The day a Conditional Access policy locks out every admin, you have ten minutes to fix it before the executive team calls. The only way back in is an account you created months ago and never thought about again. If it does not work, you are rebuilding the tenant.
Break glass accounts are the cheapest insurance policy in cloud security. Most companies have them. Almost none test them. And in most tenants we audit, the insurance policy is misconfigured in ways that turn it into the breach itself.
What a break glass account actually is
A cloud-only Microsoft Entra ID account. Never synced from on-premises. Never tied to a personal device. Never used for daily work. Global Administrator. Excluded from Conditional Access. The one identity that can recover the tenant when everything else has failed.
Two of them. Not one. Owned by no single human. Stored in two physically separate safes.
Where it quietly breaks
Same MFA factor as everyone else. If the Authenticator service is degraded, your break glass account using Authenticator is degraded with it. The only acceptable factor is a FIDO2 hardware key, stored offline, with a tested backup.
Synced from on-prem. Hybrid identity teams sync them by accident. A bad Microsoft Entra Connect sync deletes them. Cloud-only or nothing.
Not excluded from Conditional Access. The policy that locked everyone out includes the break glass account. The insurance policy is now part of the fire.
Stale credentials. Passwords are 14 months old. Hardware keys ran out of battery. The person who wrote down the recovery codes left the company two restructures ago.
No alerting on use. A sign-in from a break glass account should page the entire security team. In most tenants, it pages nobody.
What to do this quarter
Stand up two cloud-only Global Admin accounts with long random passwords. Store them offline, in two separate physical safes, owned by two different people. Issue two FIDO2 hardware keys per account. Document an explicit exclusion from every Conditional Access policy, and revisit those exclusions every time a new policy ships.
Test annually. Pick a quiet weekend. Sign in with both accounts. Rotate passwords. Replace batteries. Log every step.
Alert on use. Any sign-in from these accounts pages the on-call security engineer immediately. The only acceptable reason to use them is a real outage. Anyone else signing in is someone who got into your safe.
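As an added example, not code from this post or from SecValley: a Python health check that applies the checklist above (cloud-only, credentials fresher than the annual test, excluded from every Conditional Access policy, alert on any sign-in) to data shaped like the Microsoft Graph user, conditionalAccessPolicy and signIn resources. The break glass UPNs, user IDs, policy names and sign-in events are constructed for the example; in a real tenant the three lists would be fetched from Graph, which this block does not do. It goes slightly beyond the text in two places, both marked in the code: report-only policies are audited as well as enforced ones, and failed sign-in attempts page just like successful ones.

```python
"""Break glass health check over Microsoft Graph-shaped data.

Assumption: the dicts below mirror the Graph `user`, `conditionalAccessPolicy`
and `signIn` resources; they are constructed samples, nothing calls the API.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical break glass UPNs; constructed, not from any real tenant.
BREAK_GLASS_UPNS = {"bg-admin-01@contoso.example", "bg-admin-02@contoso.example"}
AS_OF = datetime(2025, 3, 2, 12, tzinfo=timezone.utc)  # "now" for the sample run

USERS = [  # Graph user objects (constructed)
    {"id": "u-bg-01", "userPrincipalName": "bg-admin-01@contoso.example",
     "onPremisesSyncEnabled": None,  # cloud-only, as it should be
     "lastPasswordChangeDateTime": "2024-11-02T09:00:00Z"},
    {"id": "u-bg-02", "userPrincipalName": "bg-admin-02@contoso.example",
     "onPremisesSyncEnabled": True,  # synced by accident
     "lastPasswordChangeDateTime": "2023-01-15T09:00:00Z"},  # stale
]
CA_POLICIES = [  # Graph conditionalAccessPolicy objects (constructed)
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-bg-01", "u-bg-02"]}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["u-bg-01"]}}},  # bg-02 forgotten
    {"displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},  # report-only today
    {"displayName": "Retired policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
]
SIGN_INS = [  # Graph signIn objects (constructed); errorCode 0 is success
    {"userId": "u-ops-9", "userPrincipalName": "ops.user@contoso.example", "createdDateTime": "2025-03-01T08:10:00Z",
     "ipAddress": "198.51.100.20", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}},
    {"userId": "u-bg-01", "userPrincipalName": "bg-admin-01@contoso.example", "createdDateTime": "2025-03-01T02:14:00Z",
     "ipAddress": "203.0.113.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
    {"userId": "u-bg-02", "userPrincipalName": "bg-admin-02@contoso.example", "createdDateTime": "2025-03-01T02:20:00Z",
     "ipAddress": "203.0.113.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},  # wrong password
]

def _parse_graph_time(value):
    """Graph emits ISO 8601 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_break_glass_users(users, upns=BREAK_GLASS_UPNS):
    """Select the break glass accounts by UPN, case-insensitively as Entra does."""
    wanted = {u.lower() for u in upns}
    return [u for u in users if u["userPrincipalName"].lower() in wanted]

def audit_account(user, now=AS_OF, max_password_age_days=365):
    """Per-account findings: on-prem sync, and a password older than the annual test."""
    findings = []
    if user.get("onPremisesSyncEnabled"):
        findings.append("synced from on-premises")
    age = now - _parse_graph_time(user["lastPasswordChangeDateTime"])
    if age > timedelta(days=max_password_age_days):
        findings.append(f"password last changed {age.days} days ago")
    return findings

def audit_ca_exclusions(policies, break_glass_ids):
    """Map policy name -> break glass IDs missing from its explicit user exclusions.
    Report-only policies are checked too (they become enforcing with one toggle); only
    disabled ones are skipped. Explicit exclusion is the test because an "All" or
    group-based include scope pulls the account in regardless."""
    gaps = {}
    for policy in policies:
        if policy["state"] == "disabled":
            continue
        excluded = set(policy["conditions"]["users"].get("excludeUsers", []))
        missing = [uid for uid in break_glass_ids if uid not in excluded]
        if missing:
            gaps[policy["displayName"]] = missing
    return gaps

def detect_break_glass_sign_ins(sign_ins, break_glass_ids):
    """Every attempt by a break glass account, failed ones included, is an alert."""
    alerts = []
    for event in sign_ins:
        if event["userId"] not in break_glass_ids:
            continue
        code = event["status"]["errorCode"]
        alerts.append({"upn": event["userPrincipalName"], "when": event["createdDateTime"],
                       "ip": event["ipAddress"], "app": event["appDisplayName"],
                       "outcome": "success" if code == 0 else f"failure {code}"})
    return alerts

def run_health_check(users=USERS, policies=CA_POLICIES, sign_ins=SIGN_INS, now=AS_OF):
    """Combine the checks; 'healthy' needs two accounts, no findings and no CA gaps."""
    bg_users = find_break_glass_users(users)
    bg_ids = [u["id"] for u in bg_users]
    report = {
        "accounts": {u["userPrincipalName"]: audit_account(u, now) for u in bg_users},
        "ca_gaps": audit_ca_exclusions(policies, bg_ids),
        "sign_in_alerts": detect_break_glass_sign_ins(sign_ins, set(bg_ids)),
    }
    report["healthy"] = (len(bg_users) == 2 and not any(report["accounts"].values())
                         and not report["ca_gaps"])
    return report

if __name__ == "__main__":
    import json
    print(json.dumps(run_health_check(), indent=2))
```

Run as-is, the report shows the second account synced from on-premises with a 777-day-old password, two policies (one enforced, one report-only) that do not exclude every break glass ID, and two sign-in alerts, one of them a failed attempt from the same address as the successful one. The same functions work unchanged on the real objects returned by Graph, because only the fields named above are read.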
Why this keeps slipping
Identity teams set up break glass accounts on day one of a tenant. Then ownership moves. Conditional Access policies tighten. MFA gets enforced. Token lifetimes get shortened. Nobody re-tests the accounts, because the break glass account is the one thing nobody wants to touch.
The directory drifts. The insurance policy expires quietly. You only find out the day you need it.
SecValley CSPM flags the misconfigurations that strand break glass accounts: missing Conditional Access exclusions, on-prem sync, stale credentials, missing sign-in alerts, and weak authentication methods. Part of 500+ controls across Microsoft 365, Microsoft Entra ID and Azure.
The identity you hope never to use is the one you have to test the most.