How to set up a break glass account and why in Office 365

Arjan Cornelissen
active-directory, office-365, security
Page content

Let’s kick this post of what I mean with a break glass account.

What is a break glass account?

A break glass account is a non-personal in case of an emergency account that is never used and is stored in a vault where only a few people have access too. This account is a global admin on your tenant and in some sense is the top-level account of your environment.

Why do you need a break glass account?

This account can only be used if there are issues that cannot be resolved with the normal administrator accounts. Some examples are:

  • Your ADFS environment is down, and your employees cannot log in anymore, this account can then move the domain from federated to managed so your employees can work while you fix your ADFS environment
  • You have enabled Multi-factor authentication with conditional access, and Azure Multi-factor authentication service is down, you can temporarily disable this condition.
  • You have created an Azure AD Conditional Access policy that stopped you from accessing the environment, or you do not have any administrators left.

The best comparison with this account is that of the fire alarm in a building. After the account is used and the issues are resolved you change the password and is put back into the vault.

It is important to exclude this account from any conditional access policy and make sure it has standing Global Admin access.

How to setup

The setup is very easy; you create a new account in Azure Active directory like you normally would do and make sure you use @.onmicrosoft.com as the UserPrincipalName. You change the password to a complex 16 character (preferable generate) password and assign Global Admin to it.

If you are using the build-in Conditional Access policy “Baseline policy: Require MFA for admins (Preview)”, add this account to the exclusion list.