Skip to main content
Version: 2.0.1 (preview)

Configuring Emergency Access Accounts

Emergency access accounts (also known as "break glass" accounts) are highly privileged accounts that should be excluded from all Conditional Access policies to ensure you can always access your tenant in case of a lockout scenario.

Maester includes tests that verify your emergency access accounts are properly excluded from all Conditional Access policies. By configuring your emergency access accounts in the Maester configuration, these tests can validate that your specific accounts are correctly excluded.

Why Configure Emergency Access Accounts?

By default, Maester attempts to auto-detect emergency access accounts by looking for users or groups that are consistently excluded from all Conditional Access policies. However, explicitly configuring your emergency access accounts provides:

  • Accurate testing - Ensures the exact accounts you intend as emergency access are being validated
  • Clear documentation - Your configuration serves as documentation of your emergency access strategy
  • Support for multiple accounts - Define multiple users and groups as emergency access accounts

Configuration Format

Emergency access accounts are configured in the GlobalSettings section of your custom maester-config.json file.

Basic Structure

{
  "GlobalSettings": {
    "EmergencyAccessAccounts": [
      // Your emergency access accounts and groups
    ]
  }
}

Supported Parameters

Each entry in the EmergencyAccessAccounts array supports the following parameters:

ParameterRequiredDescription
TypeYesThe type of object. Must be either User or Group
IdNo*The Object ID (GUID) of the user or group
UserPrincipalNameNo*The UPN (email) of the user or group email address

* You must provide either Id or UserPrincipalName for each entry.

Configuration Examples

Single Emergency Access User (using UPN)

{
  "GlobalSettings": {
    "EmergencyAccessAccounts": [
      {
        "UserPrincipalName": "BreakGlass1@contoso.com",
        "Type": "User"
      }
    ]
  }
}

Single Emergency Access User (using Object ID)

{
  "GlobalSettings": {
    "EmergencyAccessAccounts": [
      {
        "Id": "00000000-0000-0000-0000-000000000001",
        "Type": "User"
      }
    ]
  }
}

Emergency Access Group

If you use a security group to manage your emergency access accounts, you can configure the group instead:

{
  "GlobalSettings": {
    "EmergencyAccessAccounts": [
      {
        "Id": "00000000-0000-0000-0000-000000000002",
        "Type": "Group"
      }
    ]
  }
}

Multiple Emergency Access Accounts

Microsoft recommends having at least two emergency access accounts. You can configure multiple users and groups:

{
  "GlobalSettings": {
    "EmergencyAccessAccounts": [
      {
        "UserPrincipalName": "BreakGlass1@contoso.com",
        "Type": "User"
      },
      {
        "UserPrincipalName": "BreakGlass2@contoso.com",
        "Type": "User"
      },
      {
        "Id": "00000000-0000-0000-0000-000000000002",
        "Type": "Group"
      }
    ]
  }
}
tip

When you configure both users and groups, Maester will verify that all configured accounts and groups are excluded from every Conditional Access policy.

Finding Object IDs

For Users

  1. Go to the Microsoft Entra admin center
  2. Navigate to Users > All users
  3. Search for your emergency access user
  4. Copy the Object ID from the user's overview page

Or use PowerShell:

Get-MgUser -UserId "BreakGlass1@contoso.com" | Select-Object Id, UserPrincipalName

For Groups

  1. Go to the Microsoft Entra admin center
  2. Navigate to Groups > All groups
  3. Search for your emergency access group
  4. Copy the Object ID from the group's overview page

Or use PowerShell:

Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'" | Select-Object Id, DisplayName

The following Maester tests use the Emergency Access Accounts configuration:

Test IDDescription
MT.1005All Conditional Access policies are configured to exclude at least one emergency/break glass account or group

Best Practices

  1. Use at least two emergency access accounts - Microsoft recommends having multiple break glass accounts in case one is compromised or unavailable.

  2. Use cloud-only accounts - Emergency access accounts should not be synchronized from on-premises Active Directory.

  3. Exclude from all Conditional Access policies - Ensure your emergency access accounts are excluded from ALL policies, not just MFA policies.

  4. Monitor emergency account usage - Set up alerts for when emergency access accounts are used.

  5. Test regularly - Periodically verify that your emergency access accounts can actually sign in and access critical resources.

Learn More