Monitor Your Break Glass Account CA Policy Exclusions: Introducing Invoke-CAIQBreakGlassAssessment; Another ConditionalAccessIQ Tool

  • Writer: Gabriel Delaney
  • Mar 14
  • 5 min read


In Microsoft Entra ID (formerly Azure AD), break glass accounts serve as your emergency access path when normal administrative channels are unavailable. These critical accounts need special handling - particularly when it comes to Conditional Access Policies (CAPs). While CAPs are essential for securing your environment, they can inadvertently lock out your emergency access accounts during a crisis if not properly configured.

The challenge many organizations face is maintaining visibility into whether break glass accounts remain properly excluded from restrictive policies as CAPs evolve over time. A single policy update could inadvertently subject a break glass account to MFA requirements, IP restrictions, or other controls that might render it unusable during an emergency.

Several months ago, I created a PowerShell script to verify break glass account exclusions and wrote about it in a LinkedIn article. While that script worked, the implementation was clunky and not as user-friendly as I wanted. I initially considered creating an entire module dedicated to break glass account management, but after careful consideration, it made more sense to integrate this functionality directly into ConditionalAccessIQ. This integration provides a more robust, streamlined solution that fits naturally alongside policy change tracking.

The latest addition to ConditionalAccessIQ - Invoke-CAIQBreakGlassAssessment - directly addresses this critical security concern. This new functionality provides a simple way to verify that your emergency access accounts remain properly excluded from all Conditional Access policies.

Why Break Glass Account Exclusions Matter

Break glass accounts exist for extraordinary circumstances - typically when normal authentication methods are unavailable or compromised. Consider these scenarios:

  • Your MFA provider experiences an outage, preventing administrators from authenticating

  • Your organization faces a disaster scenario where normal access channels are disrupted

In these situations, break glass accounts become your failsafe. But if these accounts are subject to the same Conditional Access restrictions as regular accounts, they can become unusable at the very moment they're needed most.

Microsoft's security guidance recommends maintaining at least two emergency access accounts and excluding them from all Conditional Access policies. However, maintaining that exclusion state across dozens of policies - especially as policies evolve over time - is hard to do reliably without tooling.

How Invoke-CAIQBreakGlassAssessment Works

The Invoke-CAIQBreakGlassAssessment function performs a comprehensive analysis of your break glass accounts against all Conditional Access policies. Here's what it does:

  1. Accepts one or more break glass account identifiers (UPN or Object ID)

  2. Retrieves all Conditional Access policies from your Entra ID environment

  3. For each policy, checks whether each break glass account is properly excluded

  4. Generates an interactive HTML dashboard showing exclusion status across all policies

  5. Provides direct links to the Entra portal for any policies needing remediation
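
The decision step 3 has to make is the interesting one, so here is an added example of it in PowerShell. This is not ConditionalAccessIQ's code and does not call Microsoft Graph: the policy objects are constructed inline with the shape Get-MgIdentityConditionalAccessPolicy returns (Conditions.Users.IncludeUsers, ExcludeUsers, IncludeGroups, ExcludeGroups, IncludeRoles), and the UPN-to-object-ID, group-membership and role-membership lookups are hashtables standing in for Get-MgUser and Get-MgUserTransitiveMemberOf. All UPNs, object IDs, group IDs and policy names are made up; the only real identifier is the well-known Global Administrator role template ID. ExcludeRoles is not modelled.

```powershell
# Added example (not ConditionalAccessIQ code): evaluate a break glass account's
# exclusion status against Conditional Access policies, offline, using policy
# objects constructed with the shape Get-MgIdentityConditionalAccessPolicy
# returns. All UPNs, object IDs, group IDs and policy names are made up.

# Constructed directory lookups. In a live run: Get-MgUser -UserId <upn> gives
# the object ID, Get-MgUserTransitiveMemberOf gives group and role membership.
$gaRoleTemplate = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator (well-known template ID)
$exclGroup      = 'gggggggg-0000-0000-0000-00000000000e'   # constructed "CA-Exclusions" group
$financeGroup   = 'gggggggg-0000-0000-0000-00000000000f'   # constructed "Finance" group
$userObjectIds  = @{
    'breakglass@contoso.com' = 'aaaaaaaa-0000-0000-0000-000000000001'
    'emergency@contoso.com'  = 'aaaaaaaa-0000-0000-0000-000000000002'
}
$userGroups = @{ 'aaaaaaaa-0000-0000-0000-000000000001' = @()
                 'aaaaaaaa-0000-0000-0000-000000000002' = @($exclGroup) }
# Both accounts hold Global Administrator, as break glass accounts usually do.
$userRoles  = @{ 'aaaaaaaa-0000-0000-0000-000000000001' = @($gaRoleTemplate)
                 'aaaaaaaa-0000-0000-0000-000000000002' = @($gaRoleTemplate) }

function New-CaPolicyStub {
    param($Name, $State, $IncludeUsers = @('All'), $ExcludeUsers = @(),
          $IncludeGroups = @(), $ExcludeGroups = @(), $IncludeRoles = @())
    [pscustomobject]@{
        DisplayName = $Name
        State       = $State
        Conditions  = [pscustomobject]@{
            Users = [pscustomobject]@{
                IncludeUsers  = $IncludeUsers
                ExcludeUsers  = $ExcludeUsers
                IncludeGroups = $IncludeGroups
                ExcludeGroups = $ExcludeGroups
                IncludeRoles  = $IncludeRoles
            }
        }
    }
}

$policies = @(
    # Direct exclusion for account 1 only: account 2 is exposed.
    New-CaPolicyStub -Name 'Require MFA for all users' -State 'enabled' `
        -ExcludeUsers @($userObjectIds['breakglass@contoso.com'])
    # Exclusion via group: covers account 2 only, and only while it stays a member.
    New-CaPolicyStub -Name 'Block legacy authentication' -State 'enabled' -ExcludeGroups @($exclGroup)
    # Targets Global Administrators by role with no exclusions: catches both accounts.
    New-CaPolicyStub -Name 'Require phishing-resistant MFA for admins' -State 'enabled' `
        -IncludeUsers @() -IncludeRoles @($gaRoleTemplate)
    # Scoped to Finance: neither account is targeted today.
    New-CaPolicyStub -Name 'Require compliant device (Finance)' -State 'enabled' `
        -IncludeUsers @() -IncludeGroups @($financeGroup)
    # Report-only with no exclusions: harmless until someone switches it to enabled.
    New-CaPolicyStub -Name 'Require sign-in frequency 8 hours' -State 'enabledForReportingButNotEnforced'
)

function Test-BreakGlassExclusion {
    param(
        [Parameter(Mandatory)][string]$UserId,      # UPN or object ID
        [Parameter(Mandatory)][object[]]$Policies
    )
    # Policies reference object IDs only, so a UPN must be resolved first.
    $objectId = if ($userObjectIds.ContainsKey($UserId)) { $userObjectIds[$UserId] } else { $UserId }
    $groups   = @($userGroups[$objectId])
    $roles    = @($userRoles[$objectId])

    foreach ($p in $Policies) {
        $u = $p.Conditions.Users
        $direct   = @($u.ExcludeUsers) -contains $objectId
        $viaGroup = @(@($u.ExcludeGroups) | Where-Object { $groups -contains $_ }).Count -gt 0
        # Exclusions win over inclusions, but a policy that never targets the
        # account cannot lock it out today either.
        $targeted = (@($u.IncludeUsers) -contains 'All') -or
                    (@($u.IncludeUsers) -contains $objectId) -or
                    (@(@($u.IncludeGroups) | Where-Object { $groups -contains $_ }).Count -gt 0) -or
                    (@(@($u.IncludeRoles)  | Where-Object { $roles  -contains $_ }).Count -gt 0)

        if ($direct)            { $status = 'Excluded (direct)' }
        elseif ($viaGroup)      { $status = 'Excluded (via group)' }
        elseif (-not $targeted) { $status = 'Not targeted' }
        else                    { $status = 'NOT EXCLUDED' }

        # Only an enforced policy can lock the account out now; a missing
        # exclusion on a report-only or disabled policy is a latent one.
        if ($status -in 'Excluded (direct)', 'Excluded (via group)') { $risk = 'None' }
        elseif ($status -eq 'Not targeted') { $risk = 'None today (re-check if scope widens)' }
        elseif ($p.State -eq 'enabled')     { $risk = 'LOCKOUT RISK NOW' }
        else                                { $risk = 'Latent (policy not enforced)' }

        [pscustomobject]@{ Account = $UserId; Policy = $p.DisplayName; State = $p.State; Status = $status; Risk = $risk }
    }
}

$results = foreach ($acct in $userObjectIds.Keys) {
    Test-BreakGlassExclusion -UserId $acct -Policies $policies
}
$results | Format-Table -AutoSize
$results | Where-Object { $_.Status -eq 'NOT EXCLUDED' -and $_.State -eq 'enabled' } |
    Select-Object Account, Policy | Format-Table -AutoSize
```

Two design points matter in practice. First, Conditional Access stores object IDs, not UPNs, so an assessment that accepts a UPN has to resolve it before comparing against excludeUsers; comparing strings to UPNs would report every policy as missing the exclusion. Second, exclusion through a group only holds while the account remains a member and while nobody edits that group, so the example reports it separately from a direct exclusion rather than treating the two as equivalent; the role-targeted admin policy is also the one most likely to catch a break glass account, since those accounts normally hold Global Administrator.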

The resulting dashboard gives you an immediate visual indicator of your break glass account security posture. You can quickly identify:

  • Which break glass accounts are properly excluded from all policies

  • Which specific policies are missing exclusions for each account

  • Whether those policies are currently enabled or disabled



Implementing Break Glass Policy Verification

Getting started with the break glass assessment function is straightforward. First, install the ConditionalAccessIQ module from the PowerShell Gallery:

# Install the ConditionalAccessIQ module
Install-Module -Name ConditionalAccessIQ -Scope CurrentUser

# Import the module
Import-Module ConditionalAccessIQ

After installing, you'll need to authenticate to Microsoft Graph with the appropriate permissions:

Connect-MgGraph -Scopes @(
    "Policy.Read.All",
    "AuditLog.Read.All",
    "Directory.Read.All", 
    "Application.Read.All",
    "GroupMember.Read.All"
)

Now you can run a basic assessment with a single command:

Invoke-CAIQBreakGlassAssessment -UserId "breakglass@contoso.com"

This will check a single break glass account against all policies and generate an HTML report. For more comprehensive coverage, you can check multiple accounts simultaneously:

Invoke-CAIQBreakGlassAssessment -UserId "breakglass@contoso.com","emergency@contoso.com"

The function opens the HTML report by default, but for automation scenarios, you can suppress this behavior:

Invoke-CAIQBreakGlassAssessment -UserId "breakglass@contoso.com" -InvokeHtml:$false

You can also customize the output location and filename:

Invoke-CAIQBreakGlassAssessment -UserId "breakglass@contoso.com" -OutputPath "C:\Reports" -FileName "BreakGlass_Security.html"

Real-World Security Benefits

Implementing regular break glass assessment brings several concrete security benefits:

Preventing Lockout Scenarios: By verifying exclusions before an emergency occurs, you ensure break glass accounts will work when needed most. This prevents the nightmare scenario of being locked out of your own environment during a crisis.

Maintaining Compliance: Many security frameworks and auditors specifically ask about emergency access procedures. With Invoke-CAIQBreakGlassAssessment, you can produce evidence that your organization is following best practices by regularly verifying break glass account configurations.

Detecting Accidental Configuration Drift: As policies change over time, it's easy for break glass exclusions to be overlooked. Automated verification catches these oversights before they become incidents. For example, if a new policy is created without proper exclusions, or if an existing policy's exclusions are inadvertently modified, the assessment will flag it immediately.

Delegating Administration Safely: In larger organizations where Conditional Access management may be delegated, this tool ensures that even as different administrators modify policies, the critical break glass exclusions remain intact. It serves as a safety net for your most important emergency accounts.

Automation Recommendations

Like other ConditionalAccessIQ functions, Invoke-CAIQBreakGlassAssessment is most effective when automated. Here's a recommended approach:

  1. Schedule Regular Verification: Run the assessment daily or weekly to ensure continuous protection.

  2. Include in Change Management: Run the assessment after major Conditional Access policy changes as part of your change validation process.

Here's a sample automation script that covers both policy change tracking and break glass verification:

# Import module
Import-Module ConditionalAccessIQ

# Connect using certificate auth (recommended for automation)
Connect-MgGraph -ClientId $client_id -CertificateThumbprint "cert-thumbprint" -TenantId $tenant_id

# Run break glass assessment
$bg_accounts = @("breakglass@contoso.com", "emergency@contoso.com")
Invoke-CAIQBreakGlassAssessment -UserId $bg_accounts -InvokeHtml:$false

# The break glass report path
$bg_report_path = "$($PWD)\ConditionalAccessIQ\BreakGlass_CA_Policy_Exclusion_Assessment.html"

# If the report exists (indicating exclusion issues), send an alert
If ((Test-Path $bg_report_path -PathType Leaf)) {
    $bg_html = Get-Content -Path $bg_report_path -Raw
    
    # Email the break glass assessment report
    Send-CAIQMailMessage -To "security@contoso.com" -From "caiq@contoso.com" -Subject "Break Glass CA Policy Assessment" -Body $bg_html -Attachments $bg_report_path
}

Technical Requirements

To use Invoke-CAIQBreakGlassAssessment, you'll need:

  • PowerShell 5.1 or PowerShell 7.x

  • The Microsoft.Graph.Authentication module (automatically installed with ConditionalAccessIQ)

  • Appropriate Microsoft Graph permissions: the scopes requested in the Connect-MgGraph example above (Policy.Read.All, AuditLog.Read.All, Directory.Read.All, Application.Read.All, GroupMember.Read.All)

For interactive use, connect with an account that has at least Global Reader privileges. For automation, use an app registration or managed identity granted the equivalent application permissions with admin consent; app-only sign-in (client credentials) does not request delegated scopes, so the -Scopes list above does not apply there.

Conclusion

Break glass accounts represent your last line of defense during an identity crisis. The Invoke-CAIQBreakGlassAssessment function ensures these critical accounts will function when you need them most by systematically verifying their exclusion from restrictive policies.

By incorporating regular break glass account verification into your security operations, you close a potentially dangerous gap in your emergency access strategy. This simple proactive step could make all the difference during a crisis situation when minutes count and normal access channels are unavailable.

Like the policy change tracking capabilities in ConditionalAccessIQ, the break glass assessment functionality provides a straightforward solution to a complex security challenge. It turns Microsoft's recommended best practice of excluding emergency accounts from policies into a verifiable, documentable security control that you can demonstrate to stakeholders.

As Conditional Access continues to serve as a cornerstone of modern Zero Trust security architecture, tools like Invoke-CAIQBreakGlassAssessment help ensure that your security controls themselves don't become obstacles during emergencies.

©2022 by thetolkienblackguy.