Terms of Use & Break-Glass Accounts
Understanding the Concept
Terms of Use (ToU) in Microsoft Entra ID allow organizations to present legal disclaimers or acceptable use policies that users must accept before accessing resources. ToU can be integrated into Conditional Access policies so users must accept terms when specific conditions are met.
Break-glass (emergency access) accounts are highly privileged accounts excluded from Conditional Access policies and MFA requirements. They serve as a last resort when normal administrative access is unavailable - for example, during an MFA service outage or when all Global Admins are locked out.
Break-glass accounts should use strong passwords stored securely, not be tied to any individual, be excluded from all CA policies, and be monitored via alerts for any sign-in activity. Microsoft recommends at least two break-glass accounts per tenant.
Key Points
- ToU: PDF documents users must accept before access
- ToU + CA: Require acceptance for specific apps, groups, or conditions
- ToU versioning: Re-require acceptance when terms are updated
- Break-glass: Emergency accounts excluded from CA and MFA
- Monitoring: Alert on ANY break-glass account sign-in
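Two checks a defender would run on the break-glass points above, as an added example that is not part of the original lesson: the first verifies that every enforced Conditional Access policy excludes each break-glass account, the second raises an alert on any sign-in attempt by one of them. The UPNs, policy records and sign-in entries are constructed and shaped like Microsoft Graph conditionalAccessPolicy and signIn resources; those field names are an assumption, not data from the page.

```python
"""Two checks for the break-glass guidance above, run over constructed sample data
shaped like the Graph conditionalAccessPolicy and signIn resources (an assumption)."""

BREAK_GLASS = {"bg-admin-01@contoso.example", "bg-admin-02@contoso.example"}  # constructed

# Constructed Conditional Access policy export, trimmed to the relevant fields.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"excludeUsers": ["bg-admin-01@contoso.example"]}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"excludeUsers": sorted(BREAK_GLASS)}}},
    {"displayName": "Report-only pilot", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"excludeUsers": []}}},
]

# Constructed sign-in log entries; errorCode 0 means the sign-in succeeded.
SIGN_INS = [
    {"createdDateTime": "2024-05-01T08:00:00Z", "status": {"errorCode": 0},
     "userPrincipalName": "alice@contoso.example"},
    {"createdDateTime": "2024-05-01T09:15:00Z", "status": {"errorCode": 0},
     "userPrincipalName": "BG-Admin-01@contoso.example"},
    {"createdDateTime": "2024-05-01T09:16:00Z", "status": {"errorCode": 50126},
     "userPrincipalName": "bg-admin-02@contoso.example"},
]


def find_unexcluded(policies, break_glass=BREAK_GLASS):
    """(policy name, account) pairs where an enforced policy does not exclude a
    break-glass account. Disabled and report-only policies cannot lock anyone out."""
    gaps = []
    for p in (p for p in policies if p["state"] == "enabled"):
        excluded = {u.lower() for u in p["conditions"]["users"].get("excludeUsers", [])}
        gaps += [(p["displayName"], a) for a in sorted(break_glass) if a.lower() not in excluded]
    return gaps


def break_glass_sign_ins(sign_ins, break_glass=BREAK_GLASS):
    """One alert line per sign-in attempt by a break-glass account. Failures are
    reported too: any activity on these accounts is unexpected and must be reviewed."""
    watch = {b.lower() for b in break_glass}  # UPNs compare case-insensitively
    alerts = []
    for s in sign_ins:
        if (upn := s["userPrincipalName"].lower()) in watch:
            code = s["status"]["errorCode"]
            outcome = "success" if code == 0 else f"failure (errorCode {code})"
            alerts.append(f"{s['createdDateTime']} {upn} {outcome}")
    return alerts
```

Call find_unexcluded(POLICIES) and break_glass_sign_ins(SIGN_INS) to see the one missing exclusion and the two alerts; in a real tenant the inputs would come from an export of the CA policies and the sign-in logs.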
Why This Matters in Real Organizations
Terms of Use provide legal protection and compliance documentation. Break-glass accounts prevent catastrophic lockout scenarios. Without properly configured emergency access, an MFA outage or misconfigured CA policy could lock all administrators out of the tenant permanently.
Common Mistakes to Avoid
Interview Tips
- Explain the break-glass account best practices
- Discuss ToU integration with Conditional Access
- Mention monitoring requirements for emergency accounts
Exam Tips (SC-300)
- Know break-glass account requirements and best practices
- Understand ToU integration with Conditional Access policies
- Know that break-glass accounts must be excluded from ALL CA policies