Emergency access accounts help organizations restrict privileged access in an existing cloud environment. These accounts are highly privileged and are not assigned to specific individuals. Emergency access accounts are limited to scenarios where normal administrative accounts can’t be used. Organizations must limit the emergency account’s usage to only the necessary amount of time. it is important that you prevent being inadvertently locked out of your cloud tenant because you can’t sign in or activate an existing individual user’s account as an administrator. You can mitigate the impact of inadvertent lack of administrative access by creating two or more emergency access accounts in your tenant.

Emergency access accounts are limited to emergency or ‘break glass’ scenarios where normal administrative accounts cannot be used. Organizations must maintain a goal of restricting the emergency account’s usage to only the times when it is absolutely necessary.

Evaluate the accounts that are assigned or eligible for the global admin role. If you don’t see any cloud-only accounts by using the *.onmicrosoft.com domain (intended for emergency access), create them. Consider excluding one account from the MFA and the other from Conditional Access.