Emergency access accounts provide a controlled recovery path when ordinary Microsoft 365 administrators cannot sign in because of an outage, lost authentication method, policy error, or compromise.
Why Tenant Lockout Happens
A Microsoft 365 tenant can become difficult or impossible to administer when the only Global Administrator loses an authentication device, a Conditional Access policy blocks all administrators, a federated identity provider fails, credentials expire, or a security incident affects normal admin accounts.
Emergency access accounts, sometimes called break-glass accounts, are designed to preserve a separate path into Microsoft Entra and Microsoft 365 administration during these failures.
Maintain At Least Two Accounts
Microsoft currently recommends at least two emergency access accounts for redundancy. One account may be unavailable because of a lost credential, damaged security key, accidental deletion, or an account-specific issue.
The accounts should not be assigned to one employee's everyday identity. Record the authorized custodians, access process, business owner, technical owner, and review dates.
Emergency access is a resilience control
The accounts exist for rare recovery situations and controlled testing, not for normal administration or troubleshooting convenience.
Use Cloud-Only Identities
Use the tenant's onmicrosoft.com domain so emergency accounts do not depend on a custom domain, on-premises directory synchronization, federation, or another external identity provider.
A cloud-only account reduces the chance that the same outage affects both ordinary administrators and the recovery account.
Assign Permanent Active Global Administrator
Emergency accounts need sufficient privilege to recover the tenant. Microsoft guidance calls for permanent active Global Administrator assignment rather than an eligible Privileged Identity Management role that might require another unavailable process to activate.
Document why the broad role is necessary and prohibit routine use.
Use Different Strong Authentication
Use phishing-resistant authentication that does not depend on the same methods used by normal administrators. Microsoft examples include FIDO2 security keys or certificate-based authentication.
Avoid dependence on an employee's personal phone, ordinary Microsoft Authenticator registration, or a device that may be unavailable during the emergency.
Do not make recovery depend on the failed system
An emergency account is not resilient when it requires the same identity provider, phone, network, or device as the administrators who are locked out.
Prevent Credential Expiration
Ensure emergency credentials, devices, certificates, and security keys do not expire or become subject to automated cleanup because of inactivity.
Record renewal dates and assign an owner for replacement before expiration. A recovery account that exists only on paper does not protect the tenant.
Exclude Blocking Conditional Access Policies
Exclude emergency access accounts from Conditional Access policies that block or restrict sign-in. A policy requiring a compliant device, selected location, or unavailable authentication method could make the account unusable during the exact event it is intended to solve.
Report-only policies do not block sign-in and do not require the same exclusion. Use a dedicated security group for emergency accounts so exclusions are visible and consistent.
Protect the Exclusion
The exclusion should not become a reason to use the account routinely. Strong authentication, secure storage, monitoring, designated workstations, limited custodians, and immediate review of every use are essential compensating controls.
Review policy scope after every Conditional Access change to confirm the emergency group remains excluded where required.
Use a Secure Administrative Workstation
Emergency access should occur from a designated, secured workstation or privileged-access environment. Keep the device updated, encrypted, monitored, and protected from ordinary browsing and email.
Document where the workstation is located, who can access it, how it is tested, and what alternative is available if the facility is unavailable.
Store Credentials Separately
Store credentials and security keys in secure, separate physical locations available to authorized people. Microsoft guidance references secure, fireproof storage.
Avoid placing both account credentials, both security keys, and the procedure in one office or one password vault that depends on Microsoft 365 sign-in.
Document Authorized Custodians
Identify who can retrieve and use each emergency account. Require at least two authorized people where practical so no one individual controls the complete process.
Record identity verification, approval, retrieval, use, return, and post-use review. Limit documentation access without hiding the procedure from legitimate responders.
Monitor Every Sign-In
Configure monitoring for sign-in and audit activity from emergency accounts. Send notifications to multiple administrators through channels that remain available if Microsoft 365 email is affected.
Microsoft documents options such as Azure Monitor, Microsoft Sentinel, or other monitoring tools. The important outcome is that every use produces a prompt investigation.
Monitor Audit Activity
Review role changes, Conditional Access changes, authentication-method changes, domain changes, user changes, application consent, and other actions performed during an emergency session.
Record the incident, reason for access, person using the account, start and end time, actions taken, and evidence retained.
Validate At Least Every 90 Days
Microsoft currently recommends validating emergency access account functionality at least every 90 days. A validation should confirm sign-in, authentication, Global Administrator access, Conditional Access exclusion, workstation availability, monitoring, and credential retrieval.
Use a controlled test and avoid making unnecessary tenant changes. Record the test result and corrective actions.
Test After Policy Changes
Revalidate emergency accounts after significant Conditional Access changes, authentication-method changes, domain changes, federation changes, administrator turnover, or security incidents.
A quarterly test is not enough when a major policy change occurred yesterday.
Create a Tenant Lockout Runbook
The runbook should identify:
- Conditions that justify emergency access
- Who can authorize access
- Credential and key retrieval
- The secure workstation
- Sign-in and validation steps
- How to identify the blocking condition
- Safe rollback procedures
- Microsoft support escalation
- Communication methods
- Post-incident review and credential rotation
Plan for Common Lockout Scenarios
Test the procedure against situations such as a lost administrator phone, a Conditional Access policy targeting all users, unavailable federation, an expired certificate, a disabled normal administrator, and a security incident affecting privileged accounts.
Identify dependencies that remain outside the emergency account, including internet access, domain name services, device availability, and Microsoft service health.
Rotate After Use
After an actual emergency, review every action and determine whether credentials, keys, certificates, or authentication registrations should be replaced.
Correct the root cause, update the runbook, restore normal administrative controls, and verify that temporary policy changes were removed.
Do Not Use Emergency Accounts for Daily Work
Daily use makes unusual activity harder to detect and exposes the account to ordinary phishing, browsing, and administrative mistakes.
Create appropriate normal administrator accounts with least-privilege roles for ongoing work.
Emergency Access Checklist
- Maintain at least two emergency access accounts.
- Use cloud-only onmicrosoft.com identities.
- Assign permanent active Global Administrator.
- Use different phishing-resistant authentication.
- Prevent credential and device expiration.
- Exclude accounts from blocking Conditional Access policies.
- Use a dedicated emergency-access group.
- Use a secured administrative workstation.
- Store credentials in separate secure locations.
- Alert on every sign-in and audit event.
- Validate functionality at least every 90 days.
- Complete a post-use review and rotation.
Frequently Asked Questions
How many emergency access accounts should a tenant have?
Microsoft currently recommends maintaining at least two accounts for redundancy.
Should emergency accounts be excluded from all Conditional Access policies?
Exclude them from policies that block or restrict sign-in. Report-only policies do not block access and do not require the same exclusion.
Can the accounts use an employee's phone?
Microsoft recommends avoiding employee-supplied devices and using strong authentication that differs from normal administrator methods.
When Professional Support Helps
Professional support can create the accounts, configure authentication, review Conditional Access exclusions, build monitoring, test the runbook, and document tenant lockout recovery.
Need help applying this?
Implement Microsoft 365 security with confidence.
J3 Systems Group LLC can implement Conditional Access, email protection, emergency access, monitoring, application consent controls, and supporting security procedures.