Introduction
Admin lockout scenarios in Microsoft Entra ID can arise from various factors, including Conditional Access (CA) misconfigurations, password issues, or MFA failures. Such situations can leave administrators locked out of their tenant, leading to an operational crisis. Before seeking assistance from Microsoft support or a partner with GDAP access, you can use a Break Glass Access Application to regain access and resolve tenant admin lockout issues.
This blog provides a step-by-step guide on creating and securing an emergency access application while implementing proper monitoring and security controls to prevent misuse.
Emergency Access Scenarios & Mitigation Strategies
Depending on the nature of the emergency scenario, specific measures must be followed based on the tenant’s existing configurations.
Password or MFA Issues: If regular admin accounts are inaccessible due to password or MFA-related problems, an emergency access account (if properly maintained) can be used for recovery.
Conditional Access Misconfigurations: If a misconfigured Conditional Access (CA) policy applies to all accounts, including Emergency Access Accounts, it can result in a complete admin lockout, especially where a restrictive policy such as a blanket block is enforced (for example, a Block policy targeted at All Users but not at workload identities).
Note: Without a Break Glass Application registered for tenant recovery, the only viable solution would be to contact Microsoft Support for assistance in regaining access.
Using the Break Glass App Registration: If a CA misconfiguration locks out all administrators, or both the normal admin accounts and the Emergency Access accounts have lost their roles (for example through admin error or PIM-related issues), this App Registration method can be used to regain access without needing immediate external assistance.
Note: If your tenant has an Entra Workload Identities license and has implemented policies that block service principal access based on location or service principal risk, then this method may not be effective as the access will be blocked. However, CA policies misconfigured for users generally do not impact service principal access.
Configuring an Emergency Access App Registration
Below are the configuration steps to set up an emergency access app.
Login to the Entra Admin Center, navigate to App Registrations, and click on New Registration.
For the Break Glass Access Application, I have named it Xavier-App. (Avoid names that indicate high privilege or admin access, to maintain security and prevent unwanted attention.)
Now, let's configure the API permissions for our Emergency Access App (Xavier-App). The application should be granted the following high-privilege Microsoft Graph API permissions (Application permissions):
Directory.ReadWrite.All – Full read/write access to directory resources.
Policy.ReadWrite.ConditionalAccess – Read and modify Conditional Access policies.
RoleManagement.ReadWrite.Directory – Manage directory role assignments.
User.ReadWrite.All – Read and update all user profiles.
UserAuthenticationMethod.ReadWrite.All – Manage authentication methods for all users.
These permissions let the application modify users, adjust CA policies and authentication methods, and reassign roles when an emergency occurs.
Now our Emergency Access Application is ready for testing.
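The portal steps above can also be scripted, which makes the resulting grants reviewable. The following is an added example (not from the original post) that grants the five Microsoft Graph application permissions listed above with admin consent and then verifies each grant. It assumes an active Connect-MgGraph session as an administrator who can consent, and that $AppObjectId holds the object ID of the Xavier-App registration (a placeholder to replace).

```powershell
# Added example, not from the original post: grant the listed Graph application
# permissions to the break glass app with admin consent, then verify them.
# Assumes an active Connect-MgGraph session; $AppObjectId is a placeholder.
$AppObjectId = "<Your_Application_ObjectID>"

$requiredPermissions = @(
    "Directory.ReadWrite.All",
    "Policy.ReadWrite.ConditionalAccess",
    "RoleManagement.ReadWrite.Directory",
    "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All"
)

# Microsoft Graph's service principal has the same well-known appId in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$app     = Get-MgApplication -ApplicationId $AppObjectId
$appSp   = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $appSp) { $appSp = New-MgServicePrincipal -AppId $app.AppId }   # portal registration normally creates it

# Resolve permission names to Graph app roles (application permissions only).
$roles = foreach ($name in $requiredPermissions) {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $role) { throw "Graph application permission '$name' not found" }
    $role
}

# Record the request on the app object so it shows under "API permissions" in the portal.
# This replaces the existing list; merge first if the app already has other permissions.
$requiredResourceAccess = @{
    ResourceAppId  = $graphSp.AppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = "Role" } })
}
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @($requiredResourceAccess)

# An app role assignment on the Graph resource is the admin consent itself.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All
foreach ($role in $roles) {
    if ($existing.AppRoleId -contains $role.Id) { continue }   # already consented
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id `
        -PrincipalId $appSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
}

# Verify: every required role must now appear as an assignment.
$granted = (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All).AppRoleId
$missing = $roles | Where-Object { $granted -notcontains $_.Id } | ForEach-Object Value
if ($missing) { throw "Consent missing for: $($missing -join ', ')" }
Write-Host "All $($roles.Count) application permissions granted to $($appSp.DisplayName)"
```

The script is idempotent: re-running it skips roles that are already consented, so it doubles as a periodic check that the break glass app still has exactly the grants you expect.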
Note: Avoid locking yourself out of your tenant during testing. Instead, validate the functionality of this application using the test cases below:
- Test Conditional Access (CA) Policy Adjustments using the Emergency Access Application.
- Create a new admin account using Emergency Access App and verify access to the Entra Admin Center.
- Reset authentication methods for an existing admin account.
- Reissue a Temporary Access Pass (TAP) for admin password recovery or new authentication registrations.
Recovery Steps If Locked Out
If you are locked out of your tenant, try these steps before reaching out to Microsoft Support or a partner with GDAP access:
Option 1: Attempt to sign in using an Emergency Access Account. If the account is active and its password and MFA are functioning as expected, and there are no Conditional Access policies or Privileged Identity Management (PIM) restrictions blocking its usage, you should be able to regain access successfully.
Option 2: Use the Emergency Access App (Xavier-App) to modify Conditional Access policies or reset credentials. If you have already created an App Registration with the previously mentioned permissions, and the application credentials are accessible to you, ensure that no Conditional Access policies are blocking the usage of the Service Principal or Workload Identities.
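Whether Option 2 will work depends on whether any enabled CA policy targets workload identities, since only those policies can block the app's service principal. The following added example (not from the original post) lists such policies before you rely on the app; it assumes an active Connect-MgGraph session with permission to read CA policies.

```powershell
# Added example, not from the original post: find enabled Conditional Access
# policies that target service principals (workload identities), which are the
# only ones that can block the break glass app. Assumes a Connect-MgGraph session.
$policies = Get-MgIdentityConditionalAccessPolicy -All

$workloadPolicies = foreach ($p in $policies) {
    # User-scoped policies have no clientApplications condition; those cannot block the app.
    $spTargets = $p.Conditions.ClientApplications.IncludeServicePrincipals
    if ($p.State -eq "enabled" -and $spTargets) {
        [pscustomobject]@{
            PolicyId = $p.Id
            Name     = $p.DisplayName
            Targets  = ($spTargets -join ", ")   # "ServicePrincipalsInMyTenant" or specific object IDs
            Excluded = ($p.Conditions.ClientApplications.ExcludeServicePrincipals -join ", ")
            Controls = ($p.GrantControls.BuiltInControls -join ", ")   # e.g. "block"
        }
    }
}

if ($workloadPolicies) {
    Write-Warning "These enabled policies can apply to the break glass app's service principal:"
    $workloadPolicies | Format-Table -AutoSize
} else {
    Write-Host "No enabled CA policy targets workload identities; user-scoped policies will not block the app."
}
```

If a policy shows up here with "ServicePrincipalsInMyTenant" and no exclusion for the break glass app's service principal, add that exclusion while you still have admin access; otherwise the app is no more useful than the locked-out accounts.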
Emergency Access App (Xavier-App) Test Cases
Test Case 1: Adjust Conditional Access (CA) Policies Using the Emergency Access Application
If a Conditional Access (CA) policy misconfiguration has locked out admin access, use the Emergency Access Application (Xavier-App) to modify or disable the restrictive policy and restore administrative access.
Step 1: Connect to Microsoft Graph PowerShell using the Application Client ID and Certificate Thumbprint
This step is common for all test cases. Use the following approach to authenticate and establish a connection:
# Define variables
$AppId = "<Your_Application_ClientID>"
$TenantId = "<Your_Tenant_ID>"
$CertThumbprint = "<Your_Certificate_Thumbprint>"
# Connect to Microsoft Graph using certificate-based authentication
Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $CertThumbprint
Run this command to list the CA policies:
Get-MgIdentityConditionalAccessPolicy | Format-List
Now, if you need to disable the CA policy that locked the admin account, you can use the command below after identifying the ConditionalAccessPolicyId from the previous step:
$params = @{
displayName = "<Policy name>"
state = "disabled"
}
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId "<Policy ID>" -BodyParameter $params
After Running the CA Policy disable Command
You can find more Conditional Access (CA) Policy Graph PowerShell syntax here for reference.
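During an incident it is easy to disable a policy and lose track of what it contained. The following added example (not from the original post) snapshots the policy to a JSON file before disabling it and then confirms the new state. It assumes an active Connect-MgGraph session through the break glass app; $PolicyId and $BackupFolder are placeholders.

```powershell
# Added example, not from the original post: back up a CA policy to disk, disable
# it, and confirm the change. Assumes a Connect-MgGraph session; placeholders below.
$PolicyId     = "<Policy ID>"
$BackupFolder = "C:\BreakGlass\ca-backups"

$policy = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId

# Keep a dated JSON copy so the policy can be reviewed and restored after the incident.
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$backupPath = Join-Path $BackupFolder ("{0}_{1:yyyyMMdd-HHmmss}.json" -f $policy.Id, (Get-Date))
$policy | ConvertTo-Json -Depth 20 | Set-Content -Path $backupPath -Encoding UTF8

# Only the state needs to change; the name and conditions are left untouched.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = "disabled" }

# Re-read the policy rather than trusting the PATCH call alone.
$after = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
if ($after.State -ne "disabled") { throw "Policy '$($after.DisplayName)' is still '$($after.State)'" }
Write-Host ("Disabled '{0}' (was '{1}'); backup saved to {2}" -f $after.DisplayName, $policy.State, $backupPath)
```

The backup file is also the evidence you will want in the post-incident review: it shows exactly what the policy looked like when it caused the lockout.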
Test Case 2: Create a New Admin Account Using the Emergency Access App (Xavier-App) and Verify Access to the Entra Admin Center
Use the Emergency Access App (Xavier-App) to create a new admin account and confirm that it has the necessary permissions to access the Entra Admin Center successfully.
Assuming you have already connected to Microsoft Graph PowerShell using the command from Test Case 1, you can proceed with the next steps.
Use the command below to create a new Entra ID account with a password and assign the Global Administrator role to it.
$PasswordProfile = @{
Password = '<user password>'
}
New-MgUser -DisplayName '<Display name>' -PasswordProfile $PasswordProfile -AccountEnabled -MailNickName '<Mail nick name>' -UserPrincipalName '<UPN>'
$user = Get-MgUser -Filter "userPrincipalName eq '<user UPN>'"
$roleDefinition = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$directoryScope = '/'
$roleAssignment = New-MgRoleManagementDirectoryRoleAssignment -DirectoryScopeId $directoryScope -PrincipalId $user.Id -RoleDefinitionId $roleDefinition.Id
Command Output:
Newly Created Global Admin Account
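Before signing in with the new account, it is worth confirming that the role assignment really exists and is tenant-wide, because a silently failed New-MgRoleManagementDirectoryRoleAssignment call would leave you with an ordinary user. The following added example (not from the original post) performs that check; it assumes an active Connect-MgGraph session and $Upn is a placeholder for the UPN created above.

```powershell
# Added example, not from the original post: verify the newly created account is
# enabled and holds an active, tenant-wide Global Administrator assignment.
# Assumes a Connect-MgGraph session; $Upn is a placeholder.
$Upn = "<UPN>"

# accountEnabled is not in Get-MgUser's default property set, so request it explicitly.
$user    = Get-MgUser -Filter "userPrincipalName eq '$Upn'" -Property Id,UserPrincipalName,AccountEnabled
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# Active (not PIM-eligible) role assignments for this principal.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" -All
$isGa = $assignments | Where-Object { $_.RoleDefinitionId -eq $roleDef.Id -and $_.DirectoryScopeId -eq '/' }

if (-not $user.AccountEnabled) { Write-Warning "$Upn exists but is disabled" }
if ($isGa) {
    Write-Host "$Upn is Global Administrator (assignment $($isGa.Id))"
} else {
    Write-Warning "$Upn has no tenant-wide Global Administrator assignment; roles found: $($assignments.RoleDefinitionId -join ', ')"
}
```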
Test Case 3: Reset Authentication Methods for an Existing Admin Account to Prevent Sign-In Issues and Tenant Lockout
Use the Emergency Access App (Xavier-App) to reset authentication methods for an existing admin account, ensuring it can regain access and prevent a tenant lockout situation.
In this example, we are re-adding SMS authentication to the admin account, assuming they have lost access to their previous phone and are unable to use the Authenticator App or SMS for MFA verification. This scenario is uncommon but possible, especially in smaller organizations where only a single admin account is configured for the tenant. If that admin loses access to all MFA methods, it could lead to a complete lockout.
Assuming you have already connected to Microsoft Graph PowerShell using the command from Test Case 1, you can proceed with the next steps.
Use the command below to add (re-register) the SMS authentication method on the admin's Entra ID account.
$params = @{
phoneNumber = "<Phone Number with Country code>"
phoneType = "mobile"
}
$userId="<UPN>"
New-MgUserAuthenticationPhoneMethod -UserId $userId -BodyParameter $params
User status in Entra ID Portal
Test Case 4: Reissue a Temporary Access Pass for admin password recovery or new authentication registrations
This method is useful in the following scenarios:
- The admin account password is not working, and new authentication methods need to be registered.
- If the Entra ID admin account is synced from Local AD (not recommended) and the Local AD password is either not working or has been reset by another admin (e.g., one leaving the organization).
- When using Password Hash Synchronization (PHS) and the on-premises password is no longer valid.
Assuming you have already connected to Microsoft Graph PowerShell using the command from Test Case 1, you can proceed with the next steps.
Use the command below to create a Temporary Access Pass (TAP):
$params = @{
startDateTime = [System.DateTime]::Parse("2025-02-15T12:00:00.000Z")
lifetimeInMinutes = 60
isUsableOnce = $false
}
$userId="<UPN>"
New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userId -BodyParameter $params
You need to specify the Temporary Access Pass (TAP) start date and time, along with its lifetime duration.
TAP Status on the User Account
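A hard-coded start date such as the one above is fine for a test, but in a real lockout you want a pass that is valid immediately, usable once, and whose value you actually capture, since Graph returns the pass only in the creation response. The following added example (not from the original post) does that; it assumes an active Connect-MgGraph session, that the Temporary Access Pass method is enabled in the tenant's authentication methods policy, and $Upn is a placeholder.

```powershell
# Added example, not from the original post: issue a one-time TAP valid from now
# and capture its value. Assumes a Connect-MgGraph session and that TAP is enabled
# in the authentication methods policy; $Upn is a placeholder.
$Upn = "<UPN>"

$params = @{
    startDateTime     = (Get-Date).ToUniversalTime()   # valid from now
    lifetimeInMinutes = 60                              # must be within the tenant's TAP policy limits
    isUsableOnce      = $true                           # consumed after a single sign-in
}

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn -BodyParameter $params

# The pass value is only returned here; hand it to the admin over an out-of-band channel.
[pscustomobject]@{
    User       = $Upn
    TAP        = $tap.TemporaryAccessPass
    ValidFrom  = $tap.StartDateTime
    ValidUntil = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
    OneTime    = $tap.IsUsableOnce
}
```

Once the admin signs in with the TAP, they can register a new Authenticator App or FIDO2 key from the My Security Info page, after which the pass is spent and nothing further needs to be revoked.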
Securing & Monitoring the Emergency Access App
Since this application will have highly critical permissions, securing its credentials is paramount.
Best Practices
Use Certificates Over Client Secrets: Certificates provide stronger protection than client secrets and reduce the risk of leakage.
Secure Storage: Store the certificate securely, similar to how you retain your break glass accounts’ credentials.
Implement App Governance: Use Microsoft Defender for Cloud Apps to monitor app permissions and sign-ins.
Regularly Audit Entra Workload Identities: Review applications and their granted permissions periodically to prevent unauthorized persistence.
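The test cases above authenticate with a certificate thumbprint but do not show where the certificate comes from. The following added example (not from the original post) creates the certificate, registers only its public key on the app, and exports the private key as a password-protected PFX for offline storage alongside the break glass account credentials. It requires Windows (New-SelfSignedCertificate) and an active Connect-MgGraph session that may update the app; $AppObjectId and the PFX path are placeholders.

```powershell
# Added example, not from the original post: create the certificate used by
# Connect-MgGraph -CertificateThumbprint, register its public key on the app,
# and export a sealed PFX copy. Windows only; $AppObjectId and $PfxPath are placeholders.
$AppObjectId = "<Your_Application_ObjectID>"
$PfxPath     = "C:\BreakGlass\xavier-app.pfx"

$certParams = @{
    Subject           = "CN=Xavier-App break glass"
    CertStoreLocation = "Cert:\CurrentUser\My"
    KeySpec           = "Signature"
    KeyLength         = 2048
    HashAlgorithm     = "SHA256"
    KeyExportPolicy   = "Exportable"            # needed once for the offline PFX copy
    NotAfter          = (Get-Date).AddYears(1)  # short lifetime forces a rotation review
}
$cert = New-SelfSignedCertificate @certParams

# Upload the public certificate as a key credential. -KeyCredentials replaces the
# whole list, so merge with existing entries if the app already has certificates.
$keyCredential = @{
    Type          = "AsymmetricX509Cert"
    Usage         = "Verify"
    Key           = $cert.RawData                # DER-encoded public certificate only
    DisplayName   = "Xavier-App $($cert.Thumbprint)"
    StartDateTime = $cert.NotBefore
    EndDateTime   = $cert.NotAfter
}
Update-MgApplication -ApplicationId $AppObjectId -KeyCredentials @($keyCredential)

# Export the private key once for the sealed offline copy; afterwards the store copy
# should only remain on the designated recovery workstation.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null

# Confirm the registration and print the value Connect-MgGraph needs.
$registered = (Get-MgApplication -ApplicationId $AppObjectId).KeyCredentials |
    Where-Object { $_.DisplayName -eq $keyCredential.DisplayName }
if (-not $registered) { throw "Key credential was not registered on the app" }
Write-Host "Certificate thumbprint for Connect-MgGraph: $($cert.Thumbprint) (expires $($cert.NotAfter))"
```

Treat the PFX and its password the same way as the break glass account password: separate custodians, sealed storage, and a calendar entry for the expiry date so the certificate is rotated before it lapses rather than discovered dead during an outage.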
Preventing Attacker Persistence via Malicious App Registrations
Attackers often register applications in compromised tenants to maintain long-term access. They might grant themselves privileged Graph API permissions without being detected.
How to Mitigate This Risk:
Monitor App Registrations: Regularly check for new applications with high privileges.
Use Entra Workload Identities: Implement a Conditional Access (CA) policy to regulate Service Principals and Workload Identities access to your tenant based on network location and risk level.
For a step-by-step guide on configuring this policy, refer to my blog:
🔗 Configuring Workload Identities Conditional Access
Enable App Governance Alerts: Use security alerts to detect suspicious permission grants.
For more details on application authentication controls, refer to my blog: Managing Application Authentication Methods in Microsoft Entra ID.
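The "Monitor App Registrations" item above is easiest to act on with a script that enumerates which principals hold high-privilege Graph application permissions, because an attacker's app will look exactly like your break glass app in that list. The following added example (not from the original post) does that and flags anything outside a known allow-list; it assumes an active Connect-MgGraph session with at least Application.Read.All, and $knownPrincipals is a placeholder list of the service principal object IDs you expect (such as Xavier-App's).

```powershell
# Added example, not from the original post: list every service principal holding
# high-privilege Graph application permissions and flag those not on an allow-list.
# Assumes a Connect-MgGraph session; $knownPrincipals is a placeholder list.
$knownPrincipals = @("<Xavier-App service principal object ID>")

$highPrivilege = @(
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Policy.ReadWrite.ConditionalAccess", "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All"
)

$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleById = @{}
foreach ($r in $graphSp.AppRoles) { $roleById[$r.Id] = $r.Value }   # app role GUID -> permission name

# Every app role assignment on the Graph resource is one application permission granted with admin consent.
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

$findings = foreach ($g in $grants) {
    $perm = $roleById[$g.AppRoleId]
    if ($perm -in $highPrivilege) {
        [pscustomobject]@{
            Principal   = $g.PrincipalDisplayName
            PrincipalId = $g.PrincipalId
            Permission  = $perm
            GrantedOn   = $g.CreatedDateTime
            Known       = ($knownPrincipals -contains $g.PrincipalId)
        }
    }
}

$unexpected = $findings | Where-Object { -not $_.Known }
if ($unexpected) {
    Write-Warning "$($unexpected.Count) high-privilege grant(s) to principals not on the allow-list:"
    $unexpected | Sort-Object GrantedOn -Descending | Format-Table -AutoSize
} else {
    Write-Host "Only known principals hold high-privilege Graph application permissions."
}
```

Running this on a schedule and diffing the output against the previous run turns the "regularly check" advice into a concrete detection: a new row with a recent GrantedOn value and Known = False is what a malicious app registration looks like.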
Conclusion
Having an emergency access app can be a lifesaver in critical situations, but it must be properly secured and monitored to prevent abuse. Regularly review your workload identities, app permissions, and Conditional Access policies to ensure they align with your security and operational requirements.
Are you implementing emergency access strategies for your tenant? Let me know your thoughts in the comments below!
Disclaimer
The Emergency Access Application configuration method described here is not a Microsoft-recommended approach; it is based on my own testing and opinions.
Microsoft strongly recommends maintaining at least two Emergency Access Accounts following all security best practices.
If you choose to securely configure this application in your tenant while adhering to your organization's IT security policies, it may assist in disaster recovery situations.
However, if you are already following Microsoft's security recommendations, there is no need to create this Emergency Access Application.