Break-Glass Accounts Management
Why Break-Glass Accounts Are Important
Break-glass accounts (also known as emergency access accounts) are critical components of any Azure AD (Microsoft Entra ID) identity governance strategy. These accounts serve as a safety net when normal administrative access is unavailable due to unforeseen circumstances. Without break-glass accounts, an organization could be completely locked out of its own tenant, leading to catastrophic operational failures.
Consider scenarios such as:
- A Conditional Access policy misconfiguration that blocks all administrator sign-ins
- Multi-factor authentication (MFA) service outages affecting all admin accounts
- The last Global Administrator leaving the organization or being unavailable
- A federated identity provider (such as AD FS) going offline, preventing federated admin sign-ins
- A mobile device network outage rendering MFA unusable for all administrators
In each of these scenarios, break-glass accounts provide the only reliable path back into the tenant.
What Are Break-Glass Accounts?
Break-glass accounts are highly privileged emergency access accounts that are:
- Cloud-only accounts: They are not synchronized from on-premises Active Directory and do not rely on federated identity providers. They use the *.onmicrosoft.com domain to ensure they are independent of any custom domain or federation configuration.
- Permanently assigned the Global Administrator role: These accounts hold the highest level of privilege in the tenant so they can remediate any configuration issue.
- Not tied to any individual person: They are organizational accounts, not associated with a specific employee. This prevents loss of access when someone leaves the organization.
- Excluded from Conditional Access policies: At least one break-glass account should be excluded from all Conditional Access policies, including those requiring MFA, device compliance, trusted locations, and session controls. This ensures access even when Conditional Access is the root cause of a lockout.
- Rarely used: These accounts should never be used for day-to-day administration. They are reserved exclusively for true emergencies.
How Break-Glass Accounts Work
The management of break-glass accounts follows a carefully structured process:
1. Account Creation
- Create at least two break-glass accounts to provide redundancy.
- Use the *.onmicrosoft.com domain (e.g., BreakGlass1@contoso.onmicrosoft.com).
- Assign the Global Administrator role permanently (not through Privileged Identity Management eligible assignments, as PIM itself could be the point of failure).
- Use extremely long, complex passwords (e.g., 16+ characters, randomly generated).
- Consider configuring at least one account without MFA to ensure access during MFA outages, while the other may use a FIDO2 security key or other MFA method that does not depend on a phone or federated provider.
2. Password Management
- Split the password into two or more parts and store each part in a separate, secure, fireproof location (e.g., separate safes in different physical locations).
- Ensure that at least two people are required to assemble the full password (separation of duties).
- Do not store break-glass account passwords in the same system as regular passwords.
- Passwords should not expire — configure these accounts to be exempt from password expiration policies.
3. Exclusion from Conditional Access Policies
- Exclude at least one break-glass account from every Conditional Access policy, including policies that require MFA, compliant devices, trusted locations, or risk-based sign-in controls.
- This is perhaps the most critical configuration step. If these accounts are subject to Conditional Access, they may be blocked in the exact scenario where they are needed.
4. Monitoring and Alerting
- Configure Azure Monitor or Microsoft Sentinel to detect and alert whenever a break-glass account signs in.
- Create alert rules in Azure AD sign-in logs that trigger immediate notifications (email, SMS, or SIEM integration) when these accounts are used.
- Regularly review audit logs for any unexpected activity from these accounts.
- Use Azure AD log analytics to monitor sign-in activity continuously.
5. Regular Validation and Testing
- Periodically test the break-glass accounts (e.g., every 90 days) to ensure they still work, passwords are valid, and the accounts have not been inadvertently disabled or modified.
- Document and log each test.
- Validate that Conditional Access exclusions remain in place after any policy changes.
- Ensure the Global Administrator role assignment is still active.
6. Governance and Documentation
- Maintain a documented procedure for when and how to use break-glass accounts.
- Define who is authorized to use them and under what circumstances.
- Keep a record of every usage event, including the reason, duration, and actions performed.
- After each use, immediately change the password and re-secure it.
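The following Python is an added example (not part of this study guide or of any Microsoft tooling) that covers steps 3 to 5 above offline: it flags enforced Conditional Access policies that do not exclude a break-glass account, and produces an alert record for every sign-in attempt by one of those accounts. The policy and sign-in objects are constructed samples in the shape Microsoft Graph returns; the account object ids and UPNs are assumed values.

```python
# Constructed break-glass accounts (assumed ids/UPNs): Conditional Access
# exclusions reference users by object id, sign-in logs by UPN, so keep both.
BREAK_GLASS = {"bg-1111": "BreakGlass1@contoso.onmicrosoft.com",
               "bg-2222": "BreakGlass2@contoso.onmicrosoft.com"}
CA_POLICIES = [  # constructed, shaped like Graph conditionalAccessPolicy objects
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"excludeUsers": ["bg-1111", "bg-2222"]}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"excludeUsers": ["bg-1111"]}}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"excludeUsers": []}}},
    {"displayName": "Pilot: trusted locations", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"excludeUsers": []}}},
]
SIGNIN_LOGS = [  # constructed, shaped like Graph signIn events
    {"userPrincipalName": "alice@contoso.com", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "breakglass1@contoso.onmicrosoft.com",
     "createdDateTime": "2024-05-01T08:10:00Z", "ipAddress": "203.0.113.7",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "BreakGlass2@contoso.onmicrosoft.com",
     "createdDateTime": "2024-05-01T08:12:00Z", "ipAddress": "198.51.100.9",
     "status": {"errorCode": 50126}},
]

def check_ca_exclusions(policies, break_glass, report_only_too=False):
    """Map each enforced policy to the break-glass ids it does NOT exclude;
    report_only_too also flags policies that will enforce once switched on."""
    states = {"enabled"} | ({"enabledForReportingButNotEnforced"} if report_only_too else set())
    findings = {}
    for p in policies:
        if p.get("state") not in states:
            continue
        excluded = set(p.get("conditions", {}).get("users", {}).get("excludeUsers", []))
        if missing := sorted(set(break_glass) - excluded):
            findings[p["displayName"]] = missing
    return findings

def break_glass_signins(logs, break_glass):
    """Every attempt by a break-glass UPN, successful or not, is alert-worthy."""
    upns = {u.lower() for u in break_glass.values()}  # UPNs compare case-insensitively
    alerts = []
    for e in logs:
        if e.get("userPrincipalName", "").lower() not in upns:
            continue
        code = e.get("status", {}).get("errorCode", 0)
        alerts.append({"upn": e["userPrincipalName"], "time": e["createdDateTime"],
                       "ip": e["ipAddress"], "outcome": "success" if code == 0 else f"failure {code}"})
    return alerts
```

In a real tenant the same two checks would be fed from the Graph endpoints /identity/conditionalAccess/policies and /auditLogs/signIns, scheduled with the 90-day validation and the continuous monitoring described above.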
Best Practices Summary
- Create at least two break-glass accounts for redundancy
- Use cloud-only accounts with the *.onmicrosoft.com domain
- Permanently assign the Global Administrator role (do not use PIM eligible assignments)
- Exclude from all Conditional Access policies
- At least one account should not require MFA (or use a hardware-based method independent of phone networks)
- Use long, complex, randomly generated passwords
- Split and secure passwords in separate physical locations
- Monitor all sign-in activity with automated alerts
- Test regularly (every 90 days)
- Document usage procedures and maintain audit trails
- Do not associate with any individual user
- Do not use for daily administration
Exam Tips: Answering Questions on Break-Glass Accounts Management
Tip 1: Cloud-Only is Key. If a question asks about the account type for emergency access, always choose cloud-only accounts using the *.onmicrosoft.com domain. Never select federated accounts or synced accounts.
Tip 2: Conditional Access Exclusion. Any question about securing against lockout scenarios will likely involve excluding break-glass accounts from Conditional Access policies. If an answer option mentions excluding an emergency account from all CA policies, this is almost certainly correct.
Tip 3: At Least Two Accounts. Microsoft recommends a minimum of two break-glass accounts. If you see an answer suggesting one account, it is likely incorrect unless the question specifically asks about minimum requirements with additional context.
Tip 4: Permanent Role Assignment. Break-glass accounts should have the Global Administrator role permanently assigned, not as an eligible assignment through PIM. If PIM goes down or there is a service issue, eligible assignments may not be activatable.
Tip 5: MFA Considerations. At least one break-glass account should not depend on phone-based MFA. Look for answers mentioning FIDO2 security keys or no MFA requirement. If a question describes an MFA outage scenario, the correct answer involves using an account not dependent on the affected MFA method.
Tip 6: Monitoring is Non-Negotiable. Questions about governance and compliance around break-glass accounts will emphasize monitoring and alerting. Look for answers involving Azure Monitor alerts, Microsoft Sentinel, or sign-in log monitoring.
Tip 7: Scenario-Based Questions. The SC-300 exam frequently presents scenarios where administrators are locked out. When you see a lockout scenario (CA misconfiguration, federation failure, MFA outage), think break-glass accounts first. The correct answer will typically involve using or creating an emergency access account that bypasses the failing component.
Tip 8: Password Storage. If asked about password management for break-glass accounts, look for answers involving physical separation (split password, multiple safes, multiple authorized personnel). Digital-only storage or single-location storage options are usually incorrect.
Tip 9: Do Not Confuse with Service Accounts. Break-glass accounts are not service accounts, managed identities, or shared admin accounts used for daily operations. They are specifically for emergency scenarios only.
Tip 10: Validation and Testing. If the exam asks what should be done periodically for emergency access accounts, the answer involves testing sign-in capability, validating role assignments, and confirming Conditional Access exclusions remain in place.