Emergencies are unpredictable, making access to critical accounts essential. Establishing an emergency account provides a reliable contingency plan for accessing your account under any circumstances.
Don't Get Locked Out!
Nonprofit organizations face unique challenges when it comes to managing their Microsoft accounts. Limited budgets require stringent evaluation before adopting new software. More importantly, nonprofits handle sensitive data such as Personally Identifiable Information (PII), Protected Health Information (PHI), and financial records, to name a few. Maintaining privacy and security is of the utmost importance: violations of these standards can carry steep penalties and erode trust. Being locked out of your own tenant can spell disaster and leave your organization unable to respond to an attack, which is why it is imperative to have an Emergency Access Account.
What Are Emergency Access Accounts?
Emergency Access (Break Glass) Accounts are highly privileged, cloud-only accounts created to ensure administrators can still get into your tenant during identity-related outages, misconfigurations, or Conditional Access lockouts. They play a pivotal role in protecting the organization's finances and keeping critical resources reachable in a crisis. Whether it is a natural disaster, a cyberattack, or an internal administrative problem, a well-structured emergency account strategy lets organizations maintain operational stability and protect the communities they serve. Microsoft recommends at least two emergency access accounts, so that one remains usable if the other is lost, locked, or compromised.
A break glass account ensures that authorized personnel can regain control promptly and limit further risk or operational downtime. This matters more every year: Microsoft has been enforcing multifactor authentication for Azure, the Microsoft admin portals, and Microsoft 365 in phases since 2024. Phase 1 rolled out in October 2024 for the Azure portal, the Microsoft Entra admin center, and the Intune admin center, so an administrator whose only MFA method is unavailable can no longer sign in to manage the tenant at all.
Common Scenarios Organizations Face
- Privileged role holder left the organization: The sole Global Administrator or Billing Administrator has left, taking the only working credentials with them.
- Privileged roles are eligible, not active: Global Administrator or Privileged Role Administrator was configured in Privileged Identity Management (PIM) as an eligible assignment that requires approval to activate. If the approver is unavailable (or is the person who left), nobody can activate the role and the tenant is effectively locked out.
- Federation with an external identity provider: Administrators authenticate through a federated identity provider such as AD FS. If that provider is down or misconfigured, federated users cannot sign in to Microsoft Entra ID at all, because authentication never reaches Entra.
- Cellular network outage: The only registered authentication method is SMS or voice call, and a carrier outage or natural disaster leaves every administrator unable to complete MFA.
What Emergency Access Accounts Provide
- Ensures access during emergencies when standard methods are compromised.
- Prevents delays in critical activities like payroll and funding allocation.
- Mitigates risks from technical failures, such as system outages.
- Safeguards operational stability during crises like cyberattacks or natural disasters.
- Allows authorized personnel to promptly regain control and minimize downtime.
These scenarios can leave the organization's access credentials in limbo, delaying critical activities like payroll, funding allocation, or payments to service providers. Similarly, technical failures such as system outages or inaccessible online platforms can block account access, disrupting ongoing projects and community services. These are just some of the challenges nonprofits face; putting preventative measures in place ahead of time helps minimize downtime.
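The scenarios above each correspond to a property of the account that can be checked before an incident rather than during one. The following Microsoft Graph PowerShell script is an added example, not code from the original post or from Microsoft; the account names (breakglass1/breakglass2 at contoso.onmicrosoft.com) are placeholders for your own tenant's emergency access accounts. It confirms each account exists, is cloud-only on the default onmicrosoft.com domain, holds a permanent (not merely PIM-eligible) Global Administrator assignment, and is excluded from every enabled Conditional Access policy.

```powershell
# Added example (not from the original post): audit break glass accounts with the
# Microsoft Graph PowerShell SDK (modules Microsoft.Graph.Users,
# Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns).
# The account names below are placeholders; replace them with your tenant's accounts.
$EmergencyAccounts = @(
    'breakglass1@contoso.onmicrosoft.com',
    'breakglass2@contoso.onmicrosoft.com'
)
# Well-known role template id of the built-in Global Administrator role.
$GlobalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'User.Read.All','RoleManagement.Read.Directory','Policy.Read.All' -NoWelcome

# Only enabled policies can lock an administrator out; report-only ones are ignored.
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' }
$findings = @()

foreach ($upn in $EmergencyAccounts) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" `
                       -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled `
                       -ErrorAction SilentlyContinue
    if (-not $user) { $findings += "$upn : account does not exist"; continue }

    if (-not $user.AccountEnabled)   { $findings += "$upn : account is disabled" }
    if ($user.OnPremisesSyncEnabled) { $findings += "$upn : synced from on-premises AD, must be cloud-only" }
    if ($upn -notlike '*.onmicrosoft.com') {
        $findings += "$upn : not on the default onmicrosoft.com domain (federated identity provider outage risk)"
    }

    # Scenario "eligible, not active": a PIM-eligible role cannot be activated when the
    # approver is gone. Break glass accounts need a permanent, active assignment.
    $active = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$GlobalAdminRoleId'"
    if (-not $active) {
        $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
            -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$GlobalAdminRoleId'"
        if ($eligible) { $findings += "$upn : Global Administrator is only PIM-eligible, not permanently active" }
        else           { $findings += "$upn : no Global Administrator assignment" }
    }

    # Scenario "Conditional Access lockout": every enabled policy that targets the account
    # must list it under excluded users. Group-based exclusions are not resolved here;
    # extend the check if you exclude break glass accounts through a group.
    foreach ($p in $policies) {
        $u = $p.Conditions.Users
        $targeted = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $user.Id)
        if ($targeted -and ($u.ExcludeUsers -notcontains $user.Id)) {
            $findings += "$upn : not excluded from Conditional Access policy '$($p.DisplayName)'"
        }
    }
}

if ($findings.Count -eq 0) { 'All emergency access account checks passed.' } else { $findings }
```

Run it from an account that can read users, role assignments, and policies; it makes no changes. Schedule it alongside your regular access reviews so a policy added later that forgets the exclusion, or a role assignment silently converted to eligible, is caught before you need the account.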
Beware of Phishing
Setting up phishing-resistant multifactor authentication (MFA) for emergency access accounts is an essential step in keeping your organization secure during critical situations: these accounts hold the highest privileges and are deliberately exempt from the Conditional Access policies that protect everyone else, which makes them an attractive target. Below is a list of the different types of phishing that target accounts.
Types of Phishing
- Business Email Compromise (BEC): A targeted cybercrime in which the attacker impersonates a trusted person or organization to manipulate victims into transferring money, sharing sensitive information, or granting access to systems.
- Whaling: A specialized form of phishing that targets high-ranking individuals, such as executives or decision-makers, within an organization.
- Email Phishing: A widespread form of phishing where attackers send deceptive emails pretending to be legitimate organizations or individuals to trick recipients into sharing sensitive information, such as passwords, credit card details, or downloading malicious software.
- Spear Phishing: A targeted phishing attack using personalized messages to trick specific individuals or organizations into sharing sensitive information or performing actions like wire transfers.
- Clone Phishing: A phishing technique where attackers duplicate legitimate emails previously sent by trusted sources, replacing links or attachments with malicious ones to deceive recipients into sharing sensitive information or installing malware.
- Voice Phishing (Vishing): A phishing method where attackers use phone calls to impersonate trusted entities, such as banks or government agencies, aiming to extract sensitive information like account details or personal data from victims.
- SMS Phishing (Smishing): A phishing attack using deceptive text messages that impersonate trusted entities, such as banks or service providers, to trick victims into sharing sensitive information or clicking malicious links.
As phishing techniques grow more sophisticated and pervasive, the need for stronger security measures becomes paramount. Phishing-resistant MFA is a vital defense because the credential is cryptographically bound to the legitimate sign-in site: a security key or certificate will not produce a valid response for a look-alike domain or for an attacker-in-the-middle proxy, and there is no one-time code a user can be talked into typing or reading out over the phone. Even if the password is compromised, the attacker still cannot complete the sign-in.
Phishing Resistant Authentication Methods
An authentication method is a security mechanism used to verify the identity of a user before granting access to systems or resources. It may involve techniques such as security keys, certificates, biometrics, or passkeys, ensuring secure and often password-less access while minimizing risks of unauthorized entry and phishing.
Phishing Resistant MFA
- Passkeys (FIDO2): Fast IDentity Online 2 (FIDO2) is the second generation of the FIDO passwordless standard. In Microsoft Entra ID a passkey can be a hardware FIDO2 security key (typically USB or NFC) or a device-bound passkey in the Microsoft Authenticator app. In both cases the private key never leaves the device, and the signature it produces is tied to the genuine Microsoft sign-in origin, so it cannot be replayed against a phishing page. Hardware keys are a good fit for desktop workstations, managed devices, and servers that require physical presence.
- Certificate-Based Authentication (CBA): CBA in Microsoft Entra ID verifies users with X.509 certificates issued by a Certificate Authority (CA) that you have configured as trusted in the tenant. Instead of a password, the user proves possession of the certificate's private key, ideally held on a smart card or in a hardware-backed store so it cannot be exported. Because the proof is a signature rather than a secret typed into a form, a phishing page has nothing to capture.
- Windows Hello for Business / Platform Credential: Windows Hello for Business (and Platform Credential for macOS) replaces the password with a key pair bound to the device and protected by its TPM or Secure Enclave. A biometric (fingerprint or facial recognition) or a PIN unlocks that key locally; the gesture itself never travels over the network, so there is nothing for an attacker to intercept or reuse.
By using passkeys on security keys, certificates, or device-bound platform credentials, phishing-resistant MFA blocks unauthorized sign-in attempts even when sophisticated phishing techniques are in play. This keeps emergency accounts safe and usable only by authorized personnel, so they can respond quickly and confidently without putting sensitive data or systems at risk.
Requirements & Considerations
- Passkeys can be registered in the Microsoft Authenticator app (in preview at the time of writing) and on FIDO2 USB security keys. Registration requires a fresh multifactor sign-in: the user must have completed MFA within the previous 5 minutes before Entra ID will let them register a passkey (FIDO2).
- Make sure your FIDO2 security key is FIDO2-certified and listed as compatible with Microsoft Entra ID. Learn more about attestation and compliance here: Microsoft Entra ID attestation for FIDO2 security key vendors - Microsoft Entra ID | Microsoft Learn.
- FIDO2 security keys and passkeys work across Windows, macOS, Linux, iOS, and Android, so an emergency account can be used from whatever device is still available during an incident.
- Every passkey (FIDO2) authenticator reports an Authenticator Attestation GUID (AAGUID) that identifies its make and model. The FIDO2 policy in Entra ID can enforce key restrictions that allow or block specific AAGUIDs; if you enable this, confirm that the keys you purchase for the emergency accounts are on the allow list, or registration will fail when you need it least.
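Putting the requirements above together, an administrator wants to know two things: which methods are actually registered on each emergency account (a leftover SMS method is both a phishing path and a dependency on the cellular network), and whether the tenant's FIDO2 policy will accept the keys that were bought. The script below is an added example, not code from the original post or from Microsoft; the account names are placeholders, and it uses only the Microsoft Graph PowerShell SDK cmdlets for authentication methods and the authentication methods policy.

```powershell
# Added example (not from the original post): check that each emergency access account
# has a phishing-resistant method registered and no weaker fallback, then show the
# tenant FIDO2 policy's key restrictions (AAGUID allow/block list).
# Modules: Microsoft.Graph.Identity.SignIns. Account names are placeholders.
$EmergencyAccounts = @(
    'breakglass1@contoso.onmicrosoft.com',
    'breakglass2@contoso.onmicrosoft.com'
)

# Method types as Microsoft Graph reports them in @odata.type. Hardware security keys and
# device-bound passkeys in Authenticator both surface as fido2AuthenticationMethod.
$PhishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.x509CertificateAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
$Weak = @(
    '#microsoft.graph.phoneAuthenticationMethod',                  # SMS / voice: phishable, needs a carrier
    '#microsoft.graph.emailAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',           # TOTP codes can be relayed
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'  # push / TOTP, not the passkey
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All','Policy.Read.All','User.Read.All' -NoWelcome

foreach ($upn in $EmergencyAccounts) {
    $methods = Get-MgUserAuthenticationMethod -UserId $upn
    $types   = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    $strong = $types | Where-Object { $PhishingResistant -contains $_ }
    $weak   = $types | Where-Object { $Weak -contains $_ }

    if (-not $strong) { Write-Warning "$upn : no phishing-resistant method registered" }
    foreach ($w in $weak) {
        Write-Warning "$upn : weak method registered ($w); remove it so it cannot be used as a fallback"
    }

    # List the enrolled FIDO2 keys: the model and AAGUID tell you exactly which key was registered.
    Get-MgUserAuthenticationFido2Method -UserId $upn |
        Select-Object @{ n = 'Account'; e = { $upn } }, DisplayName, Model, AaGuid, CreatedDateTime
}

# Tenant-wide FIDO2 policy. Key restrictions are an allow or block list of AAGUIDs; if they are
# enforced, a key whose AAGUID is not allowed cannot be registered for the emergency accounts.
$fido2        = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration -AuthenticationMethodConfigurationId 'Fido2'
$restrictions = $fido2.AdditionalProperties['keyRestrictions']
[pscustomobject]@{
    Fido2Enabled            = ($fido2.State -eq 'enabled')
    AttestationEnforced     = $fido2.AdditionalProperties['isAttestationEnforced']
    KeyRestrictionsEnforced = $restrictions['isEnforced']
    EnforcementType         = $restrictions['enforcementType']   # 'allow' or 'block'
    AaGuids                 = ($restrictions['aaGuids'] -join ', ')
}
```

Compare the AaGuid column from each account's registered keys with the policy's AaGuids list: when EnforcementType is allow, every key you intend to rely on must appear there, and when attestation is enforced the key model must also be one Microsoft has attested (see the vendor list linked below). Keep the spare key's AAGUID in the allow list too, not just the one in daily use.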
Conclusion
Emergency access accounts are not a luxury—they are a necessity. For nonprofits, which are often targets of cyber threats and face limited resources to respond, having a contingency plan is mission critical. These accounts serve as a lifeline during emergencies like identity lockouts, outages, or cyberattacks. By following the best practices outlined in this guide, nonprofits can dramatically reduce downtime, maintain access to donor and client data, and continue operations seamlessly even when adversity strikes.
Planning, documenting, securing, and testing these accounts ensure you’re prepared for the unexpected. Implementing these safeguards today could be what protects your organization tomorrow.
What’s Next?
In our next blog, we’ll walk through how to create an Emergency Access Account in your Microsoft Entra ID tenant, step-by-step. We’ll cover naming conventions, secure password practices, how to create an emergency access account, and more—so your nonprofit can be prepared for anything.
Stay tuned!
Hyperlinks
- Manage emergency access admin accounts - Microsoft Entra ID | Microsoft Learn
- Password-less sign-in with Authenticator - Microsoft Entra ID | Microsoft Learn
- Microsoft Entra ID attestation for FIDO2 security key vendors - Microsoft Entra ID | Microsoft Learn
- Enable passkeys in Authenticator for Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
- Phishing resistant authentication in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn
Updated Apr 23, 2025
Version 1.0
Margaret_Farmer
Microsoft
Nonprofit Techies