Don’t Get Locked Out: Why Every Organization Needs Emergency Access Accounts

When systems fail—or when administrators suddenly lose access—the ability to regain control quickly can determine whether your nonprofit continues delivering essential services or faces major disruption. Emergency Access Accounts (also known as break‑glass accounts) give you a crucial safety net, ensuring your team can restore services, manage users, and adjust security settings even when normal admin access is unavailable.

This updated guide explains why these accounts are vital, how to configure them correctly, and how nonprofits can secure them within Microsoft Entra ID.

Why Emergency Access Accounts Matter

In our previous discussion, we highlighted that resilience starts with preparation. If your primary admin accounts become locked out due to MFA issues, Conditional Access misconfigurations, outages, or human error, break‑glass accounts are your only guaranteed path to recovery.

To function safely and effectively, these accounts must be:

• Highly secure
• Isolated from daily operations
• Able to bypass standard access controls
• Protected with passwordless authentication (Passkeys/FIDO2, certificates, Windows Hello)

And every organization—nonprofit or otherwise—should maintain at least two for redundancy and continuity.

Best Practices for Nonprofits Creating Emergency Access Accounts

Before setting up a break‑glass account, review these nonprofit‑aligned security practices:

1. Use Non‑Obvious Naming

Avoid predictable names like "breakglass" or "emergencyadmin."
Use neutral, coded names known only to trusted administrators.

2. Create Cloud‑Only Accounts

Do not sync these accounts from on‑premises directories.
Cloud‑only accounts remain available even if local infrastructure goes down.

3. Don’t Assign Licenses

Licenses add unnecessary exposure.
Break‑glass accounts should not use email, Teams, or any cloud workloads.

4. Don’t Link the Account to a Real Person

These accounts belong to the organization, not an individual.
Avoid personal MFA methods like individual phones or emails.

5. Enforce Strong Password Standards

• 32‑character complex password (minimum)
• Rotate securely twice per year
• Do not reuse passwords
• Store them under a tightly governed, documented process

6. Disable Password Expiration

If passwords auto‑expire, the account can break at the worst time.
Rotate manually under a secure, audited process.

7. Exclude From Conditional Access Policies

Break‑glass accounts must still work even when Conditional Access doesn’t.
Exclude them from any policy that might block sign‑in.

8. Assign Permanent Global Administrator Role

Emergency accounts need always‑on permissions.
Do not use PIM‑eligible roles or time‑restricted activation.

How to Create an Emergency Access Account in Microsoft Entra ID

Step 1 — Create the Account

1. Open Microsoft Entra Admin Center.
2. Navigate to Entra ID → Users → All users.

    

3. Select + New user → Create new user.

    

4. Use the .onmicrosoft.com domain.
5. Ensure Account enabled is selected.

    

6. Set the Usage location.

    

7.  

      7. Assign the Global Administrator role.

      8. Review and create.

Repeat the steps to establish a second emergency account as needed.

Step 2 — Enable Passwordless Authentication

Break‑glass accounts should always be secured using passwordless methods:

• Passkeys (FIDO2)
• Certificate‑based authentication (CBA)

How to Enable FIDO2 Passkeys

1. Go to: Entra ID → Security → Authentication methods → Policies → FIDO2 Security Key

    

2. Enable FIDO2 if not already enabled and click Save.

    

How to Enable Certificate‑Based Authentication (CBA)

Step 1 — Upload Your Certificate Authority

1. Entra Admin Center → Entra ID → Certificate authorities
2. Upload your Root CA

    

3. Mark as Root CA (if applicable)
4. Add any intermediate CAs
5. Provide the CRL (Certificate Revocation List) URL for revocation checks
   1. This is required so Entra can check for revoked certificates

Step 2 — Turn on Certificate‑Based Authentication

1. Go to: Entra ID → Authentication methods → Policies
2. Choose Certificate‑based authentication

    

3.  

        3. Switch Enable → On

        4. Under Include, target only your break‑glass accounts

Conclusion

Emergency access accounts aren’t just a security measure—they’re an operational safeguard that protects your mission. When the unexpected happens, these accounts ensure your organization can recover quickly and continue serving your community.