Introduction
In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys in Microsoft Entra ID – what they are, how they work, and how to get started with phishing-resistant and passwordless authentication.
As Conditional Access policies become more complex and phishing-resistant authentication becomes a requirement, break glass accounts need to be configured correctly. An improperly configured emergency access account won’t help during an actual lockout scenario.
This post documents how to set up a break glass account with passkey (FIDO2) authentication from scratch. Microsoft recommends phishing-resistant MFA for emergency access accounts, and we’ll walk through the complete implementation in our own tenant.
Each step is covered, including TAP configuration, passkey registration, SSPR handling, and Conditional Access exclusions. The process follows Microsoft’s official guidance while showing the practical details you’ll encounter when building this yourself.
This walkthrough is a collaboration between Martin Bengtsson and Christian Frohn, documenting the implementation in our tenant.
So when your Conditional Access policies say “you can’t get there from here,” we’ll show you How To Get There From Here.
Creating the Break Glass Account(s)
It’s recommended that you create two or more emergency access accounts:
- Cloud-only accounts using *.onmicrosoft.com domain
- NOT federated or synchronized from on-premises
- No dependency on external identity providers
Below we’re creating the user ‘redningskrans’ (Danish for lifebuoy) on the imabdk.onmicrosoft.com domain and assigning the Global Administrator role.
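The same account creation and role assignment can be scripted. The block below is an added example written for this walkthrough, not a script from the post’s authors; it uses Microsoft Graph PowerShell, assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the listed scopes, and contoso.onmicrosoft.com is a constructed placeholder for your own *.onmicrosoft.com domain. Graph requires a password profile when a user is created, so the script sets a long random password that is never used; the account only ever signs in with the TAP and then the passkey.

```powershell
# Added example (not from the original post). Creates a cloud-only break glass
# account and assigns Global Administrator with Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph module installed; the signing-in admin can consent to the scopes.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$tenantDomain = "contoso.onmicrosoft.com"   # constructed placeholder: your *.onmicrosoft.com domain
$accountName  = "redningskrans"

# Graph insists on a password profile; generate 32 random bytes and never use the result.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$throwawayPassword = [Convert]::ToBase64String($bytes)

$user = New-MgUser `
    -DisplayName       "Break Glass - $accountName" `
    -UserPrincipalName "$accountName@$tenantDomain" `
    -MailNickname      $accountName `
    -AccountEnabled `
    -PasswordProfile   @{ Password = $throwawayPassword; ForceChangePasswordNextSignIn = $false }

# The Global Administrator role definition id is the same fixed template id in every tenant.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"
New-MgRoleManagementDirectoryRoleAssignment `
    -PrincipalId      $user.Id `
    -RoleDefinitionId $globalAdminRoleId `
    -DirectoryScopeId "/"

# Confirm the account is cloud-only: OnPremisesSyncEnabled must be empty or false.
Get-MgUser -UserId $user.Id -Property UserPrincipalName, OnPremisesSyncEnabled, AccountEnabled |
    Select-Object UserPrincipalName, OnPremisesSyncEnabled, AccountEnabled
```

Run it once per break glass account (the post recommends two or more). The final `Get-MgUser` call is the check that matters for the cloud-only requirement: a synchronized account would show `OnPremisesSyncEnabled` as `True` and would inherit any on-premises dependency.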
Authentication Methods
Now that the break glass accounts exist, we need to enable the authentication methods they’ll use. The accounts need passkeys (FIDO2) for phishing-resistant authentication and Temporary Access Pass (TAP) to perform the initial passkey registration.
Enable Passkeys (FIDO2)
- Sign in to the Microsoft Entra admin center as a Global Administrator
- Navigate to Entra ID → Authentication methods → Policies
- Select Passkey (FIDO2)
- Set Enable to Yes
- Under Target, choose your approach:
- All users – Simplest option, enables passkeys tenant-wide
- Add groups – More granular, add your break glass accounts to a specific group
For this setup, we’re using All users since passkeys should be available organization-wide anyway.
Enable Temporary Access Pass (TAP)
TAP provides a time-limited passcode to sign in and register the passkey – since the break glass accounts don’t have any authentication methods yet.
- In Entra ID → Authentication methods → Policies
- Select Temporary Access Pass
- Set Enable to Yes
- Configure TAP settings:
- Minimum lifetime: 1 hour
- Maximum lifetime: 8 hours
- Default lifetime: 1 hour (adjust based on your needs)
- One-time use: Leave unchecked for flexibility
- Under Target, choose who can issue and use TAPs:
- All users – Any user can receive a TAP
- Add groups – Only specific users can receive TAPs
We’re enabling for All users since TAPs are useful beyond just break glass scenarios.
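Both authentication method policies above (Passkey (FIDO2) and Temporary Access Pass) can be set and verified through the Graph API instead of the portal. The following is an added example, not code from the post; it assumes the Microsoft.Graph module and the Policy.ReadWrite.AuthenticationMethod scope, and it uses the built-in `all_users` target id, which is what the portal’s “All users” choice maps to. The lifetimes match the values in the walkthrough.

```powershell
# Added example (not from the original post). Enables the Passkey (FIDO2) and
# Temporary Access Pass authentication method policies for all users, then reads
# both configurations back. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$base = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations"

# "all_users" is the built-in id for the All users scope. To scope a method to a
# break glass group instead, put that group's object id here.
$allUsers = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })

$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true    # lets the account register its key at mysecurityinfo
    isAttestationEnforced            = $false
    includeTargets                   = $allUsers
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/fido2" `
    -Body ($fido2 | ConvertTo-Json -Depth 5) -ContentType "application/json"

$tap = @{
    "@odata.type"            = "#microsoft.graph.temporaryAccessPassAuthenticationMethodConfiguration"
    state                    = "enabled"
    minimumLifetimeInMinutes = 60     # 1 hour, as in the walkthrough
    maximumLifetimeInMinutes = 480    # 8 hours
    defaultLifetimeInMinutes = 60
    isUsableOnce             = $false # policy default; the TAP issued to the account is still one-time
    includeTargets           = $allUsers
}
Invoke-MgGraphRequest -Method PATCH -Uri "$base/temporaryAccessPass" `
    -Body ($tap | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read back and confirm both methods report state = enabled.
foreach ($id in "fido2", "temporaryAccessPass") {
    $cfg = Invoke-MgGraphRequest -Method GET -Uri "$base/$id"
    "{0}: state={1}, targets={2}" -f $id, $cfg.state, (($cfg.includeTargets | ForEach-Object { $_.id }) -join ",")
}
```

The read-back loop at the end is the part worth keeping in a scheduled check: if someone later narrows the FIDO2 target to a group that the break glass account is not in, the passkey stops being a valid sign-in method and the account is silently locked out.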
Exclude from Conditional Access Policies
Before signing in to the break glass account for the first time, we need to exclude it from Conditional Access policies. If you have existing CA policies that require device compliance, specific locations, or other conditions, the break glass account could be blocked during initial setup.
Important: Break glass accounts should be excluded from ALL Conditional Access policies. This prevents lockout from policy misconfiguration – the most common cause of admin lockouts. The passkey provides phishing-resistant authentication independent of any CA requirements.
We have a dedicated exclusion group for all our Conditional Access policies. See the screenshot below.
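Because “excluded from ALL policies” is easy to get wrong as policies are added over time, it is worth auditing rather than trusting a screenshot. The block below is an added example, not the authors’ script; it assumes the Microsoft.Graph module, the listed read scopes, and a dedicated exclusion group. The UPN and group name are constructed placeholders.

```powershell
# Added example (not from the original post). Verifies that the break glass account
# is in the CA exclusion group and that every enabled or report-only Conditional
# Access policy excludes either that group or the account directly.
Connect-MgGraph -Scopes "Policy.Read.All", "Group.Read.All", "User.Read.All"

$breakGlassUpn      = "redningskrans@contoso.onmicrosoft.com"   # constructed placeholder
$exclusionGroupName = "CA - Break Glass Exclusions"             # constructed placeholder

$user  = Get-MgUser  -UserId $breakGlassUpn -Property Id, UserPrincipalName
$group = Get-MgGroup -Filter "displayName eq '$exclusionGroupName'"
if (-not $group) { throw "Exclusion group '$exclusionGroupName' not found" }

# 1. Is the account a direct member of the exclusion group?
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
if ($memberIds -notcontains $user.Id) {
    Write-Warning "$breakGlassUpn is not a member of '$exclusionGroupName'"
}

# 2. Which enabled or report-only policies fail to exclude it?
$gaps = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($policy.State -eq "disabled") { continue }
    $u = $policy.Conditions.Users
    $excluded = ($u.ExcludeGroups -contains $group.Id) -or ($u.ExcludeUsers -contains $user.Id)
    if (-not $excluded) {
        [pscustomobject]@{ Policy = $policy.DisplayName; State = $policy.State }
    }
}

if ($gaps) {
    Write-Warning "Policies that do NOT exclude the break glass account:"
    $gaps | Format-Table -AutoSize
} else {
    "All enabled and report-only CA policies exclude $breakGlassUpn."
}
```

Report-only policies are deliberately included, since they are usually one click away from being enforced. The check only looks at direct group and user exclusions; if your exclusion group is nested inside another group, extend the membership lookup accordingly.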
Assign a TAP to the Account
With the authentication methods enabled and the account excluded from CA policies, we can now assign a Temporary Access Pass. The TAP provides a time-limited passcode that allows the break glass account to sign in for the first time and register the passkey.
Generate the TAP
- Navigate to Entra ID → Users
- Search for and select your break glass account
- In the left menu, select Authentication methods
- Click + Add authentication method
- From the dropdown, select Temporary Access Pass
- Configure the TAP:
- Lifetime: Set based on your needs (we’re using 1 hour)
- One-time use: Yes
- Click Add
The TAP will be displayed on screen. Copy this value immediately – you won’t be able to see it again.
Important Notes
- The TAP is valid for the lifetime you specified (1 hour in this example)
- Once used to register the passkey, you can delete the TAP
- The TAP works even though the account has no password set
- Store the TAP securely until you complete passkey registration
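Issuing the TAP, and deleting it once the passkey is registered, can also be done from Graph PowerShell. This is an added example, not the post’s own script; it assumes the Microsoft.Graph module and the UserAuthenticationMethod.ReadWrite.All scope, and the UPN is a constructed placeholder. The removal function refuses to delete the TAP until a FIDO2 method exists on the account, so you cannot accidentally leave the account with no sign-in method.

```powershell
# Added example (not from the original post). Issues a one-time, 1-hour TAP to the
# break glass account, and removes it only after a passkey has been registered.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$breakGlassUpn = "redningskrans@contoso.onmicrosoft.com"   # constructed placeholder

function New-BreakGlassTap {
    param([string] $Upn, [int] $LifetimeMinutes = 60)
    # The lifetime must fall within the min/max set in the TAP authentication method policy.
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn `
        -LifetimeInMinutes $LifetimeMinutes -IsUsableOnce
    # The pass value is returned only by this call, exactly like the portal's one-time display.
    [pscustomobject]@{
        Pass      = $tap.TemporaryAccessPass
        ValidFrom = $tap.StartDateTime
        Minutes   = $tap.LifetimeInMinutes
        OneTime   = $tap.IsUsableOnce
    }
}

function Remove-BreakGlassTap {
    param([string] $Upn)
    # Guard: keep the TAP until at least one FIDO2 passkey is registered on the account.
    $keys = Get-MgUserAuthenticationFido2Method -UserId $Upn
    if (-not $keys) { throw "No passkey registered on $Upn yet; keeping the TAP." }
    $keys | Select-Object DisplayName, Model, CreatedDateTime | Format-Table -AutoSize
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn | ForEach-Object {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $Upn `
            -TemporaryAccessPassAuthenticationMethodId $_.Id
        "Removed TAP $($_.Id)"
    }
}

# Step 1 (before registration): issue the pass and hand it over through a secure channel.
New-BreakGlassTap -Upn $breakGlassUpn

# Step 2 (after the passkey is registered at https://aka.ms/mysecurityinfo):
# Remove-BreakGlassTap -Upn $breakGlassUpn
```

Only one TAP can exist on an account at a time, so `Remove-BreakGlassTap` will normally delete exactly one method. The `Get-MgUserAuthenticationFido2Method` output doubles as a record of which physical key (model and registration date) belongs to the account, which is useful for the documentation the post asks you to keep current.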
Sign in Using TAP
Now that we have the TAP, we’ll use it to sign in to the break glass account for the first time. This initial sign-in allows us to access the security info registration page where we can register the passkey.
Initial Sign-In
- Open a browser (preferably in private/incognito mode to avoid conflicts with existing sessions)
- Navigate to https://aka.ms/mysecurityinfo
- Enter the break glass account username (e.g., breakglass@yourdomain.onmicrosoft.com)
- When prompted for authentication, enter the TAP you copied earlier
- Click Sign in
What Happens Next
After signing in with the TAP, you’ll be directed to the security info page. This is where you’ll register the passkey in the next step.
Note: You may see prompts to register additional authentication methods (like SSPR). We’ll address this after passkey registration.
With successful sign-in, you’re ready to register the passkey on your FIDO2 security key.
Register the Passkey (FIDO2) for the Account
Now that you’re signed in with the TAP, it’s time to register the passkey. This is the critical step that sets up phishing-resistant authentication for the break glass account.
Add the Passkey
You should already be on the https://aka.ms/mysecurityinfo page from the previous step.
- Click + Add sign-in method
- From the dropdown, select Security key
- A dialog will appear asking you to set up your passkey
- Insert your FIDO2 security key if it’s not already connected
- Follow the browser prompts to activate your security key:
- You may need to touch the security key
- You may need to enter a PIN (if your key requires one)
- Once the key is activated, the passkey will be registered
- Give the passkey a recognizable name
Test Passkey Authentication Works
With the passkey registered, it’s time to test a complete sign-in flow to verify everything works as expected. This ensures the passkey is properly configured and the account can be used in an emergency.
Perform a Test Sign-In
- Open a new browser window (private/incognito recommended)
- Navigate to https://portal.azure.com
- Enter the break glass account username
- When prompted for authentication:
- Insert your FIDO2 security key
- Enter its PIN and touch the key when prompted
Troubleshooting
If sign-in fails:
- Check the passkey is registered at https://aka.ms/mysecurityinfo
- Ensure the account remains excluded from CA policies
- Review Entra ID → Sign-in logs for error details:
- Look for the failed sign-in attempt by username
- Check the Status and Failure reason columns
- Review Conditional Access tab to see if any policy blocked the sign-in
Once testing is successful, the passkey is ready for production use.
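The sign-in log review described in the troubleshooting steps, and the 90-day test reminder from the conclusion, can be scripted as one check. The block below is an added example rather than code from the post; it assumes the Microsoft.Graph module, the AuditLog.Read.All and Directory.Read.All scopes, and an Entra ID P1 licence (required for the signInActivity property). The UPN is a constructed placeholder.

```powershell
# Added example (not from the original post). Lists the latest sign-ins for the
# break glass account with the fields the post says to inspect (status, failure
# reason, Conditional Access result) and warns when the last sign-in is older
# than 90 days. signInActivity requires an Entra ID P1 licence.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$breakGlassUpn = "redningskrans@contoso.onmicrosoft.com"   # constructed placeholder

$rows = foreach ($s in Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$breakGlassUpn'" -Top 10) {
    # Only policies that actually evaluated this sign-in are interesting; "notApplied" is noise.
    $ca = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -in "success", "failure", "reportOnlyFailure" } |
        ForEach-Object { "$($_.DisplayName)=$($_.Result)" }
    [pscustomobject]@{
        Time          = $s.CreatedDateTime
        App           = $s.AppDisplayName
        Status        = if ($s.Status.ErrorCode -eq 0) { "Success" } else { "Failure $($s.Status.ErrorCode)" }
        FailureReason = $s.Status.FailureReason
        CAStatus      = $s.ConditionalAccessStatus
        CAPolicies    = $ca -join "; "
    }
}
$rows | Format-Table -AutoSize

# 90-day test reminder: when did the account last sign in?
$user = Get-MgUser -UserId $breakGlassUpn -Property UserPrincipalName, SignInActivity
$last = $user.SignInActivity.LastSignInDateTime
if (-not $last) {
    Write-Warning "$breakGlassUpn has never signed in; the passkey has not been tested."
} elseif (((Get-Date) - $last).TotalDays -gt 90) {
    Write-Warning ("{0} last signed in {1:yyyy-MM-dd}; test it now." -f $breakGlassUpn, $last)
} else {
    "Last sign-in {0:yyyy-MM-dd}; within the 90-day test window." -f $last
}
```

A non-empty `CAPolicies` column on a break glass sign-in is itself a finding: with a correct exclusion, no policy should evaluate to success or failure for this account. Any sign-in from this account outside a scheduled test is also worth alerting on, since the account should otherwise be dormant.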
Handling the SSPR Registration Prompt
When you sign in with the passkey, you may be prompted to register for self-service password reset (SSPR). This happens because all administrator accounts are enabled for SSPR by default, and it requires two authentication methods.
What You’ll See
A screen asking you to set up additional authentication methods like:
- Phone number
- Microsoft Authenticator app
Your Options
Option 1: Skip it (temporarily)
- Click “Skip setup” at the bottom of the prompt
- You’ll be prompted again on future sign-ins
Option 2: Complete it with organizational methods
- Use a shared organizational email
- Use an organizational phone accessible to multiple admins
- Use an authenticator app on a shared device (not personal phone)
- Store these credentials with the FIDO2 key in the same secure location
Microsoft’s guidance says to avoid personal devices, so if you complete SSPR registration, use shared/organizational methods only.
Conclusion
Your break glass account is now configured with phishing-resistant authentication and ready to use. When Conditional Access policies or other issues lock you out, you’ll have a reliable way to regain access to your tenant.
Remember to test the account every 90 days and keep the documentation current. A properly maintained break glass account is your insurance policy against “you can’t get there from here” scenarios.
Now you know How To Get There From Here. 🔓
Co-authored by:
Martin Bengtsson | imab.dk
Christian Frohn | christianfrohn.dk