Break the Glass Securely
Let’s face it: Break-the-Glass accounts are either your tenant's safety net — or a dangerous liability waiting to be forgotten.
And while many admins know they should have one, far fewer know how to do it right. Across tenants. Securely. Consistently.
So here’s how I approach it — MSP-style:
We’re not just talking about a user account with global admin and a long password. No. We’re building a controlled failsafe.
🧱 The Structure
We split the BTG solution into 3 core components:
🛡️ Group:
🛡️🧑💼⛓️🔓Group - Break the Glass solution
A dynamic group whose membership rule automatically includes your BTG account (e.g. gordon.freeman@).
🚩 Named Location:
🚩✅NLOC - Panic Room
The only IP or network from which your BTG user is even allowed to authenticate.
🚦 Conditional Access:
🚦🔴CA - Block External login for BTG
This policy targets the group and blocks sign-in to everything from every location — except the Panic Room named location.
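The three components above, built with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from any tool it mentions. It assumes the Microsoft.Graph module is installed, the tenant is licensed for dynamic groups and Conditional Access, the BTG account already exists, and that `$BtgUpn` and `$PanicRoomCidr` are placeholders you replace (the 203.0.113.0/24 range is an RFC 5737 documentation range, used here only as a constructed sample).

```powershell
# Added example: creates the dynamic group, the named location and the blocking
# Conditional Access policy described in the post via Microsoft Graph.
# Assumed: Microsoft.Graph installed, tenant licensed for dynamic groups + CA,
# BTG account already exists. Both parameters are placeholders.
param(
    [Parameter(Mandatory)] [string] $BtgUpn,         # placeholder, e.g. 'gordon.freeman@<tenant-domain>'
    [Parameter(Mandatory)] [string] $PanicRoomCidr   # placeholder, e.g. '203.0.113.10/32' (RFC 5737 sample range)
)

$graph = 'https://graph.microsoft.com/v1.0'
# Policy.Read.All is required alongside Policy.ReadWrite.ConditionalAccess to write CA policies.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# 1. Dynamic group: membership is derived from the UPN, so nobody adds the account by hand.
#    Caveat: if the BTG account is ever renamed, the rule stops matching, the group
#    empties, and the block policy silently no longer applies. Processing takes a few minutes.
$group = Invoke-MgGraphRequest -Method POST -Uri "$graph/groups" -Body @{
    displayName                   = 'Group - Break the Glass solution'   # emoji prefix from the post omitted here
    mailEnabled                   = $false
    mailNickname                  = 'btg-solution'
    securityEnabled               = $true
    groupTypes                    = @('DynamicMembership')
    membershipRule                = "(user.userPrincipalName -eq `"$BtgUpn`")"
    membershipRuleProcessingState = 'On'
}

# 2. Named location: the Panic Room range. Deliberately NOT marked as trusted, so it
#    does not loosen any other policy that excludes "all trusted locations".
$location = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/namedLocations" -Body @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'NLOC - Panic Room'
    isTrusted     = $false
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $PanicRoomCidr }
    )
}

# 3. Conditional Access: block the group for all apps from all locations except the
#    Panic Room. Created in report-only mode so the sign-in log shows "would block"
#    results before you enforce it.
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body @{
    displayName   = 'CA - Block External login for BTG'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after a successful test from the Panic Room
    conditions    = @{
        users          = @{ includeGroups = @($group.id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Record the object ids; you will want them in the runbook and in your cross-tenant tooling.
[pscustomobject]@{
    GroupId     = $group.id
    LocationId  = $location.id
    PolicyId    = $policy.id
    PolicyState = $policy.state
}
```

Run it once per tenant with that tenant's BTG UPN and Panic Room range. The policy starts in report-only mode on purpose: a block-everything policy that is wrong by one group id or one CIDR is exactly the failure this setup exists to prevent, so confirm a sign-in from the Panic Room succeeds and one from elsewhere reports "would block" before flipping `state` to `enabled`.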
🧠 Why it works
✅ No need to exclude BTG users from every policy manually
✅ Controlled entry point via IP — like a physical access gate
✅ Fully supported by tools like SuperVision for easy replication across tenants
👀 Common mistakes
- Making the BTG account visible to all admins 😬
- Using a shared IP or home broadband for the Named Location
- Not logging BTG sign-ins separately
- Forgetting to test the whole setup regularly
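A recurring check for the last two mistakes in that list, written as an added example rather than code from the post. It pulls recent sign-ins for the BTG account from the Entra sign-in log through Microsoft Graph, flags any that did not originate from the Panic Room range, and confirms the blocking policy still exists and is enabled. It assumes Microsoft.Graph is installed and connected with AuditLog.Read.All, Directory.Read.All and Policy.Read.All; the UPN, CIDR and policy name are placeholders that must match what you deployed.

```powershell
# Added example: audit BTG sign-ins and check the block policy has not drifted.
# Assumed: Microsoft.Graph installed; scopes AuditLog.Read.All, Directory.Read.All,
# Policy.Read.All. All identifiers below are placeholders.

function ConvertFrom-Octets {
    # Folds a 4-byte IPv4 address into a number in network byte order, independent of host endianness.
    param([byte[]] $Bytes)
    [uint64] $acc = 0
    foreach ($b in $Bytes) { $acc = ($acc -shl 8) -bor [uint64] $b }
    return $acc
}

function Test-IPv4InCidr {
    # $true when $IPAddress lies inside the IPv4 block $Cidr. Unparsable, empty or IPv6
    # input returns $false, i.e. it is treated as "not the Panic Room".
    param([string] $IPAddress, [string] $Cidr)
    $network, $prefix = $Cidr -split '/'
    $ip = $null; $net = $null
    if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref] $ip)) { return $false }
    if (-not [System.Net.IPAddress]::TryParse($network, [ref] $net)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork' -or $net.AddressFamily -ne 'InterNetwork') { return $false }
    # 4294967295 is 0xFFFFFFFF; written in decimal because a 32-bit hex literal would parse as -1.
    $mask = ([uint64] 4294967295 -shl (32 - [int] $prefix)) -band [uint64] 4294967295
    return ((ConvertFrom-Octets $ip.GetAddressBytes()) -band $mask) -eq ((ConvertFrom-Octets $net.GetAddressBytes()) -band $mask)
}

function Get-BtgSignInFindings {
    # Every BTG sign-in is worth a ticket (INFO at minimum); one from outside the
    # Panic Room is HIGH, and a successful one from outside is CRITICAL.
    param([string] $BtgUpn, [string] $PanicRoomCidr, [int] $Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=userPrincipalName eq '$BtgUpn' and createdDateTime ge $since&`$top=100"
    $findings = @()
    while ($uri) {                                   # follow @odata.nextLink until the log is exhausted
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($s in $page.value) {
            $fromPanicRoom = Test-IPv4InCidr -IPAddress $s.ipAddress -Cidr $PanicRoomCidr
            $success = ($s.status.errorCode -eq 0)
            $severity = 'INFO'
            if (-not $fromPanicRoom) { $severity = if ($success) { 'CRITICAL' } else { 'HIGH' } }
            $findings += [pscustomobject]@{
                Time          = $s.createdDateTime
                IP            = $s.ipAddress
                FromPanicRoom = $fromPanicRoom
                Success       = $success
                CAResult      = $s.conditionalAccessStatus   # success / failure / notApplied
                Severity      = $severity
            }
        }
        $uri = $page.'@odata.nextLink'
    }
    return $findings
}

function Get-BtgPolicyState {
    # Drift check: anything other than 'enabled' means the one narrow way in is no longer enforced.
    param([string] $PolicyName = 'CA - Block External login for BTG')
    $all = (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value
    $p = $all | Where-Object { $_.displayName -eq $PolicyName } | Select-Object -First 1
    if (-not $p) { return 'MISSING' }
    return $p.state
}

# Usage (placeholders): run from a scheduled job and route anything above INFO to your SOC channel.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All'
Get-BtgSignInFindings -BtgUpn 'gordon.freeman@<tenant-domain>' -PanicRoomCidr '203.0.113.10/32' |
    Sort-Object Time -Descending | Format-Table -AutoSize
"Block policy state: $(Get-BtgPolicyState)"
```

Scheduling this weekly covers both gaps at once: the sign-in query is your separate BTG log (a raw sign-in event for this account should be rare enough to read line by line), and the policy-state check catches the common drift where someone sets the policy to report-only "just for a test" and never puts it back. Pair it with an actual test sign-in from the Panic Room on a fixed cadence, so you also learn when the Panic Room IP itself has changed.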
"If your break-glass login works from Starbucks, you're doing it wrong."
🪟 Bonus: Nerd Factor
Naming the account gordon.freeman@ might not increase security...
But it does make the documentation more fun to read.
And if you've gone full Half-Life with your config, don’t forget:
- Mark your vault entry: Crowbar Credentials – Do Not Touch
- Print the plan and laminate it. For that end of the world vibe.
✅ Wrap-up
Break-the-Glass accounts shouldn't just exist — they should exist intentionally.
With clear boundaries. With logging. And with one very narrow way in.
One user.
One IP.
One job.
🧯 Use it responsibly.