsoft's plan to enforce all accounts, including BGA, to use MFA.
I received following email from Microsoft:
=========================================================================================================
Action required: Enable multifactor authentication for your tenant by 15 October 2024
You're receiving this email because you're a global administrator for 262d79a0-1366-4703-87ec-1859cac03aac
Starting 15 October 2024, we will require users to use multifactor authentication (MFA) to sign into the Azure portal, Microsoft Entra admin center, and Intune admin center. To ensure your users maintain access, you'll need to enable MFA by 15 October 2024.
If you can't enable MFA for your users by that date, you'll need to apply to postpone the enforcement date. If you don't, your users will be required to set up MFA.
Action required
• To identify which users are signing into Azure with and without MFA, refer to our documentation.
• To ensure your users can access the Azure portal, Microsoft Entra admin center, and Intune admin center, enable MFA for your users by 15 October 2024.
• If you can't enable MFA by 15 October 2024, apply to postpone the enforcement date.
Help and support
If you have questions, get answers from community experts in Microsoft Q&A. If you have a support plan and you need technical help, open the Azure portal and select the question mark icon at the top of the page.
=========================================================================================================
Regards, Jürgen