When MFA Fails - How to Manage a Break Glass Procedure


You’ve probably spotted break-glass points or boxes in a building. Usually, smashing the glass allows quick access to a fire alarm activation mechanism. Well, a break glass procedure in Azure AD serves a similar purpose. It provides for controlled access to high-privilege accounts and resources, and it lets users access those assets in emergencies where regular administrative accounts are inaccessible.

A break glass procedure can save the day in several ways depending on the environment in question. It can facilitate access to global admin accounts when Multi-Factor Authentication (MFA) fails. It can also give non-privileged users emergency access to healthcare information systems, such as when an assistant needs to sign in to an ePHI system during a disaster.


Here are some typical break glass scenarios:

MFA required accounts: In this case, administrators need MFA to verify their identity and activate a role. They have to undergo verification by a phone call or text message, but this is not possible because of a cellular network outage. If an organization has authentication override protocols for use in such an emergency, system admins can “smash the glass” and activate the desired roles.

Privileged Account Management (PAM): A typical PAM system locks privileged admin credentials in a highly secure vault. Access to the vault could be lost in several scenarios, making it impossible to retrieve credentials for admin accounts. If the only admin who could access the password vault left the organization, or a distributed denial of service (DDoS) attack kept everyone out, an emergency break glass protocol would provide an alternative way into the system.

Emergency ePHI access: The loss of security credentials for ePHI accounts can interrupt patient care in case of an emergency. With a break-glass mechanism in place, an unprivileged or visiting caregiver can access a locked account and activate a high-level administrative role.


Setting Up Cloud-Only, Emergency Access Accounts

Two or more of these are enough to get you started with a break glass procedure for office 365. The accounts should have no link to on-premises systems, and only individuals allowed to use them should be privy to their respective credentials.

Password Security

Protect an emergency access account password by splitting it into two or more pieces. Write each part on a separate piece of paper and lock it in a different, fireproof safe. Only during a break-glass event may an admin bring the split credentials to the same place at the same time.

Bear in mind that an employee keeping a secret password known only to them may not always be on call to help with your break-glass protocols. As such, don’t tie an emergency access account or credential to a specific personal device that an individual employee is using.

Initial Configuration Options

You could assign permanent global administrator roles to Office 365 users whom you can trust with the highest level of security clearance, primarily if your organization does not use Azure AD Premium P2. To guard against a breach in case of password theft, subject all the privileged admins to MFA.

On the other hand, an organization that uses Azure AD Premium P2 may opt to set up several users as activators of the global administrator role. In that case, the privileged admins will be sharing devices and infrastructure, and they’ll have to complete MFA before accessing any emergency break-glass account.

If only employee-linked personal devices are available in your company, be sure MFA is not a prerequisite for activating privileges in break-glass accounts.


Windows 365The whole point of break glass is that you can see that the glass has collapsed. So, you need to continually keep an eye out for any logins or system operations associated with break glass accounts as these are usually dormant, except during an emergency. Configure the system to sound the alarm in case of suspicious account activity. Review all incidents.

Here’s how frequently you should audit your emergency access accounts:

  • Every three months (90 days): Do this even if there has not been a security breach in the recent past.
  • After any change in IT personnel: For example, you have to update break-glass account credentials when an employee who has them leaves your organization.
  • After an upgrade or downgrade of Azure AD subscription: Any such change impacts how you can assign the global administrator role to users. Also, it has a bearing on how you may implement MFA for all admins.
  • After a break glass procedure: You may have to take a hard look at the nitty-gritty of the entire emergency processes.

Here’s what to audit in the break-glass accounts:

  • Signing in: Are the emergency account credentials working? Are users able to exercise the anticipated admin privileges after signing in?
  • Alerts: Are notifications working as anticipated after a user logs into the account? Can you track all account activities?
  • Users: Do users understand the prerequisites for triggering a break-glass procedure? Do they know where to start after getting locked out of their regular, top-tier admin accounts? Staff training can help close all identified knowledge gaps. Likewise, be sure to determine what system administration structure works best for your organization in the event of MFA failure. Do you need to add or remove some privileged users?
  • Multi-Factor Authentication: Deactivate MFA for any break-glass account tied to a personal device, such as a smartphone. Emergency access will likely fail if such a device is unavailable, for example, when its owner is out of reach. If MFA is mandatory, be sure there is a shared device that all eligible admins can access in an emergency to complete authentication procedures and activate the required roles. Ascertain that MFA devices can connect to the internet in multiple, different ways, such as via WiFi and a cellular data network. This way, MFA still works in case one of the gadget’s internet access modes fails.
  • Credentials: Create new split passwords for the break-glass accounts.

Any organization that uses Azure AD should devise a foolproof plan for accessing global account admin roles during an MFA failure. If you need help with security and compliance, including how to establish Break Glass Procedures for your company, give us a call

Published on: .

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.

How can we help?


Let's start a conversation

location Agile IT Headquarters
4660 La Jolla Village Drive #100
San Diego, CA 92122

telephone-icon + 1 (619) 292-0800 mail-icon Sales@AgileIT.com

Don’t want to wait for us to get back to you?