Adding documentation support says should be in this article? #1708

Open
wants to merge 3 commits into
base: main
Expand Up @@ -29,6 +29,8 @@ An organization might need to use an emergency access account in the following s
- The person with the most recent Global Administrator access has left the organization. Microsoft Entra ID prevents the last Global Administrator account from being deleted, but it doesn't prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account.
- Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable.
- If role assignments for Global Administrator and Privileged Role Administrator roles are eligible, approval is required for activation, but no approvers are selected (or all approvers are removed from the directory). Active Global Administrators and Privileged Role Administrators are default approvers. But there will be no active Global Administrators and Privileged Role Administrators and administration of the tenant will effectively be locked, unless emergency access accounts are used.
- Global Administrators are using separate unlicensed admin accounts which do not receive Admin Email Notifications.
- Global Administrators are using Privilaged Identity Management (PIM) for **just-in-time** access to admininistrative roles such as Global Administrator and also need to receive Admin Email Notifications.

## Create emergency access accounts
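Review bot: The two bullets added at the end of this list (the "separate unlicensed admin accounts" bullet and the PIM bullet) do not match the list's lead-in, which enumerates situations in which an emergency access account is needed. The existing bullets each describe a loss of administrative access, while the new ones describe a mail-delivery arrangement for administrators. Suggest moving them into the new "Forward Admin Email Notifications" section as its rationale, or rewording them so they state why the emergency access account is the right place to receive these notifications. Please also fix "Privilaged" (Privileged) and "admininistrative" (administrative), and link or define "Admin Email Notifications", since the term is not explained anywhere in the visible text.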

Expand Down Expand Up @@ -57,6 +59,15 @@ Create two or more emergency access accounts. These accounts should be cloud-onl

1. [Validate accounts regularly](#validate-accounts-regularly).

## Forward Admin Email Notifications
This workaround is only intended for customers using [PIM](/entra/id-governance/privileged-identity-management/pim-configure) and/or [separate administrator accounts](/microsoft-365/business-premium/m365bp-protect-admin-accounts#protect-admin-accounts)

1. Make the break-glass account a shared mailbox

1. Create a Distribution List and add the licensed user accounts of any administrators using PIM and/or separate administraor accounts.

1. Forward mail from the breakglass account to the distribution group created in the step above

## Configuration requirements

When you configure these accounts, the following requirements must be met:
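Review bot: Step 1 of the new "Forward Admin Email Notifications" section makes the break-glass account a shared mailbox, but nothing in the section says how that fits with the "Configuration requirements" heading that follows or with the "Validate accounts regularly" step just above it. An account reserved for emergencies gains a routine mail function here, so the text should state which requirements still apply once the account has a mailbox and who is expected to have access to that shared mailbox. The three steps also give no indication of where each action is performed; a link per step, as the intro sentence does for PIM, would make them followable. Smaller points: use "emergency access account" throughout instead of "break-glass" and "breakglass", pick one of "Distribution List" and "distribution group", fix "administraor", add a blank line after the heading, and end the intro sentence and each step with a period.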