A break glass account is an emergency administrator account that gives an organization access to its critical IT systems when normal login methods fail. The name comes from the “break glass in case of emergency” idea on fire extinguisher cabinets. These accounts sit unused under tight security until a crisis hits, then provide a last-resort way to regain control of cloud platforms, identity systems, or other infrastructure that every other admin has been locked out of.
Why Organizations Need One
Modern IT environments rely on layers of security: multi-factor authentication (MFA), conditional access policies that restrict logins by location or device, and identity providers that verify who you are before granting access. These layers work well under normal conditions, but they also create a single point of failure. If the MFA service goes down, or a misconfigured policy accidentally blocks every administrator, or a key admin leaves and nobody has their credentials, the entire organization can lose access to the systems it depends on.
A break glass account is the safety net for exactly these scenarios. It bypasses the usual security controls so that at least one path into the system always exists. Common situations that trigger its use include:
- MFA outages: The authentication app or phone network is unavailable, and no admin can complete their login.
- Conditional access mistakes: A new security policy accidentally locks out all administrator accounts.
- Identity provider failures: The federated login system (like an on-premises Active Directory syncing to the cloud) stops working.
- Loss of personnel: The only person with admin credentials is unreachable, and urgent changes are needed.
Without a break glass account in any of these situations, an organization could be completely unable to manage its own cloud environment, reset passwords, or restore access for its workforce.
How a Break Glass Account Is Set Up
A break glass account is not a regular admin account that someone uses day to day. It is purpose-built to survive the exact failures it is meant to rescue you from, which means its configuration deliberately differs from standard accounts in several ways.
The account is typically assigned the highest level of administrative privilege, often called Global Administrator in platforms like Microsoft Entra ID (formerly Azure Active Directory). It needs this level of access because you cannot predict which specific system will need emergency intervention. The credentials are usually a very long, complex password, sometimes split into parts and stored in separate physical locations, such as sealed envelopes in different safes. Some organizations use FIDO2 hardware security keys (small USB or NFC devices) as the authentication method instead of or alongside a password.
Critically, the account is excluded from the conditional access policies and MFA requirements that apply to every other admin. This is the entire point: if MFA is the thing that broke, requiring MFA on the emergency account would defeat its purpose. The account should also not depend on a federated identity provider. It should be a cloud-only account so that an on-premises server failure does not take it down too. Most guidance recommends creating at least two break glass accounts so that one remains available even if something goes wrong with the other.
Monitoring and Alerts
Because break glass accounts carry enormous privileges and bypass normal security controls, any use of them needs to trigger an immediate alarm. Organizations set up monitoring so that the moment one of these accounts signs in, every relevant administrator gets notified by email, SMS, or push notification. The alert is configured at the highest severity level, meaning it is treated as a critical event that demands an instant response.
In practice, this monitoring works by feeding sign-in logs into a security tool that watches for activity from the specific emergency account IDs. If the tool sees even one sign-in (the alert threshold is simply a count greater than zero), it fires the alert to a predefined group of people. Microsoft recommends tools like Azure Monitor or Microsoft Sentinel for this purpose, but the principle applies on any cloud platform: every sign-in from an emergency account should be visible and auditable.
This monitoring also serves as a tamper detection system. If someone uses the break glass account without authorization, the alert will expose that activity immediately.
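The detection logic described above, as an added example that is not part of the original article: it runs the "greater than zero" rule over a few constructed sign-in records shaped loosely like Entra ID sign-in logs, matching on account object ID rather than display name and counting failed attempts as well as successes. The account IDs, log lines and the assumption that resultType "0" means success are all constructed for this example.

```python
import json
from collections import defaultdict

# Constructed object IDs for the two emergency accounts (placeholders, not real tenant values).
BREAK_GLASS_ACCOUNTS = {
    "00000000-0000-0000-0000-00000000bg01": "breakglass1@example.onmicrosoft.com",
    "00000000-0000-0000-0000-00000000bg02": "breakglass2@example.onmicrosoft.com",
}

# Constructed newline-delimited JSON sign-in records (sample data only). Assumed convention:
# resultType "0" is a successful sign-in, any other value is a failure.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2024-05-01T08:00:00Z", "userId": "11111111-2222-3333-4444-555555555555", "userPrincipalName": "alice@example.onmicrosoft.com", "resultType": "0", "ipAddress": "203.0.113.10"}
{"createdDateTime": "2024-05-01T08:05:00Z", "userId": "00000000-0000-0000-0000-00000000bg01", "userPrincipalName": "breakglass1@example.onmicrosoft.com", "resultType": "50126", "ipAddress": "198.51.100.7"}
{"createdDateTime": "2024-05-01T08:06:00Z", "userId": "00000000-0000-0000-0000-00000000bg01", "userPrincipalName": "breakglass1@example.onmicrosoft.com", "resultType": "0", "ipAddress": "198.51.100.7"}
{"createdDateTime": "2024-05-01T09:00:00Z", "userId": "66666666-7777-8888-9999-000000000000", "userPrincipalName": "bob@example.onmicrosoft.com", "resultType": "0", "ipAddress": "203.0.113.11"}
"""

def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_break_glass_signins(records, watched=BREAK_GLASS_ACCOUNTS):
    """Return every record (success or failure) attributable to a watched account.
    Matching on userId rather than UPN means a renamed account is still caught;
    failed attempts are kept because they indicate someone is trying the credentials."""
    return [r for r in records if r.get("userId") in watched]

def build_alert(hits):
    """Threshold is > 0: a single matching record produces a critical alert."""
    if not hits:
        return None
    by_account = defaultdict(list)
    for r in hits:
        by_account[r["userId"]].append(r)
    return {
        "severity": "critical",
        "count": len(hits),
        "accounts": sorted(by_account),
        "failed_attempts": sum(1 for r in hits if r.get("resultType") != "0"),
        "first_seen": min(r["createdDateTime"] for r in hits),
        "source_ips": sorted({r["ipAddress"] for r in hits}),
    }

def run_detection(log_text=SAMPLE_SIGNIN_LOG):
    """Full pipeline: parse, match watched accounts, build the alert (None when nothing matched)."""
    return build_alert(detect_break_glass_signins(parse_signin_log(log_text)))

if __name__ == "__main__":
    print(json.dumps(run_detection(), indent=2))
```

In a real deployment the alert dictionary would be handed to the notification channel (email, SMS, push) rather than printed, and the watched-ID set would be the only thing that changes between tenants.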
What Happens After a Break Glass Account Is Used
Using a break glass account is not the end of the process. It kicks off a formal review. After the alert fires, the organization should preserve the sign-in and audit logs from the identity platform and any other systems the account touched. A review then examines what actions were taken during the emergency session to confirm they align with the authorized reason for using the account.
This post-use review serves two purposes. First, it verifies that the emergency was genuine and that the person who logged in did only what was necessary. Second, it identifies the root cause of the lockout so the organization can prevent it from happening again. After the review, the account credentials are typically rotated (changed to a new password or key) and re-secured in their physical storage location.
Ongoing Maintenance
A break glass account that has never been tested is a liability, not a safety net. Organizations should periodically verify that the account can still log in, that its credentials are correct, and that the monitoring alerts fire properly. A regular testing cadence, often quarterly, ensures the account will actually work when it is needed. This test also confirms that no one has inadvertently added the account to a conditional access policy or let the credentials expire.
Credential storage should be reviewed as well. If the password is stored in a physical safe, someone should confirm the envelope is still sealed and the safe is accessible. If a hardware security key is used, it should be tested to make sure the device still functions. The small time investment in periodic checks is far less costly than discovering during an actual emergency that the break glass account no longer works.
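One of the periodic checks above, verifying that nobody has quietly pulled the emergency accounts back into a conditional access policy, as an added example that is not part of the original article. The policy objects are constructed in the general shape of Microsoft Graph conditionalAccessPolicy resources (state, conditions.users.includeUsers/excludeUsers/includeRoles); the account IDs, policy IDs and role placeholder are sample values, and group-based scoping is deliberately not evaluated.

```python
# Constructed object IDs for the two emergency accounts (placeholders, not real tenant values).
BREAK_GLASS_ACCOUNTS = [
    "00000000-0000-0000-0000-00000000bg01",
    "00000000-0000-0000-0000-00000000bg02",
]

# Constructed policies (sample data only) in the general shape of Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = [
    {"id": "pol-1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": list(BREAK_GLASS_ACCOUNTS)}}},
    {"id": "pol-2", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": [BREAK_GLASS_ACCOUNTS[0]]}}},  # second account forgotten
    {"id": "pol-3", "displayName": "Require compliant device for admins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeRoles": ["<global-admin-role-template-id>"]}}},  # placeholder
    {"id": "pol-4", "displayName": "Retired pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
]

def policy_targets_account(policy, account_id):
    """Conservative scoping: the policy applies if it targets All users, names the account,
    or targets any directory role (the emergency account holds the highest role, so assume a hit).
    Group-based scoping is not evaluated; that is an assumption of this example."""
    users = policy.get("conditions", {}).get("users", {})
    include = users.get("includeUsers", [])
    return "All" in include or account_id in include or bool(users.get("includeRoles"))

def find_exclusion_gaps(policies, accounts=BREAK_GLASS_ACCOUNTS):
    """Per account: enforced policies missing the exclusion ('gaps') and report-only policies
    missing it ('warnings', because switching them on later would lock the account out)."""
    report = {}
    for account in accounts:
        gaps, warnings = [], []
        for policy in policies:
            if policy.get("state") == "disabled" or not policy_targets_account(policy, account):
                continue
            excluded = policy.get("conditions", {}).get("users", {}).get("excludeUsers", [])
            if account in excluded:
                continue
            (gaps if policy["state"] == "enabled" else warnings).append(policy["id"])
        report[account] = {"gaps": gaps, "warnings": warnings}
    return report

def break_glass_policy_check_passes(policies=SAMPLE_POLICIES, accounts=BREAK_GLASS_ACCOUNTS):
    """The periodic check passes only when no enforced policy can block any emergency account."""
    return all(not r["gaps"] for r in find_exclusion_gaps(policies, accounts).values())

if __name__ == "__main__":
    for account, result in find_exclusion_gaps(SAMPLE_POLICIES).items():
        print(account, result)
    print("PASS" if break_glass_policy_check_passes() else "FAIL")
```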
Break Glass Accounts Beyond the Cloud
While the term is most commonly associated with cloud identity platforms like Microsoft Entra ID and AWS IAM, the concept applies broadly. Any system where layered security controls could inadvertently block all administrators benefits from an emergency access path. This includes on-premises servers, network equipment, database platforms, and SaaS applications with their own admin consoles. The specifics of how you create and store the credentials vary by platform, but the core principles remain the same: minimal use, maximum privilege, physical credential security, real-time monitoring, and mandatory post-use review.
For smaller organizations without dedicated security teams, even a simple version of this concept adds resilience. Storing a secondary admin account’s credentials in a sealed envelope in a locked drawer, with an agreement that opening it triggers a phone call to the business owner, captures the spirit of break glass access without requiring enterprise-grade monitoring tools.