
Break-Glass Accounts: Plain English Explanation

Emergency admin accounts that bypass MFA for disaster recovery. Learn when to use them, how to secure them, and why they're your safety net, not a shortcut.

Last updated: March 20, 2026

A manufacturing company in Pensacola called us on a Friday afternoon. Their IT person — the only one who knew the Microsoft 365 admin credentials — had just been let go. The password was on a sticky note on his monitor. The note was gone with him.

They couldn't access their email admin panel. They couldn't add new users. Their vendor couldn't finish a critical integration because nobody could approve the permissions.

This is exactly what break-glass accounts are designed for.

What this solves (in real business terms)

The scenario: Your only admin gets locked out of Microsoft 365 because they lost their phone with the authenticator app. Or they're on vacation in Colorado with no cell signal. Or they quit and didn't leave the password.

Without a break-glass account: You're calling Microsoft support, waiting 24-72 hours for account recovery, and your business is frozen in the meantime. During that window, you can't add users, can't change settings, can't respond to security incidents.

With a break-glass account: You open the safe, get the password, log in, fix the problem. Back to business in 15 minutes.

The name comes from emergency break-glass fire alarms — you only break the glass when the building is on fire.

What can go wrong

Using it for convenience. "MFA is annoying, let me just use break-glass for this one thing..." This defeats the entire purpose. No per-person audit trail. Security tools flag it. If you're audited (cyber insurance, compliance), using a break-glass account for routine tasks looks like a control failure.

Never testing it. "We created it two years ago. Should be fine..." Password expired. Account disabled due to inactivity. Emergency happens, account doesn't work. You needed that safety net and it's rusted shut.

Storing the password poorly. Written on a sticky note under the keyboard. In a Google Doc called "Emergency Passwords." Emailed to yourself "so I can access it from anywhere." These are exactly where attackers look first.

Too many people knowing the password. If five people know the break-glass password, it's not a controlled emergency account — it's a shared secret that will eventually leak.

What it costs (honest ranges)

  • Physical safe: $50-$150 one-time
  • Password manager (if you don't have one): $0-$60/year for business plans
  • Setup time: 45-60 minutes initially
  • Quarterly test: 15 minutes (set a calendar reminder)
  • Managed security provider: Usually includes this as part of $10-$30/user/month service

Vendor questions (copy/paste)

When setting up break-glass accounts with a vendor or consultant, ask:

  1. "Where will the break-glass password be stored, and who will have physical access?"
  2. "What happens when this account logs in — will we get an alert? Who receives it?"
  3. "How often should we test this account, and do you include testing in your service?"
  4. "If this account is used, how do we document it for audit purposes?"
  5. "Can we use a password manager instead of a physical safe? What are the tradeoffs?"

Minimum viable implementation

Week 1: Create and secure the account

  1. Create a new admin account named something obvious: emergency-admin@yourcompany.com or breakglass@yourcompany.com. Don't hide it — everyone should know this account exists and should never be touched during normal operations.

  2. Generate a 20+ character random password. Use a password generator, not something you make up. Example of the style: xK9#mP2$vL5@nQ8! (this sample is only 16 characters; yours should be longer.)

  3. Assign the minimum necessary permissions. Global Administrator is common, but if you only need it for account recovery, consider a less privileged role.

  4. Exclude from MFA enforcement. This is the critical step. If MFA is required for all users, this account can't be used when MFA is broken. Exclude this specific account.

  5. Write the password on paper. Seal it in an envelope. Write the date on the outside.

  6. Store in a physical location controlled by 1-2 owners — a locked office, a safe, a lockbox.
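As an added example (not code from the original page) of step 2's "use a generator, not something you make up": a small Python generator that draws from the operating system's CSPRNG, enforces the 20+ character minimum, and spaces the result in groups of four because the page has you copy it by hand onto paper. Leaving out look-alike characters (0/O, 1/l/I) is my assumption, not something the page specifies.

```python
import secrets
import string

# Characters that are easy to confuse when read back from paper are left out
# (assumption: the page only says the password is hand-written and sealed).
AMBIGUOUS = set("0O1lI|")
LOWER = [c for c in string.ascii_lowercase if c not in AMBIGUOUS]
UPPER = [c for c in string.ascii_uppercase if c not in AMBIGUOUS]
DIGITS = [c for c in string.digits if c not in AMBIGUOUS]
SYMBOLS = list("!@#$%^&*-_=+?")
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

def meets_policy(password, min_length=20):
    """The page's requirement (20+ characters) plus one of each character class."""
    return (len(password) >= min_length
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password)
            and all(c in ALPHABET for c in password))

def generate_break_glass_password(length=24):
    """Draw from a CSPRNG (secrets) and retry until every class is present."""
    if length < 20:
        raise ValueError("the page's minimum is 20 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate

def for_paper(password, group=4):
    """Space the password in groups so it can be copied onto paper without errors."""
    return " ".join(password[i:i + group] for i in range(0, len(password), group))
```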

Week 2: Configure monitoring

  1. Enable audit logging for this account in your Microsoft 365 / Google Workspace admin panel.

  2. Create an alert rule: if this account logs in, send email AND text message to the owner immediately. Every single use should trigger an alert.

  3. Test the alert by logging in once. Verify you get the notification.

  4. Document: who has access to the physical envelope, what the alert procedure is, and when it was last tested.

Ongoing: Quarterly test

  1. Log in with the break-glass account.
  2. Verify the alert fires.
  3. Change nothing — just log in and log out.
  4. Update the "last tested" date in your documentation.
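As an added example (not code from the original page), here is what the Week 2 alert rule and the quarterly test amount to when written as a check over sign-in records: every sign-in attempt by the break-glass account produces an alert, attempts that fall inside the window of a documented test are labelled as such, and the owner is told when the last test is more than 90 days old. The account name, the 30-minute test window, the sample records and their field names are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

BREAK_GLASS_UPN = "breakglass@yourcompany.com"  # account name suggested on the page
TEST_INTERVAL = timedelta(days=90)              # quarterly test cadence from the page
# Constructed sample sign-in records (not real logs), shaped loosely like Entra ID
# sign-in entries: a normal user, a documented test, a failed attempt, a success.
SAMPLE_SIGNINS = [
    '{"createdDateTime": "2026-03-02T09:15:00Z", "userPrincipalName": "alice@yourcompany.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}',
    '{"createdDateTime": "2026-03-02T09:20:00Z", "userPrincipalName": "breakglass@yourcompany.com", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}',
    '{"createdDateTime": "2026-03-18T22:41:00Z", "userPrincipalName": "breakglass@yourcompany.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}}',
    '{"createdDateTime": "2026-03-19T03:05:00Z", "userPrincipalName": "BreakGlass@yourcompany.com", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}',
]
# The owner's record of documented quarterly tests: (time, who ran it).
DOCUMENTED_TESTS = [("2026-03-02T09:20:00Z", "owner")]

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def break_glass_alerts(lines, documented_tests, window=timedelta(minutes=30)):
    """One alert per break-glass sign-in attempt, successful or failed. Attempts
    within `window` of a documented test are 'documented-test'; the rest 'unplanned-use'."""
    test_times = [parse_time(t) for t, _ in documented_tests]
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec["userPrincipalName"].lower() != BREAK_GLASS_UPN:
            continue  # UPNs are matched case-insensitively
        when = parse_time(rec["createdDateTime"])
        documented = any(abs(when - t) <= window for t in test_times)
        alerts.append({
            "time": rec["createdDateTime"],
            "ip": rec["ipAddress"],
            "succeeded": rec["status"]["errorCode"] == 0,
            "kind": "documented-test" if documented else "unplanned-use",
        })
    return alerts

def quarterly_test_overdue(documented_tests, now):
    """True when the most recent documented test is older than TEST_INTERVAL."""
    if not documented_tests:
        return True
    last = max(parse_time(t) for t, _ in documented_tests)
    return now - last > TEST_INTERVAL

if __name__ == "__main__":
    for alert in break_glass_alerts(SAMPLE_SIGNINS, DOCUMENTED_TESTS):
        print(alert)
    print("quarterly test overdue:", quarterly_test_overdue(DOCUMENTED_TESTS, datetime.now(timezone.utc)))
```

Failed attempts are alerted on deliberately: a password-guessing run against an MFA-exempt account is exactly the thing the owner should hear about.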

Every year: Rotate the password

  1. Generate a new random password.
  2. Update the paper in the envelope.
  3. Update any other secure locations where you stored it (password manager emergency access, etc.).

When to hire help

DIY-friendly if:

  • You have admin access to your current systems (Microsoft 365, Google Workspace)
  • You can follow documented procedures
  • You have a secure location to store the password (lockbox, safe, owner's office)

Get professional help if:

  • You're in a regulated industry (healthcare, finance, government contracting) where audit trails are legally required
  • You have more than 50 employees with complex role structures
  • You're unsure whether your current admin accounts already function as break-glass accounts (they might — and that could be a problem)
  • You want someone else to own the testing and rotation process
