Break-glass admin accounts excluded from CA
Demonstrate that designated break-glass administrator accounts are systematically excluded from all Conditional Access policies while compensating monitoring and review controls detect unauthorized or undocumented usage.
Description
What this control does
Break-glass (emergency access) administrative accounts are intentionally excluded from Conditional Access (CA) policies so that recovery access remains available when authentication systems fail or a misconfigured CA policy locks out all users. These accounts are typically cloud-only identities with randomly generated, complex passwords stored in a secured physical location or vault, and they are used only during critical incidents. Exclusion from CA prevents circular lockout scenarios but requires compensating detective controls, including real-time alerting, session recording, and post-use review, to mitigate the risk of abuse.
Control objective
What auditing this proves
Demonstrate that designated break-glass administrator accounts are systematically excluded from all Conditional Access policies while compensating monitoring and review controls detect unauthorized or undocumented usage.
Associated risks
Risks this control addresses
- Administrative lockout during CA policy misconfiguration preventing recovery access to critical identity infrastructure
- Authentication system outages (MFA provider failures, federation errors) rendering all standard admin access paths unavailable
- Unauthorized use of break-glass accounts for routine administration bypassing logging, approval, and MFA requirements
- Insider threat actors exploiting break-glass credentials to perform privileged actions without standard detection mechanisms
- Break-glass account compromise through inadequate physical storage security enabling persistent backdoor access
- Regulatory non-compliance due to administrative actions performed without multifactor authentication or session accountability
- Delayed incident response when break-glass credentials are unavailable, outdated, or undocumented during actual emergencies
Testing procedure
How an auditor verifies this control
- Obtain the organization's documented list of designated break-glass or emergency access administrator accounts including account names and intended purpose.
- Export all active Conditional Access policies from the identity provider (Azure AD, Okta, etc.) including policy names, conditions, controls, and user/group exclusions.
- Cross-reference each Conditional Access policy's exclusion lists against the documented break-glass account inventory to verify systematic exclusion across all policies.
- Review the credential storage mechanism for break-glass accounts confirming physical vault storage or equivalent secured access control with documented retrieval procedures.
- Query authentication logs for the past 12 months, filtering for break-glass account sign-in events, and identify all usage instances.
- For each identified break-glass account usage event, obtain corresponding incident tickets, change records, or approval documentation justifying the emergency access.
- Verify that real-time alerting mechanisms (SIEM rules, email notifications, SOC workflows) trigger immediately upon break-glass account authentication attempts.
- Test one break-glass account authentication in a non-production environment or review recent authorized test results confirming the account successfully bypasses all CA policies while generating expected alerts.
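The two cross-checks above that can be done from exported data (policy exclusion coverage, and sign-in events matched against incident records) are shown below as an added example; this is not code from the original control page or from any identity provider. The policy records use a simplified shape modelled on Microsoft Graph's conditionalAccessPolicy object (state, conditions.users.excludeUsers, conditions.users.excludeGroups); an Okta export would need a different loader but the same checks apply. All account ids, group ids, policies, sign-in events and tickets are constructed sample data.

```python
"""Audit helpers for break-glass CA exclusion coverage and usage review."""
from datetime import datetime, timedelta

# Constructed inventory: documented break-glass accounts (name -> object id)
# and a group intended to hold them so every policy can exclude one group.
BREAK_GLASS_ACCOUNTS = {
    "bg-admin-1": "11111111-1111-1111-1111-111111111111",
    "bg-admin-2": "22222222-2222-2222-2222-222222222222",
}
BREAK_GLASS_GROUP = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
GROUP_MEMBERS = {BREAK_GLASS_GROUP: set(BREAK_GLASS_ACCOUNTS.values())}


def policy(name, state, exclude_users=(), exclude_groups=()):
    """Build a policy record in the simplified Graph-like shape (constructed)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"],
                                     "excludeUsers": list(exclude_users),
                                     "excludeGroups": list(exclude_groups)}}}


# Constructed policy export: one correct, one partial, one report-only, one disabled.
CA_POLICIES = [
    policy("Require MFA for all users", "enabled", exclude_groups=[BREAK_GLASS_GROUP]),
    policy("Block legacy authentication", "enabled",
           exclude_users=[BREAK_GLASS_ACCOUNTS["bg-admin-1"]]),
    policy("Require compliant device", "enabledForReportingButNotEnforced"),
    policy("Retired pilot policy", "disabled"),
]


def excluded_accounts(policy_record, group_members):
    """Object ids a policy excludes, directly or through an excluded group."""
    users = policy_record["conditions"]["users"]
    excluded = set(users.get("excludeUsers", []))
    for group_id in users.get("excludeGroups", []):
        excluded |= group_members.get(group_id, set())
    return excluded


def exclusion_gaps(policies, accounts, group_members):
    """Map policy name -> break-glass accounts that policy fails to exclude.

    Disabled policies are skipped. Report-only policies are still checked,
    because flipping one to enforced would otherwise lock the accounts out.
    """
    gaps = {}
    for p in policies:
        if p["state"] == "disabled":
            continue
        excluded = excluded_accounts(p, group_members)
        missing = sorted(n for n, oid in accounts.items() if oid not in excluded)
        if missing:
            gaps[p["displayName"]] = missing
    return gaps


# Constructed sign-in events: (UTC timestamp, user object id, result).
SIGN_INS = [
    ("2024-03-02T01:15:00", BREAK_GLASS_ACCOUNTS["bg-admin-1"], "success"),
    ("2024-03-02T01:17:00", BREAK_GLASS_ACCOUNTS["bg-admin-1"], "success"),
    ("2024-05-20T09:00:00", BREAK_GLASS_ACCOUNTS["bg-admin-2"], "failure"),
    ("2024-07-14T22:40:00", BREAK_GLASS_ACCOUNTS["bg-admin-2"], "success"),
    ("2024-07-15T08:00:00", "33333333-3333-3333-3333-333333333333", "success"),
]

# Constructed incident records that justify emergency use of an account.
TICKETS = [
    {"id": "INC-0001", "account": "bg-admin-1",
     "opened": "2024-03-01T23:50:00", "closed": "2024-03-02T03:00:00"},
]


def unjustified_usage(sign_ins, tickets, accounts, slack_hours=1):
    """Break-glass sign-ins (successful or failed) with no covering ticket.

    A ticket covers an event if the event falls between the ticket's open and
    close times, widened by slack_hours on each side. Failed attempts are
    reported too: a failed break-glass sign-in should also have raised an alert.
    """
    name_of = {oid: name for name, oid in accounts.items()}
    slack = timedelta(hours=slack_hours)
    findings = []
    for ts, oid, result in sign_ins:
        if oid not in name_of:
            continue  # not a break-glass account; outside this review
        when = datetime.fromisoformat(ts)
        covered = any(
            t["account"] == name_of[oid]
            and datetime.fromisoformat(t["opened"]) - slack <= when
            <= datetime.fromisoformat(t["closed"]) + slack
            for t in tickets
        )
        if not covered:
            findings.append((ts, name_of[oid], result))
    return findings


if __name__ == "__main__":
    for name, missing in exclusion_gaps(CA_POLICIES, BREAK_GLASS_ACCOUNTS, GROUP_MEMBERS).items():
        print(f"GAP: {name!r} does not exclude {', '.join(missing)}")
    for ts, acct, result in unjustified_usage(SIGN_INS, TICKETS, BREAK_GLASS_ACCOUNTS):
        print(f"REVIEW: {acct} {result} sign-in at {ts} has no matching incident record")
```

Run against the constructed data, the exclusion check reports the partially configured legacy-auth policy and the report-only device policy, and the usage check surfaces both bg-admin-2 events (one failed, one successful) because no ticket covers them. The report-only case is deliberate: an auditor treating report-only policies as harmless would miss a latent lockout. Resolving group membership at audit time rather than trusting the group's name is what catches a break-glass account that was never actually added to the exclusion group.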
Where this control is tested