
Break-Glass Accounts That Fail During Real Incidents
And why most organizations only notice this problem when it’s already too late.
When an incident hits, break-glass accounts are supposed to save you.
No MFA loops.
No Conditional Access lockouts.
No dependency on a broken identity plane.
Yet in real incidents, break-glass accounts fail far more often than people admit. (Gentles et al., 2025)
The idea itself isn’t the problem. The real issue is that implementations are often lazy, untested, and based on too many assumptions.
Let’s talk about why break-glass accounts fail exactly when you need them most.
The uncomfortable truth
Most organizations create break-glass accounts to satisfy a checklist, not to survive an outage.
- Account exists
- Excluded from Conditional Access
- Password stored “somewhere safe”
And then… no one touches it again.
This works until Entra ID policies fail, MFA providers go down, or a bad Conditional Access change locks out every admin, including you.
That’s when reality hits.
Failure #1: MFA is disabled — but the account is still unreachable
Disabling MFA is not enough.
Common real-world blockers:
- Sign-in risk policies still apply
- User risk policies still apply
- Legacy CA policies target All Users
- Authentication strength policies override exclusions
Result:
The break-glass account exists… but still can’t sign in.
If your break-glass account depends on any risk evaluation, it is not a break-glass account.
Failure #2: Password stored securely — but not accessible
Security teams love vaults.
Incident response hates them.
Real incidents look like this:
- Vault access requires SSO
- SSO requires Entra ID
- Entra ID is the thing that’s broken
In the end, your emergency account is locked away right when you need it most.
Rule:
A break-glass password must be:
- Offline
- Human-accessible
- Recoverable under stress
If it requires another identity system, it will fail.
Failure #3: Account exists — but is blocked or disabled
This happens more than anyone admits. (Security operations for privileged accounts in Microsoft Entra ID, 2024)
- “Block sign-in” toggled during cleanup
- Account auto-disabled due to inactivity
- License removed and forgotten
- Sign-in is restricted by tenant-wide settings
No alerts.
No warnings.
There is only silence until it suddenly matters.
Failure #4: Roles are wrong (or gone)
Break-glass accounts often start out strong and then quietly erode.
- Global Admin removed during least-privilege cleanup
- PIM applied “temporarily”
- Role eligibility expired
- Admin roles are split across multiple accounts
During an incident, PIM approvals don’t work and notifications don’t arrive.
If your break-glass account:
- Requires activation
- Requires approval
- Requires another admin
it has already failed.
Failure #5: No one has tested it — ever
This is the biggest failure of all.
Ask yourself honestly:
- When was the last successful login?
- From a clean device?
- Outside your corporate network?
- Without cached sessions?
- Without MFA?
For most tenants, the answer is never. (Security operations for privileged accounts in Microsoft Entra ID, 2024)
If you have never tested your break-glass account, it only provides a false sense of security.
What actually works in real incidents
High-maturity tenants do a few things differently:
1. Two break-glass accounts (not one)
- Different passwords
- Different authentication paths
- Different storage locations
Having only one break-glass account is as risky as having none at all. (Manage emergency access admin accounts - Microsoft Entra ID, 2024)
2. Absolute minimal policy surface
- Excluded from all Conditional Access
- No risk policies
- No authentication strength enforcement
- No device requirements
It might not look pretty.
But it is effective.
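The Failure #1 blockers and the “minimal policy surface” rule above come down to one question: which non-disabled Conditional Access policies still reach the break-glass account, directly, through “All users”, or through a group it sits in? The script below is an added example written for this post, not the author’s tooling and not Microsoft code. Its policy records are constructed to follow the shape of Microsoft Graph conditionalAccessPolicy objects (conditions.users.includeUsers/excludeUsers, signInRiskLevels, grantControls.authenticationStrength and so on) so that exported policies can be fed in; the object IDs, group IDs and policy names are made up.

```python
"""Audit which Conditional Access policies still reach a break-glass account.

Added example: the policy records mimic the Microsoft Graph conditionalAccessPolicy
shape; all IDs and names are constructed for this example.
"""

# Constructed identifiers for the break-glass account and a group it belongs to.
BREAK_GLASS_ID = "aaaaaaaa-0000-0000-0000-000000000b01"
BREAK_GLASS_GROUPS = {"bbbbbbbb-0000-0000-0000-000000000ad1"}  # e.g. an "Admins" group


def _policy(name, state, include_users, exclude_users, include_groups,
            signin_risk, user_risk, controls, auth_strength):
    return {
        "displayName": name, "state": state,
        "conditions": {
            "users": {"includeUsers": include_users, "excludeUsers": exclude_users,
                      "includeGroups": include_groups, "excludeGroups": []},
            "signInRiskLevels": signin_risk, "userRiskLevels": user_risk,
        },
        "grantControls": {"builtInControls": controls, "authenticationStrength": auth_strength},
    }


SAMPLE_POLICIES = [
    # Correctly excludes the break-glass account.
    _policy("Require MFA for all users", "enabled", ["All"], [BREAK_GLASS_ID], [], [], [], ["mfa"], None),
    # Risk policy that targets everyone and forgot the exclusion.
    _policy("Block high sign-in risk", "enabled", ["All"], [], [], ["high"], [], ["block"], None),
    # Reaches the account indirectly through group membership.
    _policy("Phishing-resistant MFA for admins", "enabled", [], [], list(BREAK_GLASS_GROUPS),
            [], [], [], {"displayName": "Phishing-resistant MFA"}),
    # Report-only today; becomes a lockout the day someone flips it to enabled.
    _policy("Require compliant device", "enabledForReportingButNotEnforced", ["All"], [], [],
            [], [], ["compliantDevice"], None),
]


def policy_targets(policy, account_id, group_ids):
    """True if the policy's user scope reaches the account. Exclusions win over inclusions."""
    users = policy["conditions"]["users"]
    if account_id in users.get("excludeUsers", []):
        return False
    if group_ids & set(users.get("excludeGroups", [])):
        return False
    if "All" in users.get("includeUsers", []) or account_id in users.get("includeUsers", []):
        return True
    return bool(group_ids & set(users.get("includeGroups", [])))


def blocking_reasons(policy):
    """Name the conditions and controls that would stop an emergency sign-in."""
    conds = policy["conditions"]
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    reasons = []
    if conds.get("signInRiskLevels"):
        reasons.append("sign-in risk condition")
    if conds.get("userRiskLevels"):
        reasons.append("user risk condition")
    if grant.get("authenticationStrength"):
        reasons.append("authentication strength")
    if "block" in controls:
        reasons.append("block access")
    if "mfa" in controls:
        reasons.append("MFA required")
    if controls & {"compliantDevice", "domainJoinedDevice"}:
        reasons.append("device requirement")
    return reasons or ["policy applies"]


def audit_policy_surface(policies, account_id, group_ids):
    """Return (name, state, reasons) for every non-disabled policy that reaches the account.
    Report-only policies are included on purpose: they are one toggle away from enforcing."""
    findings = []
    for policy in policies:
        if policy.get("state") == "disabled":
            continue
        if policy_targets(policy, account_id, group_ids):
            findings.append((policy["displayName"], policy["state"], blocking_reasons(policy)))
    return findings


if __name__ == "__main__":
    for name, state, reasons in audit_policy_surface(SAMPLE_POLICIES, BREAK_GLASS_ID, BREAK_GLASS_GROUPS):
        print(f"[{state}] {name}: {', '.join(reasons)}")
```

The goal state for a break-glass account is an empty findings list. Note that report-only policies are reported too: they do not block today, but the exclusion should be in place before anyone turns them on.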
3. Permanent roles, no PIM
Break-glass accounts are not meant for everyday admin tasks.
- Permanent Global Admin
- No activation
- No approvals
- No dependencies
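Failures #3, #4 and #5 and the “permanent roles, no PIM” rule can be folded into one readiness check: is the account enabled, has it actually signed in within the test cadence, and does it hold a permanent (not eligible, not time-bound) Global Administrator assignment? The check below is an added example written for this post, not the author’s script or a Microsoft tool. The user record follows the shape of a Microsoft Graph user object (accountEnabled, signInActivity.lastSignInDateTime); the role records use a simplified shape modelled loosely on the unifiedRoleAssignmentSchedule and unifiedRoleEligibilitySchedule resources. Every ID except the Global Administrator role template ID is constructed.

```python
"""Readiness check for break-glass accounts: enabled, recently tested, permanent Global Admin.

Added example. Records are constructed; only GLOBAL_ADMIN_TEMPLATE_ID is a real Entra value.
"""
from datetime import datetime, timedelta, timezone

GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template id
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is reproducible

# Constructed user objects (Graph user shape, trimmed to the fields the check needs).
READY = {"id": "user-bg01", "userPrincipalName": "bg-01@contoso.example",
         "accountEnabled": True,
         "signInActivity": {"lastSignInDateTime": "2025-05-12T08:00:00Z"}}
DRIFTED = {"id": "user-bg02", "userPrincipalName": "bg-02@contoso.example",
           "accountEnabled": False,          # "Block sign-in" toggled during cleanup
           "signInActivity": None}           # never signed in

# Constructed role records: bg01 is permanently assigned, bg02 is only PIM-eligible.
ACTIVE_ROLES = [{"principalId": "user-bg01", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
                 "assignmentType": "Assigned", "endDateTime": None}]
ELIGIBLE_ROLES = [{"principalId": "user-bg02", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
                   "endDateTime": None}]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_readiness(user, active_roles, eligible_roles, now=NOW, max_days_since_test=90):
    """Return a list of problems; an empty list means the account is ready to use."""
    problems = []
    if not user.get("accountEnabled", False):
        problems.append("sign-in is blocked (accountEnabled is false)")

    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    if last is None:
        problems.append("no successful sign-in on record: the account has never been tested")
    else:
        days = (now - _parse(last)).days
        if days > max_days_since_test:
            problems.append(f"last successful sign-in was {days} days ago "
                            f"(test cadence: {max_days_since_test} days)")

    mine = [r for r in active_roles
            if r["principalId"] == user["id"] and r["roleDefinitionId"] == GLOBAL_ADMIN_TEMPLATE_ID]
    permanent = [r for r in mine if r["assignmentType"] == "Assigned" and r.get("endDateTime") is None]
    if not permanent:
        eligible = any(r["principalId"] == user["id"] and r["roleDefinitionId"] == GLOBAL_ADMIN_TEMPLATE_ID
                       for r in eligible_roles)
        if eligible:
            problems.append("Global Administrator is PIM-eligible only: needs activation during the incident")
        elif mine:
            problems.append("Global Administrator assignment is time-bound or an activation, not permanent")
        else:
            problems.append("no Global Administrator assignment")
    return problems


if __name__ == "__main__":
    for account in (READY, DRIFTED):
        issues = check_readiness(account, ACTIVE_ROLES, ELIGIBLE_ROLES)
        print(account["userPrincipalName"], "READY" if not issues else "; ".join(issues))
```

Running it against the two constructed accounts reports bg-01 as ready and lists three problems for bg-02: blocked sign-in, never tested, and a role that needs PIM activation. The sign-in-age check uses the last successful sign-in, which is also the cheapest way to prove the quarterly test actually happened.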
4. Offline password handling
Examples that work:
- Sealed envelope in a physical safe
- Split custody (two executives, two halves)
- Offline password manager not tied to SSO
If Entra ID is down, you must still be able to read the password.
5. Scheduled testing (and alerts)
At least:
- Quarterly sign-in test
- Alert on any sign-in attempt
- Alert on password change
- Alert on role change (Microsoft Entra ID Security Baseline: Best Practices 2025, 2025)
A break-glass account should remain inactive until there is a real emergency.
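The alerts listed above are simple to express as detection logic: any sign-in attempt by a break-glass account, successful or not, and any password reset or role change that targets one. The code below is an added example written for this post, not the author’s detection rules or a Microsoft product feature. The sample log lines are constructed to follow the shape of Microsoft Graph signIn and directoryAudit records (userId, status.errorCode, activityDisplayName, targetResources); the IDs, addresses, timestamps and the test window are made up. Sign-ins that fall inside an announced test window are still recorded but tagged as informational, so the quarterly test does not page anyone while an unexpected 3 a.m. attempt does.

```python
"""Alert on any break-glass sign-in attempt, password reset, or role change.

Added example; log lines are constructed in the shape of Graph signIn / directoryAudit records.
"""
import json
from datetime import datetime, timezone

BREAK_GLASS_IDS = {"user-bg01", "user-bg02"}  # constructed object IDs of the two emergency accounts

# Announced test windows: sign-ins inside them are expected and downgraded to "info".
TEST_WINDOWS = [(datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc),
                 datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc))]

# Entra audit activity names that change the account's credential or its roles.
WATCHED_AUDIT_ACTIVITIES = {
    "Reset user password", "Change user password",
    "Add member to role", "Remove member from role", "Add eligible member to role",
}

SIGNIN_LOG = [  # constructed: one in-window test, one unrelated user, one failed and one successful attempt at night
    '{"createdDateTime":"2025-06-01T09:15:00Z","userId":"user-bg01","userPrincipalName":"bg-01@contoso.example","ipAddress":"203.0.113.10","appDisplayName":"Azure Portal","status":{"errorCode":0}}',
    '{"createdDateTime":"2025-06-01T11:40:00Z","userId":"user-1234","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.11","appDisplayName":"Office 365","status":{"errorCode":0}}',
    '{"createdDateTime":"2025-06-02T03:02:00Z","userId":"user-bg02","userPrincipalName":"bg-02@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Azure Portal","status":{"errorCode":50126}}',
    '{"createdDateTime":"2025-06-02T03:05:00Z","userId":"user-bg02","userPrincipalName":"bg-02@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Azure Portal","status":{"errorCode":0}}',
]

AUDIT_LOG = [  # constructed: a role removal against bg-01 and an unrelated user update
    '{"activityDateTime":"2025-06-03T14:00:00Z","activityDisplayName":"Remove member from role","initiatedBy":{"user":{"userPrincipalName":"cleanup-admin@contoso.example"}},"targetResources":[{"id":"user-bg01","displayName":"bg-01"},{"id":"role-ga","displayName":"Global Administrator"}]}',
    '{"activityDateTime":"2025-06-03T14:05:00Z","activityDisplayName":"Update user","initiatedBy":{"user":{"userPrincipalName":"cleanup-admin@contoso.example"}},"targetResources":[{"id":"user-1234","displayName":"alice"}]}',
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_test_window(when, windows=TEST_WINDOWS):
    return any(start <= when <= end for start, end in windows)


def signin_alerts(lines, break_glass_ids=BREAK_GLASS_IDS, windows=TEST_WINDOWS):
    """One alert per sign-in attempt by a break-glass account, failed attempts included."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["userId"] not in break_glass_ids:
            continue
        succeeded = ev["status"]["errorCode"] == 0
        alerts.append({
            "severity": "info" if in_test_window(_ts(ev["createdDateTime"]), windows) else "high",
            "kind": "break-glass sign-in " + ("succeeded" if succeeded else "failed"),
            "user": ev["userPrincipalName"], "ip": ev["ipAddress"],
            "app": ev["appDisplayName"], "time": ev["createdDateTime"],
        })
    return alerts


def audit_alerts(lines, break_glass_ids=BREAK_GLASS_IDS):
    """One alert per watched audit activity whose target resources include a break-glass account."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["activityDisplayName"] not in WATCHED_AUDIT_ACTIVITIES:
            continue
        hit = {t["id"] for t in ev.get("targetResources", [])} & break_glass_ids
        if hit:
            alerts.append({"severity": "high", "kind": ev["activityDisplayName"],
                           "target": sorted(hit),
                           "actor": ev["initiatedBy"]["user"]["userPrincipalName"],
                           "time": ev["activityDateTime"]})
    return alerts


if __name__ == "__main__":
    for alert in signin_alerts(SIGNIN_LOG) + audit_alerts(AUDIT_LOG):
        print(alert)
```

On the constructed logs this raises one informational alert for the in-window test sign-in, two high-severity alerts for the night-time attempts by bg-02 (the failed one matters as much as the successful one), and one high-severity alert for the role removal against bg-01, which is exactly the Failure #4 scenario caught at the moment it happens rather than during the next incident.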
The mindset shift
Break-glass accounts are not:
- “Just another admin”
- “Set it and forget it”
- “A compliance requirement”
They are incident response tooling.
And like any tool you rely on during a crisis:
- You test it
- You maintain it
- You assume it will be needed at the worst possible moment
Because it will be.
Final thought
Most identity outages aren’t caused by attackers.
They’re caused by well-intentioned admins locking themselves out. (Widespread Microsoft Entra Lockouts Disrupt Organizations Globally – April 2025, 2025)
When that happens, your break-glass account is the difference between:
- a 10-minute recovery
- and a multi-hour business-impacting outage
Test your break-glass account now, so you don’t discover problems when it’s too late.
Written by Jaspreet Singh — Microsoft identity & security practitioner. Author at ITBlogs.ca. Lab notes and testing at f11.ca.
References
Gentles, J., Fields, M., Goodman, G. & Bhunia, S. (2025). Breaking the Vault: A Case Study of the 2022 LastPass Data Breach. arXiv preprint. https://doi.org/10.48550/arXiv.2502.04287
(2024). Security operations for privileged accounts in Microsoft Entra ID. Microsoft Entra | Microsoft Learn. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
(2024). Manage emergency access admin accounts - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
(2025). Microsoft Entra ID Security Baseline: Best Practices 2025. LA NET Azure. https://lanet.co.uk/blog/microsoft-entra-id-security-baseline/
(April 19, 2025). Widespread Microsoft Entra Lockouts Disrupt Organizations Globally – April 2025. ZeroDaily. https://www.zerodaily.me/blog/2025-04-20-microsoft-entra-mace-lockout