At some point, regardless of size and sector, every administrator has encountered the frustrating challenge of being locked out of their admin account. Whether it’s MFA failures, forgotten passwords, or system outages, there are times when accessing Microsoft accounts becomes impossible, putting your organization at risk.

Microsoft Entra break glass accounts are designed to step in when the worst happens. These emergency access accounts provide you with tenant access, ensuring you’re never truly locked out. But, like any powerful tool, they must be used with caution. Knowing how to use a break glass account is essential to prevent the very lockout you’re trying to avoid.

In this blog, we’ll walk you through the best practices for break glass accounts, helping you stay prepared for any emergency.

Find the best practices for managing emergency access accounts in Microsoft Entra ID.

  1. Create two emergency access accounts
  2. Adopt strategic names for break glass accounts
  3. Protect access with fallback domains
  4. Create cloud-only break glass accounts
  5. Configure complex and strong passwords
  6. Disable password expiration for break glass accounts
  7. Store emergency access credentials securely
  8. Implement robust multi-factor authentication methods
  9. Exclude break glass accounts from Conditional Access policy
  10. Avoid user specific associations in break glass accounts
  11. Audit sign-in activities of break glass accounts
  12. Assign ‘permanent active’ role in Privileged Identity Management (PIM)

1. Create Two Emergency Access Accounts

Redundancy is key when it comes to emergency access. By setting up two break-glass accounts in Entra ID, you ensure that if one account is inaccessible, you still have a backup. Assigning a fallback ensures tenant access even during unexpected scenarios such as a forgotten password, a lost hardware token, or a misconfigured policy affecting one of the admin accounts. These accounts don’t require licenses unless features like CA policies or PIM are involved.

2. Adopt Strategic Names for Break Glass Accounts

To further secure and manage emergency access accounts, avoid using obvious identifiers. Instead, opt for random yet human-like names to obscure the account’s purpose. Randomized names make it harder for attackers to identify the accounts during attacks, such as password spraying.

3. Protect Access with Fallback Domains

To prevent domain-based access issues, create break glass accounts on the tenant’s default *.onmicrosoft.com domain. If the accounts were instead on a domain that relies on external systems (like federated identity providers), you could lose access to them whenever those systems are unavailable.

4. Create Cloud-Only Break Glass Accounts

When setting up break glass accounts, it’s crucial to make them cloud-only rather than synchronizing them from an on-premises directory. If the on-premises system experiences an outage, a synced account could lose access to critical cloud services, defeating the purpose of having emergency accounts.

5. Configure Complex and Strong Passwords

When setting up emergency access accounts in Microsoft Entra ID, it’s crucial to configure complex passwords that offer protection against potential security threats. To maximize security:

  • Use passwords that are at least 32 characters long.
  • Include a mix of uppercase and lowercase letters, numbers, and special characters.

This greatly enhances the complexity of the password, making it significantly harder for attackers to crack using common methods like brute force attacks.

6. Disable Password Expiration for Break Glass Accounts

Active break glass accounts are crucial for emergency access, so it’s vital to ensure their constant availability in the organization. To do this, configure the password to never expire to prevent lockouts during emergencies. Also, exclude the accounts from automated inactive user removal processes to avoid accidental deactivation.
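Practices 1 to 6 together describe one procedure: two accounts, unobtrusive names, the default *.onmicrosoft.com domain, cloud-only, long passwords, no expiry. The script below is an added example (not from the original post, and not Microsoft’s own tooling) that carries out that procedure with the Microsoft Graph PowerShell SDK and then verifies the result. The display names and mail nicknames are constructed placeholders, the tenant domain is read from the tenant at run time, and the session is assumed to hold a role that can create users.

```powershell
# Added example (not from the original post): create two cloud-only break glass
# accounts following practices 1-6 and verify them. Requires the Microsoft.Graph
# PowerShell SDK. Names below are constructed placeholders; the tenant domain is
# discovered at run time.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Domain.Read.All"

# Practices 3 and 4: the initial *.onmicrosoft.com domain is managed by Entra ID
# itself, so sign-in never depends on a federated IdP or on-premises AD.
$tenantDomain = (Get-MgDomain | Where-Object { $_.IsInitial }).Id

function New-BreakGlassPassword {
    # Practice 5: long password drawn from all four character classes.
    param([int]$Length = 40)
    if ($Length -lt 32) { throw "Break glass passwords should be at least 32 characters." }

    # Visually ambiguous characters (0/O, 1/l/I) are left out because these
    # passwords are often typed from a printed copy during an outage.
    $classes = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnpqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!@#$%^&*()-_=+[]{}:,.?'
    )
    $all = @(); foreach ($set in $classes) { $all += $set }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    function Get-RandomIndex([int]$Max) {
        # CSPRNG-backed index; modulo bias is negligible for sets this small against 2^32.
        $buf = New-Object byte[] 4
        $rng.GetBytes($buf)
        return [int]([System.BitConverter]::ToUInt32($buf, 0) % [uint32]$Max)
    }

    # One character from each class guarantees the mix; the rest come from the union.
    $chars = @(foreach ($set in $classes) { $set[(Get-RandomIndex $set.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }

    # Fisher-Yates shuffle so the guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

# Practice 2: names that look like ordinary users rather than "breakglass-admin".
# Constructed placeholders; choose your own.
$accounts = @(
    @{ DisplayName = "Harriet Lindqvist"; MailNickname = "hlindqvist" },
    @{ DisplayName = "Tomas Okafor";      MailNickname = "tokafor" }
)

$created = foreach ($a in $accounts) {      # practice 1: two accounts
    $password = New-BreakGlassPassword -Length 40
    $user = New-MgUser -AccountEnabled `
        -DisplayName $a.DisplayName `
        -MailNickname $a.MailNickname `
        -UserPrincipalName "$($a.MailNickname)@$tenantDomain" `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false } `
        -PasswordPolicies "DisablePasswordExpiration"      # practice 6

    # Confirm the result is really cloud-only and non-expiring before relying on it.
    $check = Get-MgUser -UserId $user.Id -Property Id, OnPremisesSyncEnabled, PasswordPolicies
    if ($check.OnPremisesSyncEnabled) {
        throw "$($user.UserPrincipalName) is directory-synced; break glass accounts must be cloud-only."
    }
    if ($check.PasswordPolicies -notmatch 'DisablePasswordExpiration') {
        throw "Password expiration is still enabled for $($user.UserPrincipalName)."
    }

    # Practice 7: this object goes straight into the vault or sealed-envelope
    # procedure. Do not run under Start-Transcript or pipe it to a log.
    [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Id = $user.Id; Password = $password }
}
$created | Select-Object UserPrincipalName, Id    # show identifiers only, never the passwords
```

The second half of practice 6, keeping these accounts out of automated inactive-user clean-up, is a process control rather than an account property, so the script cannot enforce it; record the two object IDs it prints and add them to the exclusion list of whatever clean-up job you run.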

7. Store Emergency Access Credentials Securely

After setting up your emergency access accounts, it’s essential to protect where you store the passwords or security keys. Here’s how you can do this effectively:

Using a Password Manager:

  • If you store emergency account credentials in a corporate password manager, carefully review who has access to the stored information.
  • Limit access to only authorized personnel and regularly audit permissions to prevent unauthorized access.

Storing Hardware Tokens:

  • If you’re using physical devices like FIDO2 security keys, store them securely in a location accessible only to authorized individuals.
  • Ensure the storage area is monitored and access is logged or audited to track any attempts to retrieve the devices.

8. Implement Robust Multi-Factor Authentication Methods

To ensure emergency accounts remain secure even if passwords are compromised, implement strong MFA methods like phishing-resistant MFA or passwordless MFA.

Don’t use the same MFA method as the one used for regular admin accounts. This is to ensure that you can still access these accounts if something goes wrong with the usual MFA system. For maximum protection, consider using FIDO2 security keys.

9. Exclude Break Glass Account from Conditional Access Policy

Of the two emergency access accounts, exclude one break glass account from all CA policies so that it cannot be blocked during an emergency. The other account can be included in Conditional Access policies according to your requirements. To assess how CA policies might impact a sign-in, use the Conditional Access What If tool in Microsoft Entra ID to simulate sign-in scenarios in real time.
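Adding the exclusion by hand to every policy is error-prone, and a policy created later will not carry it. The script below is an added example (not from the original post) that adds one break glass account to the exclusion list of every Conditional Access policy through the Graph API and then reports any policy still missing it, so it can be re-run as a periodic check. The UPN is a placeholder. It deliberately sends the whole conditions object back on PATCH: sending only a new excludeUsers list replaces the users block and silently drops the include lists.

```powershell
# Added example (not from the original post): exclude one break glass account
# from every Conditional Access policy (practice 9) and verify afterwards.
# The UPN is a placeholder. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

$breakGlassUpn = "hlindqvist@contoso.onmicrosoft.com"   # placeholder
$bg = Get-MgUser -UserId $breakGlassUpn -Property Id, UserPrincipalName

$base = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

function Get-AllCaPolicies {
    # Follow @odata.nextLink so a large tenant does not stop at the first page.
    $uri = $base
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

function Add-BreakGlassExclusion {
    param($Policy, [string]$UserId)
    $exclude = @($Policy.conditions.users.excludeUsers)
    if ($exclude -contains $UserId) { return $false }     # already excluded

    $Policy.conditions.users.excludeUsers = $exclude + $UserId
    # PATCH the complete conditions object as returned by Graph, with only the
    # exclude list changed, so include lists and other conditions survive intact.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($Policy.id)" `
        -Body @{ conditions = $Policy.conditions } | Out-Null
    return $true
}

foreach ($p in Get-AllCaPolicies) {
    if (Add-BreakGlassExclusion -Policy $p -UserId $bg.Id) {
        "Excluded $($bg.UserPrincipalName) from '$($p.displayName)'"
    } else {
        "Already excluded from '$($p.displayName)'"
    }
}

# Verification pass: any policy that still lacks the exclusion is a gap to fix.
Get-AllCaPolicies |
    Where-Object { @($_.conditions.users.excludeUsers) -notcontains $bg.Id } |
    ForEach-Object { Write-Warning "No break glass exclusion in policy '$($_.displayName)'" }
```

Run the verification pass alone (the last pipeline) on a schedule; a new policy created without the exclusion shows up as a warning, and the Conditional Access What If tool can then confirm the account still signs in under every policy.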

10. Avoid User-Specific Associations in Break Glass Accounts

Emergency access accounts must not be tied to any individual in your organization. Avoid linking these accounts to employee-supplied devices like mobile phones, hardware tokens, or other personal credentials. This precaution ensures that emergency access to critical systems is not disrupted due to the unavailability of a specific employee.

11. Audit Sign-in Activities of Break Glass Accounts

Regular monitoring of sign-in activity and audit logs for emergency access accounts helps ensure their use is limited to actual emergencies. Organizations can use Microsoft Entra Sign-in logs to monitor sign-in activities effectively. You can also set up Microsoft alerts for break glass account sign-ins, ensuring timely notification of their activity. Additionally, perform regular reviews of audit logs to monitor and document any changes made using these accounts.
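Because these accounts should only ever be used during a declared emergency, the useful detection rule is simple: any sign-in or any directory change attributed to them is an event to investigate. The script below is an added example (not from the original post) that pulls both kinds of activity for the last seven days from the Microsoft Entra sign-in and audit logs via the Graph PowerShell SDK, and also re-checks the practice 6 settings while it is there. The UPNs are placeholders, and the sign-in log API requires an Entra ID P1 or P2 licence.

```powershell
# Added example (not from the original post): report every sign-in by, and every
# directory change made with, the break glass accounts over the last 7 days
# (practice 11), plus a quick practice 6 health check. UPNs are placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$breakGlassUpns = @("hlindqvist@contoso.onmicrosoft.com", "tokafor@contoso.onmicrosoft.com")
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

$findings = foreach ($upn in $breakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled, PasswordPolicies

    # Practice 6 health check: still enabled and still non-expiring.
    if (-not $user.AccountEnabled) { Write-Warning "$upn is disabled" }
    if ($user.PasswordPolicies -notmatch 'DisablePasswordExpiration') { Write-Warning "$upn password can expire" }

    # Any sign-in is worth a ticket: these accounts are for emergencies only.
    Get-MgAuditLogSignIn -All -Filter "userId eq '$($user.Id)' and createdDateTime ge $since" |
        ForEach-Object {
            $result = if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failure $($_.Status.ErrorCode)" }
            [pscustomobject]@{
                Account = $upn
                Kind    = 'SignIn'
                Time    = $_.CreatedDateTime
                Detail  = "$($_.AppDisplayName) from $($_.IPAddress) ($($_.Location.CountryOrRegion))"
                Result  = $result
            }
        }

    # Changes made while signed in as the account (role grants, policy edits, ...).
    Get-MgAuditLogDirectoryAudit -All -Filter "initiatedBy/user/id eq '$($user.Id)' and activityDateTime ge $since" |
        ForEach-Object {
            $targets = ($_.TargetResources | ForEach-Object DisplayName) -join ', '
            [pscustomobject]@{
                Account = $upn
                Kind    = 'Change'
                Time    = $_.ActivityDateTime
                Detail  = "$($_.Category): $($_.ActivityDisplayName) on $targets"
                Result  = $_.Result
            }
        }
}

if ($findings) {
    $findings | Sort-Object Time | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) break glass event(s) found; confirm each against an approved emergency."
} else {
    "No break glass activity since $since"
}
```

A scheduled run of this script is a useful backstop, but it is not a substitute for the near-real-time alert the post recommends: configure an alert on sign-ins by these two object IDs so the notification arrives while the session is still open, and keep this report for the periodic review and documentation of what was changed.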

12. Assign ‘Permanent Active’ Role in Privileged Identity Management (PIM)

In Microsoft Entra Privileged Identity Management (PIM), emergency access accounts should have a permanently active Global Administrator role assignment rather than an ‘Eligible’ assignment. This guarantees that these accounts can access full admin privileges at any time without the need for role activation.
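The distinction that matters in PIM is between an assignment request whose action is an admin-initiated direct assignment with no expiration, and an eligibility that would still require activation (and possibly MFA or approval) at the moment you are locked out. The script below is an added example (not from the original post) that creates the permanent active Global Administrator assignment for one break glass account via the Graph PowerShell SDK, verifies it landed as an ‘Assigned’ schedule with no expiry, and flags any leftover eligible assignment. The UPN is a placeholder; PIM requires an Entra ID P2 licence.

```powershell
# Added example (not from the original post): give a break glass account a
# permanent, active Global Administrator assignment through PIM (practice 12)
# and verify it. The UPN is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$upn  = "hlindqvist@contoso.onmicrosoft.com"   # placeholder
$user = Get-MgUser -UserId $upn -Property Id
# Resolve the role by name rather than hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

$request = @{
    Action           = "adminAssign"          # direct assignment by an admin, not self-activation
    Justification    = "Emergency access account: permanent active assignment"
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"                    # tenant-wide scope
    PrincipalId      = $user.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "noExpiration" }   # never lapses, never needs activation
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request | Out-Null

# Verify: an 'Assigned' schedule for this role with no expiry, as opposed to an eligible one.
$schedule = Get-MgRoleManagementDirectoryRoleAssignmentSchedule -Filter "principalId eq '$($user.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id }
if ($schedule.AssignmentType -eq 'Assigned' -and $schedule.ScheduleInfo.Expiration.Type -eq 'noExpiration') {
    "$upn has a permanent active Global Administrator assignment"
} else {
    Write-Warning "$upn does not have a permanent active assignment; check PIM"
}

# A leftover eligible assignment only adds noise and can mislead a reviewer.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object { Write-Warning "Eligible assignment present for role $($_.RoleDefinitionId); consider removing it" }
```

Keep the verification half of this script in the same periodic review as the sign-in report: a PIM assignment that someone later converted to eligible, or gave an end date, is exactly the kind of quiet drift that only surfaces during the emergency it was meant to cover.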

Securing your emergency access accounts is essential for maintaining control over your Microsoft Entra environment during unexpected situations. By following Microsoft 365 security best practices, you can strengthen your organization’s defenses, ensuring uninterrupted access when you need it most.

Don’t forget, implementing best practices for break-glass accounts is just one part of a larger security strategy. Admins must also follow best practices to secure Microsoft 365 admin accounts to ensure comprehensive protection across your environment.