An Azure AD Break Glass Routine Template for your Organization

When I discuss security with customers, I often try to help them rank the tasks that belong in their security strategy. As you know, MFA and Conditional Access policies are very important security features for improving identity protection, but they can be unmerciful when it comes to misconfiguration.

However, before you start implementing these powerful solutions you need an emergency plan in case anything goes wrong. There are many reasons why every organization must have a break glass routine in place for its Azure AD and Office 365 tenant. Just imagine what would happen if every user and every administrator lost access. It would, of course, be devastating and cause a lot of pain and plenty of lost production.

I’ve talked about break glass accounts in Azure AD before, and the same principles still apply. Microsoft has its own recommendations as well.

This post is a template or a suggestion on how a basic break glass routine can look. Your organization might have another variant of this but if you don’t, this is the minimum policy that I believe everyone should have in place. Feel free to use this and modify it to match your organization. And remember to practice your break glass routine!


— Template Start —

Break Glass Routine for Azure AD/Office 365

ORGANIZATION NAME

DATE

Introduction

Identity protection solutions such as Conditional Access and MFA are key security features that protect your organization from identity-based attacks in Azure AD and Office 365. However, it is important to have an emergency plan in place in case any of these features locks out users and administrators due to misconfiguration or downtime. Other key identity infrastructure services, such as Azure AD Connect, federation, DNS, and custom domains, can also break and cause major problems for authentication against Azure AD.

This document describes the organization’s Break Glass Routine, which allows global administrators to log in to admin portals and other tools in the event of operational problems, for troubleshooting and remediation purposes.

The routine must only be used in case of emergency!

Break Glass Accounts

There are two special “Break Glass” accounts in the organization. These accounts may be used for an emergency sign-in in the Azure Portal and other administration portals for debugging and operations:

Username – Account 1 CUSTOMER-17283@CUSTOMER.onmicrosoft.com
Username – Account 2 CUSTOMER-83927@CUSTOMER.onmicrosoft.com

These accounts have been assigned the Global Administrator role and have passwords that are long and complex and that nobody in the organization should know. The passwords are stored in two sealed envelopes in a safe place (see routine).

These accounts have the following properties to reduce dependencies on other functions and infrastructure:

  • Global Admin (not PIM enabled)
  • Password Never Expires
  • No MFA
  • Excluded from all Conditional Access policies
  • Cloud-only (not synced from on-prem AD)
  • Does not use federated login
  • Does not use custom domain (has a *.onmicrosoft.com address)
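Most of the properties above can be verified mechanically rather than by inspection. The following added example (not code from the original post, the template, or Microsoft) audits user objects and Conditional Access policies in the shape returned by Microsoft Graph: it checks that each break glass account is cloud-only, on the *.onmicrosoft.com domain and exempt from password expiry, and it lists every non-disabled policy that targets the account without a user-level exclusion. The account ids, policy names and sample objects are constructed for illustration; the Global Administrator assignment and MFA state live on other Graph resources and are outside this check.

```python
"""Audit break glass accounts against the property list in the routine.

Added example, not code from the original post. Input objects follow the shape of
Microsoft Graph `user` and `conditionalAccessPolicy` resources; all ids, names and
values below are constructed for illustration.
"""
from __future__ import annotations

BREAK_GLASS_UPNS = {
    "CUSTOMER-17283@CUSTOMER.onmicrosoft.com",
    "CUSTOMER-83927@CUSTOMER.onmicrosoft.com",
}

# Constructed sample users (Graph `user` shape). Account 2 is deliberately wrong
# on two properties so the audit has something to report.
SAMPLE_USERS = [
    {
        "id": "aaaaaaaa-0000-0000-0000-000000000001",
        "userPrincipalName": "CUSTOMER-17283@CUSTOMER.onmicrosoft.com",
        "onPremisesSyncEnabled": None,            # cloud-only
        "passwordPolicies": "DisablePasswordExpiration",
    },
    {
        "id": "aaaaaaaa-0000-0000-0000-000000000002",
        "userPrincipalName": "CUSTOMER-83927@CUSTOMER.onmicrosoft.com",
        "onPremisesSyncEnabled": True,            # synced from on-prem AD: violation
        "passwordPolicies": None,                 # password will expire: violation
    },
]

# Constructed sample policies (Graph `conditionalAccessPolicy` shape).
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"],
                                 "excludeUsers": ["aaaaaaaa-0000-0000-0000-000000000001"],
                                 "excludeGroups": []}},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
    },
    {
        "displayName": "Pilot policy (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
    },
]


def audit_user_properties(user: dict) -> list[str]:
    """Check the per-account properties that are visible on the user object."""
    upn = user["userPrincipalName"]
    findings = []
    if user.get("onPremisesSyncEnabled"):
        findings.append(f"{upn}: synced from on-prem AD (must be cloud-only)")
    if not upn.lower().endswith(".onmicrosoft.com"):
        findings.append(f"{upn}: not on the *.onmicrosoft.com domain (custom/federated domain)")
    if "DisablePasswordExpiration" not in (user.get("passwordPolicies") or ""):
        findings.append(f"{upn}: password expiration is not disabled")
    # Role assignment and MFA registration live on other Graph resources
    # (directoryRoles, authentication methods) and are out of scope here.
    return findings


def policies_not_excluding(policies: list[dict], user_id: str) -> list[str]:
    """Names of policies that target the user without a user-level exclusion.

    Enforced and report-only policies are both reported, because a report-only
    policy becomes enforced with a single state change; disabled policies are skipped.
    Group-based exclusions (excludeGroups) are not resolved here, since that needs
    group membership data the sample does not carry.
    """
    hits = []
    for policy in policies:
        if policy.get("state") == "disabled":
            continue
        users = policy.get("conditions", {}).get("users", {})
        include = users.get("includeUsers", [])
        targeted = "All" in include or user_id in include
        if targeted and user_id not in users.get("excludeUsers", []):
            hits.append(policy["displayName"])
    return hits


def run_audit(users: list[dict], policies: list[dict]) -> dict[str, list[str]]:
    """Return findings per break glass UPN; an empty list means the account is compliant."""
    report = {}
    wanted = {u.lower() for u in BREAK_GLASS_UPNS}
    for user in users:
        upn = user["userPrincipalName"]
        if upn.lower() not in wanted:
            continue
        findings = audit_user_properties(user)
        for name in policies_not_excluding(policies, user["id"]):
            findings.append(f"{upn}: not excluded from Conditional Access policy '{name}'")
        report[upn] = findings
    return report


if __name__ == "__main__":
    for upn, findings in run_audit(SAMPLE_USERS, SAMPLE_POLICIES).items():
        print(upn, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against real data, the two sample lists would be replaced by the `/users` and `/identity/conditionalAccess/policies` responses; the important design choice is that a policy is reported unless the account is explicitly excluded, which catches the case where a new policy is scoped to "All users" and the break glass exclusion is forgotten.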

System owner for Azure AD

The system owner for Azure AD should always be notified before activating the Break Glass routine.

System owner: NAME

List of Approved Admins

Only approved global administrators in the following list are authorized to use these break glass accounts and only in an emergency.

Name                    Email                           Phone
____________________    ____________________________    ________________
____________________    ____________________________    ________________
____________________    ____________________________    ________________
____________________    ____________________________    ________________
____________________    ____________________________    ________________

Break Glass Routine

In case of an emergency, the routine is carried out according to the following steps:

  1. The system owner for Azure AD is notified of the situation and that a break glass account will be used.
  2. The account password is retrieved from secure storage (fireproof safe) and the sealed envelope is opened.
  3. Login with the username and password is performed against https://portal.azure.com.
  4. Troubleshooting and remediation is carried out.
  5. The password is placed in a new sealed envelope and returned to its secure location.
  6. The system owner is notified that the routine is completed.

This routine should be practiced regularly (every 90 days).

Monitoring of Break Glass Accounts

The break glass accounts are monitored with alerts, and all global admins receive an email alert on any account activity. When an alert is triggered, the cause must be investigated, and the account may need to be renamed and its password changed.
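The monitoring rule above is simple to express as detection logic. The following added example (not code from the original post or from Microsoft) scans sign-in log entries in the shape of the Microsoft Graph `signIn` resource, raises one alert for every successful or failed sign-in by a break glass account, and classifies each alert as "drill" when it falls inside a recorded practice window and "unexpected" otherwise. The log entries, timestamps, IP addresses and the drill window are constructed for illustration.

```python
"""Detection over Azure AD sign-in log entries for break glass account activity.

Added example, not code from the original post. Entries follow the shape of the
Microsoft Graph `signIn` resource; timestamps, IP addresses, app names and the
drill window are constructed for illustration.
"""
from datetime import datetime, timezone

BREAK_GLASS_UPNS = {
    "CUSTOMER-17283@CUSTOMER.onmicrosoft.com",
    "CUSTOMER-83927@CUSTOMER.onmicrosoft.com",
}

# Constructed sample sign-in entries. status.errorCode 0 is a success; a non-zero
# code is a failure (50126 is Azure AD's invalid username/password code).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2023-03-01T09:15:00Z", "userPrincipalName": "alice@customer.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Office 365", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-01T22:41:00Z",
     "userPrincipalName": "CUSTOMER-17283@CUSTOMER.onmicrosoft.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-02T03:05:00Z",
     "userPrincipalName": "customer-83927@customer.onmicrosoft.com",   # UPN case varies in logs
     "ipAddress": "192.0.2.55", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-03-15T10:00:00Z",
     "userPrincipalName": "CUSTOMER-17283@CUSTOMER.onmicrosoft.com",
     "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
]

# Constructed drill window: the routine was practised on 2023-03-15, 09:00 to 12:00 UTC.
DRILL_WINDOWS = [
    (datetime(2023, 3, 15, 9, 0, tzinfo=timezone.utc),
     datetime(2023, 3, 15, 12, 0, tzinfo=timezone.utc)),
]


def parse_time(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamp used in Graph sign-in entries."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_break_glass_activity(entries, upns, drill_windows=()):
    """Return one alert per sign-in attempt (success or failure) by a break glass account."""
    wanted = {u.lower() for u in upns}
    alerts = []
    for entry in entries:
        upn = entry.get("userPrincipalName", "").lower()
        if upn not in wanted:
            continue
        ts = parse_time(entry["createdDateTime"])
        error = entry.get("status", {}).get("errorCode", 0)
        in_drill = any(start <= ts <= end for start, end in drill_windows)
        alerts.append({
            "time": entry["createdDateTime"],
            "upn": upn,
            "ip": entry.get("ipAddress"),
            "app": entry.get("appDisplayName"),
            "outcome": "success" if error == 0 else f"failure (errorCode {error})",
            "classification": "drill" if in_drill else "unexpected",
        })
    return alerts


def summarize(alerts) -> dict:
    """Count alerts by classification, for the summary line of the admin email."""
    counts = {"unexpected": 0, "drill": 0}
    for alert in alerts:
        counts[alert["classification"]] += 1
    return counts


def format_alert(alert) -> str:
    """One line per alert, suitable for the email body sent to all global admins."""
    return (f"[{alert['classification'].upper()}] break glass sign-in {alert['outcome']} "
            f"for {alert['upn']} from {alert['ip']} to {alert['app']} at {alert['time']}")


if __name__ == "__main__":
    found = detect_break_glass_activity(SAMPLE_SIGNINS, BREAK_GLASS_UPNS, DRILL_WINDOWS)
    for alert in found:
        print(format_alert(alert))
    print(summarize(found))
```

Failed attempts are alerted on just like successes, because a failed sign-in against a break glass account is exactly the kind of event the routine wants investigated; the drill classification only tells the recipients which alerts a scheduled practice run already explains.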

Guidelines from Microsoft

Manage emergency access accounts in Azure AD:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access

— Template End —


You can download a Microsoft Word version here:

TEMPLATE – Break Glass Routine for Azure AD

And a password template for the sealed envelopes here:

TEMPLATE – Break Glass – Password


Please follow me here, on LinkedIn and on Twitter!

@DanielChronlund

7 thoughts on “An Azure AD Break Glass Routine Template for your Organization”

  1. Great article! Question though: Is there some sort of global conditional access exclusion you can set? Seems to me someone could accidentally add a conditional access to all users and forget to exclude the break-glass and now you’re locked out.

  2. Hi Daniel. Is there a reason why password rotation is not part of the break glass routine?
