Microsoft Cloud – Emergency Access Accounts
You are locked out of your house. Oh no! Fortunately, you have a spare key hidden under your welcome mat. Wait a minute! If anyone finds the spare key, they can walk right in. Good thing you have a security system. If someone opens the front door, an alarm sounds and your security service is notified.
Imagine this same scenario in your Microsoft tenant. You may have made a mistake in your carefully planned Conditional Access Policy. You may have dropped your phone in the pool and lost access to your MFA device. Regardless of why, you (and possibly all admins) have just lost access to your tenant.
Emergency Access Accounts (sometimes called Break Glass Accounts) are your spare key. They are cloud-only Global Admin accounts, excluded from Conditional Access Policies and MFA.
Reference: Manage emergency access admin accounts – Azure AD – Microsoft Entra | Microsoft Learn
Not enforcing MFA probably sounds risky. If someone discovers the password, they have access to your tenant. But just like your home, you have a security alarm. Any time an Emergency Access Account is signed in to, an alert is triggered and the security team is notified. If the sign-in is unexpected, action is taken (change the password, revoke sessions, block sign-ins, etc.).
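The "security alarm" described above can be sketched as a check over exported sign-in records. This is an added example, not code from the original post: the object IDs, the `contoso.example` names and the sample records are constructed, and the field names are assumed to follow the Microsoft Graph `signIn` resource. It goes one step beyond the text by also flagging failed attempts, at a lower severity.

```python
import json
from datetime import datetime

# Assumption: Entra object IDs of the emergency access accounts (constructed
# placeholders). Object IDs are matched because a UPN can be renamed.
BREAK_GLASS_IDS = {
    "00000000-0000-0000-0000-0000000000a1",
    "00000000-0000-0000-0000-0000000000a2",
}

# Constructed sample export; field names follow the Microsoft Graph signIn resource.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime": "2024-05-01T08:15:00Z", "userId": "11111111-1111-1111-1111-111111111111",
  "userPrincipalName": "alice@contoso.example", "ipAddress": "198.51.100.7",
  "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-01T09:02:11Z", "userId": "00000000-0000-0000-0000-0000000000A1",
  "userPrincipalName": "bg1@contoso.example", "ipAddress": "203.0.113.45",
  "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
 {"createdDateTime": "2024-05-01T09:03:40Z", "userId": "00000000-0000-0000-0000-0000000000a1",
  "userPrincipalName": "bg1@contoso.example", "ipAddress": "203.0.113.45",
  "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
]""")


def break_glass_alerts(signins, watched_ids=BREAK_GLASS_IDS):
    """Return one alert per sign-in event (success or failure) on a watched account."""
    watched = {i.lower() for i in watched_ids}
    alerts = []
    for event in signins:
        if str(event.get("userId", "")).lower() not in watched:
            continue
        # errorCode 0 is a successful sign-in; a missing status is treated as not successful.
        code = (event.get("status") or {}).get("errorCode")
        alerts.append({
            "time": datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00")),
            "upn": event.get("userPrincipalName"),
            "ip": event.get("ipAddress"),
            "app": event.get("appDisplayName"),
            "error_code": code,
            # Success means the credential was used; failure means it is being tried.
            "severity": "high" if code == 0 else "medium",
        })
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for a in break_glass_alerts(SAMPLE_SIGNINS):
        print(f'{a["severity"].upper():6} {a["time"].isoformat()} {a["upn"]} '
              f'from {a["ip"]} via {a["app"]} (errorCode={a["error_code"]})')
```

Every returned alert should reach the security team; the severity only orders the queue, since any activity on these accounts is abnormal outside a declared emergency.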
If you don’t have an emergency access system in place, C2 specialists can assist. We can design and implement security hardening solutions customized for your organization. Reach out today. We’re ready to help.