Emergency Access Account Used [RULE-1129]
This rule detects when someone signs in using an emergency access (break-glass) account. Emergency access accounts are highly privileged accounts intended exclusively for scenarios where normal administrative accounts cannot be used, such as during a major outage or when all other administrators are locked out.
Rationale
Emergency access accounts are designed as a last resort. They typically have Global Administrator privileges, are excluded from conditional access policies and MFA requirements, and often use long, complex passwords stored in a secure physical location. Because of their elevated privileges and reduced security controls, any use of these accounts warrants immediate investigation.
In a legitimate scenario, an emergency access account would only be used during a genuine emergency, such as a tenant lockout caused by a misconfigured conditional access policy, a failed MFA provider, or the loss of all other administrator accounts. The use should always be pre-planned, documented, and performed by an authorized IT administrator.
However, if an attacker has obtained the credentials for an emergency access account -- through a compromised password vault, physical theft, or social engineering -- they gain unrestricted access to the entire tenant without MFA protection. This represents the highest possible impact scenario, aligning with MITRE ATT&CK T1078.004 (Valid Accounts: Cloud Accounts), where adversaries use valid cloud credentials to maintain persistent access. Because emergency access accounts bypass most security controls, compromise of these credentials can be extremely difficult to detect through other means.
Follow-up
Follow these steps to adequately address this detection:
- Contact the IT team immediately to verify whether someone used the emergency access account intentionally. Check whether there was a documented emergency or outage that required the use of this account.
- If no: The use of the emergency access account was not authorized:
  - Immediately change the password of the emergency access account and store the new credentials securely.
  - Review all actions performed by the emergency access account in the Unified Audit Log at security.microsoft.com. Look for role assignments, application consent grants, conditional access policy changes, or any other administrative modifications.
  - Revert any unauthorized changes made during the session. Pay special attention to new role assignments, newly registered applications, and modified security policies.
  - Investigate how the credentials were obtained. Review access to the physical or digital storage location of the emergency account credentials. Contact Attic for incident response support if there is evidence of broader compromise.
- If yes: The emergency access account was used intentionally during a genuine emergency:
  - Verify that the actions performed during the session were limited to resolving the emergency. Review the audit log to confirm no excessive or unnecessary changes were made.
  - Rotate the password of the emergency access account as a standard post-use procedure and store the new credentials securely. Close the incident.
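As an added example (not part of this rule's documentation or of any vendor tooling), the helper below groups a break-glass account's Unified Audit Log records into the review categories named in the steps above and flags actions outside the documented emergency window. The Entra operation names, the sample records and the account name are assumptions constructed for the example; verify the operation strings against your own tenant's export.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Operation names as they appear in the Unified Audit Log "Operation" field for
# Entra ID events (assumed from the common Entra audit operation names; check them
# against your tenant's export). Grouped into the review categories from the steps.
RISKY_OPERATIONS = {
    "role_assignment": {"Add member to role.", "Add eligible member to role."},
    "app_consent": {"Consent to application.", "Add app role assignment grant to user."},
    "app_registration": {"Add application.", "Add service principal.",
                         "Add service principal credentials."},
    "conditional_access": {"Add conditional access policy.",
                           "Update conditional access policy.",
                           "Delete conditional access policy."},
}

def triage(records, account, window=None):
    """Group every audit record attributed to `account` by review category.

    records: Unified Audit Log entries as dicts (the JSON shape a
             Search-UnifiedAuditLog result expands to); CreationTime is UTC.
    window:  optional (start, end) UTC datetimes of the documented emergency;
             any action outside it is also listed under "outside_window".
    """
    findings = defaultdict(list)
    for rec in records:
        if rec.get("UserId", "").lower() != account.lower():
            continue  # changes by other principals are triaged separately
        op = rec.get("Operation", "")
        category = next((c for c, ops in RISKY_OPERATIONS.items() if op in ops), "other")
        findings[category].append(op)
        if window:
            ts = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
            if not (window[0] <= ts <= window[1]):
                findings["outside_window"].append(op)
    return dict(findings)

# Constructed sample export: a CA policy fix inside a documented 03:00-04:00 UTC
# lockout window, plus a role assignment almost two hours after it closed.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-02T03:14:07", "UserId": "breakglass@contoso.example",
     "Operation": "Update conditional access policy."},
    {"CreationTime": "2024-05-02T03:20:41", "UserId": "breakglass@contoso.example",
     "Operation": "UserLoggedIn"},
    {"CreationTime": "2024-05-02T05:48:19", "UserId": "breakglass@contoso.example",
     "Operation": "Add member to role."},
    {"CreationTime": "2024-05-02T03:30:00", "UserId": "admin@contoso.example",
     "Operation": "Add application."},
]
EMERGENCY_WINDOW = (datetime(2024, 5, 2, 3, 0, tzinfo=timezone.utc),
                    datetime(2024, 5, 2, 4, 0, tzinfo=timezone.utc))
```

Anything under `outside_window` or in a category the IT team did not expect for the emergency is what the "revert unauthorized changes" step should start from.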