This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 35%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN7%3C/text%3E%3C/svg%3E)
I am implementing Entra PIM. I want few points on best practices that are highly recommended to follow, for example, Break Glass, Emergency Accounts, etc..
Can anyone help me to prepare a list?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Hi, more info on BreakGlass:
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
Its important to exclude these from MFA/Conditional Access and monitor logons to them. Have at least 2 Break glass accounts.
Otherwise, PIM and least priv best practices:
Lots to read, but worth it:
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Refer to
and
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
We recommend you keep zero permanently active assignments for roles other than the recommended two break-glass emergency access accounts, which should have the permanent Global Administrator role.
hth
Marcin