Ensure all critical admin roles have a separate account for administrative tasks (Best Practice 10/10)

Ensure every holder of a critical admin role has a separate account used only for administrative tasks, so that phishing or other attacks against that person's everyday account cannot directly compromise administrative privileges. Create a dedicated admin account that is assigned only the privileges needed to perform the administrative tasks, and block the use of these administrative accounts for daily productivity tools such as Microsoft Office 365 email or arbitrary web browsing.

Define at least two emergency access accounts (Best Practice 9/10)

Emergency access accounts help organizations keep control of a cloud environment in which privileged access is otherwise tightly restricted. These accounts are highly privileged and are not assigned to specific individuals. They are limited to emergency or 'break glass' scenarios in which normal administrative accounts cannot be used, for example when no existing administrator can sign in or activate an eligible role, and organizations must keep their use to the minimum time that is absolutely necessary.

Without such accounts, a tenant can be inadvertently locked out of administrative access altogether. Creating two or more emergency access accounts in your tenant mitigates the impact of that loss of administrative access.

Evaluate the accounts that are assigned or eligible for the Global Administrator role. If none of them are cloud-only accounts in the *.onmicrosoft.com domain (the form intended for emergency access), create them. Consider excluding one account from MFA and the other from Conditional Access, so that a single misconfigured policy or a failure of one control cannot lock both accounts out at the same time.
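The following PowerShell script is an added example, not code from the original page or from Microsoft; it uses the Microsoft Graph PowerShell SDK to carry out the evaluation described above: list the accounts that are active members of or PIM-eligible for Global Administrator, flag which of them are cloud-only *.onmicrosoft.com accounts, and show whether any of those candidates is excluded from a Conditional Access policy. It assumes the Microsoft.Graph modules are installed, that the caller can consent to the read-only scopes listed, and that the Global Administrator role template ID used below (the well-known value) matches your tenant; verify it before relying on the output.

```powershell
# Added example (not from the original page): audit break-glass coverage of the
# Global Administrator role with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules are installed; the signed-in account can
# consent to the read-only scopes below; the template ID is the well-known
# Global Administrator role template ID (verify it in your own tenant).

#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'Policy.Read.All' | Out-Null

# 1. Active members of the Global Administrator role (permanent assignments plus
#    currently activated PIM assignments).
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
$activeIds = @()
if ($role) {
    $activeIds = @((Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All).Id)
}

# 2. PIM-eligible assignments. In PIM the role definition ID equals the template ID.
$eligibleIds = @((Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All `
    -Filter "roleDefinitionId eq '$GlobalAdminTemplateId'").PrincipalId)

$principalIds = @($activeIds + $eligibleIds | Where-Object { $_ } | Sort-Object -Unique)

# 3. Collect every user ID that some Conditional Access policy explicitly excludes,
#    so the report can show which candidates are carved out of CA.
$excludedSomewhere = @{}
foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
    foreach ($uid in $p.Conditions.Users.ExcludeUsers) { $excludedSomewhere[$uid] = $true }
}

# 4. Classify each principal. Groups and service principals are skipped here;
#    Get-MgUser fails for them and the error is suppressed.
$report = foreach ($id in $principalIds) {
    $u = Get-MgUser -UserId $id -Property Id,UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled -ErrorAction SilentlyContinue
    if (-not $u) { continue }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        CloudOnly         = -not $u.OnPremisesSyncEnabled
        OnMicrosoftDomain = $u.UserPrincipalName -like '*.onmicrosoft.com'
        Enabled           = $u.AccountEnabled
        CAExcluded        = $excludedSomewhere.ContainsKey($u.Id)
        Eligible          = $eligibleIds -contains $u.Id
        Active            = $activeIds -contains $u.Id
    }
}

$report | Format-Table -AutoSize

# 5. Break-glass candidates: cloud-only, *.onmicrosoft.com, and enabled.
$breakGlass = @($report | Where-Object { $_.CloudOnly -and $_.OnMicrosoftDomain -and $_.Enabled })
if ($breakGlass.Count -lt 2) {
    Write-Warning "Only $($breakGlass.Count) cloud-only *.onmicrosoft.com Global Administrator account(s) found; create at least two."
}
if (-not ($breakGlass | Where-Object CAExcluded)) {
    Write-Warning 'No break-glass candidate is excluded from any Conditional Access policy.'
}
```

The script reads only; it creates nothing. Whether a candidate is excluded from MFA depends on how MFA is enforced in the tenant: if MFA comes from a Conditional Access grant control, the CAExcluded column already answers that, but per-user MFA state and security defaults are not visible through these cmdlets and must be checked separately.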


Turn on Azure AD Privileged Identity Management (Best Practice 8/10)

Turn on Azure AD Privileged Identity Management (PIM). Once PIM is enabled, you receive notification email messages for privileged access role changes. These notifications provide early warning when additional users are added to highly privileged roles in your directory.