Break Glass Accounts and Lockout Risk
Several Optimize365 controls harden authentication and access policies in your Microsoft 365 tenant. While critical for security, some of these controls can lock administrators out of the organization if emergency access accounts are not properly configured beforehand.
What Are Break Glass Accounts?
Break glass (emergency access) accounts are cloud-only accounts with permanent Global Administrator privileges, designed for scenarios where normal admin accounts cannot sign in. Common causes include MFA outages, conditional access misconfigurations, federated identity provider failures, or the departure of a key administrator.
Microsoft recommends every tenant maintain at least two such accounts. This is verified by Optimize365 control 1.1.2 (“Ensure two emergency access accounts have been defined”).
Controls That Carry Lockout Risk
The following controls modify authentication or access policies that could prevent all administrators from signing in if break glass accounts are not in place or not excluded from affected policies:
| Control | Description |
|---|---|
| 1.3.2 | Ensure third-party integrated applications are not allowed |
| 5.2.2.5 | Ensure multifactor authentication is enabled for all users in all cloud apps |
| 5.2.2.7 | Ensure that an exclusion group is configured for emergency access accounts |
| 5.2.2.9 | Ensure MFA is required for risky sign-ins |
| 5.3.1 | Ensure Security Defaults is disabled on Azure Active Directory |
| 5.3.4 | Ensure Microsoft Authenticator is configured to protect against MFA fatigue |
Remediating any of these without functioning break glass accounts can result in a full tenant lockout, with recovery requiring a Microsoft support case.
How Optimize365 Helps
When you open any of the controls listed above, Optimize365 checks the result of control 1.1.2 to determine whether emergency access accounts are configured. You will see one of three statuses:
- Configured — 1.1.2 is passing. You can proceed, but always verify the accounts are excluded from the policies you are about to change.
- Not configured — 1.1.2 is failing. Address this before remediating the control.
- Cannot validate — 1.1.2 was not included in the current scan. Manually verify your emergency access accounts before proceeding.
Setting Up Break Glass Accounts
Account Requirements
- Cloud-only — Use the `*.onmicrosoft.com` domain. Do not sync these from on-premises AD or use a federated domain.
- Permanent Global Administrator — Assign the role directly, not through PIM eligible activation, so the accounts work even if PIM itself is unavailable.
- Non-obvious naming — Avoid names like `breakglass@` or `emergency@`. Use randomized, human-sounding names to reduce exposure to password spray attacks.
- Not tied to any individual — These accounts should not be associated with any specific employee, personal phone, or personal device.
Authentication
Microsoft now enforces MFA on all admin portal sign-ins. Break glass accounts must be registered with a phishing-resistant method:
- FIDO2 security keys (recommended) — Purchase at least two keys per account. Store them in separate, physically secure locations accessible to authorized personnel. See Microsoft’s FIDO2 guidance.
- Certificate-based authentication — An alternative if FIDO2 keys are not practical. See Configure CBA in Entra.
Do not rely on SMS or phone call MFA for these accounts — those methods can fail during the same outages that trigger a break glass scenario.
Password Policy
- Use a passphrase of at least 32 characters.
- Set the password to never expire.
- Split the password into parts and store each part separately (e.g., two halves in two different safes or vaults).
- Exclude the accounts from any automated inactive user cleanup processes.
Conditional Access
Exclude at least one break glass account from all conditional access policies. This is the entire point of these accounts — they must bypass every policy that could block sign-in. Control 5.2.2.7 specifically checks for this exclusion group.
For detailed steps, see Manage emergency access accounts - Microsoft Entra.
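The checks in the Account Requirements, Authentication, Password Policy and Conditional Access sections above can be audited from the command line. The script below is an added example, not Optimize365 code and not Microsoft's own guidance; it uses the Microsoft Graph PowerShell SDK and assumes `$BreakGlassUpns` holds your tenant's emergency access account UPNs (the values shown are placeholders). It reports, per account, which of the requirements on this page is not met.

```powershell
# Added example: audit break glass accounts against the requirements described above.
# Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Assumption: replace the placeholder UPNs with your tenant's emergency access accounts.
$BreakGlassUpns = @(
    'placeholder-account-1@contoso.onmicrosoft.com',
    'placeholder-account-2@contoso.onmicrosoft.com'
)

Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory', 'Policy.Read.All',
                        'UserAuthenticationMethod.Read.All', 'GroupMember.Read.All'

# Resolve the Global Administrator role and its active members.
# Note: a role activated through PIM also appears here; confirm in PIM that the
# assignment is permanent ("Assigned"), not an activated eligible assignment.
$gaRole    = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = (Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id

# All Conditional Access policies; every one must exclude the break glass account.
$policies = Get-MgIdentityConditionalAccessPolicy -All

# Authentication method types that count as phishing-resistant on this page.
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.x509CertificateAuthenticationMethod'
)

$report = foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled,
                                              OnPremisesSyncEnabled, PasswordPolicies
    $findings = [System.Collections.Generic.List[string]]::new()

    # Cloud-only: UPN on the *.onmicrosoft.com domain and never synced from on-premises AD.
    if ($user.UserPrincipalName -notlike '*.onmicrosoft.com') { $findings.Add('UPN is not on the onmicrosoft.com domain') }
    if ($user.OnPremisesSyncEnabled -eq $true)                { $findings.Add('Account is synced from on-premises AD') }
    if (-not $user.AccountEnabled)                             { $findings.Add('Account is disabled') }

    # Permanent Global Administrator: must be an active member of the role.
    if ($gaMembers -notcontains $user.Id) { $findings.Add('Not an active Global Administrator') }

    # Password policy: never expires.
    if ($user.PasswordPolicies -notmatch 'DisablePasswordExpiration') { $findings.Add('Password is set to expire') }

    # Phishing-resistant MFA: at least one FIDO2 key or certificate registered.
    $methodTypes = (Get-MgUserAuthenticationMethod -UserId $user.Id) |
                   ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    if (-not ($methodTypes | Where-Object { $phishingResistant -contains $_ })) {
        $findings.Add('No FIDO2 or certificate-based authentication method registered')
    }

    # Conditional Access: excluded from every policy, directly or through an excluded group.
    $userGroups = (Get-MgUserMemberOf -UserId $user.Id -All).Id
    foreach ($p in $policies) {
        $users = $p.Conditions.Users
        $directlyExcluded = $users.ExcludeUsers -contains $user.Id
        $groupExcluded    = @($users.ExcludeGroups | Where-Object { $userGroups -contains $_ }).Count -gt 0
        if (-not ($directlyExcluded -or $groupExcluded)) {
            $findings.Add("Not excluded from Conditional Access policy '$($p.DisplayName)' (state: $($p.State))")
        }
    }

    [pscustomobject]@{
        Account  = $upn
        Status   = if ($findings.Count -eq 0) { 'OK' } else { 'FAIL' }
        Findings = $findings -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run this before remediating any of the controls listed in the lockout-risk table; a `FAIL` row tells you which requirement on this page to fix first. The Conditional Access check deliberately reports report-only and disabled policies as well, because a policy that is later switched on without the exclusion is exactly the misconfiguration these accounts exist to survive.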