
When Break-Glass Accounts Let MSPs Down the Most
Most MSPs claim to have break-glass accounts. But only a few can actually use them when a real incident happens. (Protecting Against Cyber Threats to Managed Service Providers and their Customers, 2022) I’ve been called in for lockouts, tenant-wide MFA failures, Conditional Access errors, and identity breaches where the client’s last hope was their break-glass account. And in too many cases, it failed. Not because of hackers.
Not because Microsoft was offline.
But because of how the MSP set it up.
A hard truth MSPs rarely admit
Most break-glass accounts are made to check boxes, not to handle real incidents. (Break Glass Account Management Best Practices, 2026) They look great in:
- Security assessments
- Microsoft Secure Score
- Audit conversations
But when something goes wrong, documentation doesn’t help.
What matters is whether you can sign in right away.
How break-glass accounts really fail for MSPs
1. “All Users” Conditional Access takes them down
This is the most common failure I see. (Break the glass – Not your organization!, 2025) An MSP rolls out:
- “All Users” MFA
- Device compliance everywhere
- Location restrictions
- Session controls stacked on top
No exclusions. No exceptions. Then something breaks. Now the break-glass account is:
- Blocked by MFA during an MFA issue
- Blocked by device compliance when no compliant device exists
- Blocked by location rules during off-hours response
Your security settings end up locking your emergency account.
2. Break-glass accounts that still depend on MFA (and yes, this still happens)
If your break-glass account:
- Requires an authenticator app
- Uses a phone number
- Depends on a hardware token
That’s not a true break-glass account. During incidents:
- Phones aren’t available
- Tokens are in offices
- The on-call engineer isn’t the enrolled user
Every extra dependency is another way things can go wrong.
3. Passwords that are stuck behind SSO
This one hurts. Password stored in:
- A password manager
- That uses SSO
- That relies on Entra ID
- Which is currently broken
Now you have an emergency account you can’t even access. I’ve watched MSPs spend hours trying to get back into their vault while the client stays locked out.
4. Dormant accounts that slowly stop working
Break-glass accounts aren’t used every day, so they slowly stop working:
- Passwords expire
- Accounts get flagged as risky
- Licenses are removed
- Someone disables it during “cleanup”
Then when an incident happens, the account is just a name on a list.
5. No one is sure who can use it
During incidents, I hear:
- “Are we allowed to use this?”
- “Who has approval?”
- “Which account is the real one?”
If you have to stop and discuss emergency access, you’re already behind.
Why this is an MSP problem, not just a client issue
When break-glass fails, the client doesn’t blame Microsoft. They hold you responsible.
They remember:
- How long they were locked out
- How confident you sounded
- Whether you had control
Waiting on vendor support while you’re on the phone isn’t a real plan.
What really works for MSPs in practice
Successful MSPs treat break-glass accounts as part of their core operations, not just a policy. (How ISO 27001 Solves Privileged Access and Shared Account Risks for MSPs, 2023)
That means:
- Set clear Conditional Access exclusions and avoid using 'All Users' shortcuts.
- Don’t rely on SSO or device compliance at all.
- Keep credentials controlled and accessible offline.
- Test your break-glass accounts on a set schedule, not just 'when you get around to it.'
- Make sure it’s clear who can use the account during an incident.
- Always rotate credentials right after they’re used.
If you haven’t tested your break-glass account during a simulated outage, you can’t be sure it works.
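A read-only audit of the failure modes above (Conditional Access exclusions from section 1, MFA dependencies from section 2, account state from section 4), written as an added example with the Microsoft Graph PowerShell SDK; it is not from the article or any MSP's tooling. The account name is a constructed placeholder, and it assumes the SDK modules are installed and the signed-in admin holds the read scopes listed.

```powershell
# Assumed break-glass UPN (constructed placeholder): replace with the tenant's real account.
$BreakGlassUpn = "breakglass@contoso.example"

# Read-only scopes only; an audit needs no write permission.
$scopes = @("Policy.Read.All", "User.Read.All", "Directory.Read.All",
            "UserAuthenticationMethod.Read.All")
Connect-MgGraph -Scopes $scopes -NoWelcome

# Account state: the failures in section 4 (disabled, expiring password, licence removed).
$user = Get-MgUser -UserId $BreakGlassUpn `
        -Property Id,UserPrincipalName,AccountEnabled,PasswordPolicies,AssignedLicenses
if (-not $user.AccountEnabled) { Write-Warning "$BreakGlassUpn is disabled" }
if ($user.PasswordPolicies -notmatch 'DisablePasswordExpiration') {
    Write-Warning "$BreakGlassUpn has password expiration enabled"
}
Write-Host ("Licenses assigned to {0}: {1}" -f $BreakGlassUpn, @($user.AssignedLicenses).Count)

# Registered sign-in methods: section 2 says a real break-glass account should not depend
# on an authenticator app, phone or hardware token, so anything beyond a password is flagged.
$methodTypes = Get-MgUserAuthenticationMethod -UserId $user.Id |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
    Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' }
if ($methodTypes) { Write-Warning ("MFA dependencies registered: " + ($methodTypes -join ', ')) }

# Transitive group membership, so an exclusion via a nested group is recognised.
$groupIds = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    Select-Object -ExpandProperty Id)

# Conditional Access: section 1. Every enabled policy must exclude the account by user or group.
# Role-based exclusions (ExcludeRoles) are listed but not evaluated; review those by hand.
$notExcluded = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }
    $u = $p.Conditions.Users
    $byUser  = $u.ExcludeUsers -contains $user.Id
    $byGroup = @($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0
    if (-not ($byUser -or $byGroup)) {
        [pscustomobject]@{
            Policy          = $p.DisplayName
            TargetsAllUsers = ($u.IncludeUsers -contains 'All')
            ExcludeRoles    = ($u.ExcludeRoles -join ', ')
        }
    }
}
if ($notExcluded) {
    Write-Warning "Enabled Conditional Access policies that do not exclude ${BreakGlassUpn}:"
    $notExcluded | Format-Table -AutoSize
} else {
    Write-Host "Every enabled Conditional Access policy excludes $BreakGlassUpn"
}
```

Run it as part of the scheduled test in the checklist; each warning maps to the section that describes how that dependency fails during an incident.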
Changing the MSP mindset
Break-glass accounts aren’t meant to be convenient.
They’re there to give you control when nothing else works. If your identity systems fail and you can’t sign in, nothing else you’ve set up will matter.
A break-glass account should be:
- Boring
- Simple
- Reliable
- Slightly uncomfortable
That bit of discomfort is what makes it work when you really need it.
Final thoughts
The worst time to find out your break-glass account doesn’t work is when a client is on the phone and the clock is ticking. If you’re sure yours works, prove it.
If you’re not, fix it now.
In the MSP world, being able to access systems during chaos is what separates a trusted partner from a tough post-mortem.
Jaspreet Singh — Author at MSPinsights.ca | Founder & CEO, Accelerate IT Services Inc.
References
CISA (May 10, 2022). Protecting Against Cyber Threats to Managed Service Providers and their Customers. https://www.cisa.gov/news-events/alerts/2022/05/11/protecting-against-cyber-threats-managed-service-providers-and-their-customers
Britive (2026). Break Glass Account Management Best Practices. https://www.britive.com/resource/blog/break-glass-account-management-best-practices
Agder in the cloud (2025). Break the glass – Not your organization! https://agderinthe.cloud/2025/03/18/break-the-glass-not-your-organization/
ISMS.online (2023). How ISO 27001 Solves Privileged Access and Shared Account Risks for MSPs. https://www.isms.online/managed-service-providers/fixing-privileged-access-and-shared-accounts-in-msps-using-iso-27001/