
Most account lockouts are annoying. An administrator lockout can stop the whole business. If the only person who can manage Microsoft 365, Google Workspace, email, billing, DNS, security settings, or employee accounts gets locked out, leaves, loses a phone, or breaks MFA, the recovery process can become slow and expensive.
Today’s practical tech tip: set up a controlled emergency admin access plan before you need it. This is sometimes called a “break-glass” account. The goal is not to create an everyday shared login. The goal is to have a documented, protected, monitored way back into critical systems when normal admin access fails.
Why This Matters
Small businesses often grow into cloud admin risk without noticing it. One owner creates the Microsoft 365 tenant. A bookkeeper sets up Google Workspace. A former web company registers the domain. One employee’s phone becomes the only MFA method for a billing portal. Everything works until that one person is unavailable.
Microsoft’s own emergency access guidance says organizations should reduce the chance of being locked out by creating two or more emergency access accounts for Microsoft Entra ID, using strong authentication, storing credentials securely, monitoring use, and validating the accounts regularly. Google Workspace also documents administrator recovery paths, including recovery email/phone options, DNS-based domain verification, and support-assisted recovery when automated recovery fails.
The lesson for a local business is simple: do the planning while everyone can still sign in. Waiting until payroll, email, or customer records are already locked behind an unavailable admin account is the hard way.
Step 1: List Your Critical Admin Consoles
Start by writing down the systems where losing administrator access would hurt the business. Keep this list in a secure internal location, not in a random shared note.
- Email and identity: Microsoft 365, Microsoft Entra, Google Workspace, Google Cloud Identity, or hosted email control panels.
- Domain and DNS: domain registrar, DNS host, website host, CDN, and SSL certificate provider.
- Money and operations: billing portals, accounting software, payroll, payment processors, point-of-sale systems, and vendor accounts.
- Security tools: password manager admin console, endpoint protection, backups, firewalls, VPN, remote access, and camera/security systems.
- Website and marketing: WordPress, ecommerce admin, ad accounts, analytics, social media, newsletter platforms, and review profiles.
For each one, record who has admin access, what MFA method is used, where recovery codes are stored, and who can approve emergency use. Do not store passwords in the inventory itself. The inventory tells you what exists and who owns it; the actual secrets belong in a password manager, safe, or other approved secure storage.
Step 2: Create A Dedicated Emergency Access Method
For Microsoft 365 and Microsoft Entra environments, follow Microsoft’s current emergency access account guidance as closely as your licensing and setup allow. Microsoft recommends two or more emergency access accounts, cloud-only accounts for Entra, strong authentication such as FIDO2/passkeys or certificate-based authentication, safe credential storage, sign-in monitoring, and regular validation.
For Google Workspace, make sure the business has more than one trusted super administrator where appropriate, current recovery information, and a known process for administrator account recovery. Google’s recovery documentation is a reminder that recovery can require domain verification, support contact, DNS access, and proof of ownership. If the only admin is unavailable and nobody controls the domain records, recovery gets much harder.
For smaller systems that do not support formal emergency accounts, create a practical equivalent: at least two named administrators, documented recovery steps, MFA backup codes stored securely, and an owner-approved process for when the account may be used.
Step 3: Protect It Better Than A Normal Login
An emergency admin account is powerful. If you create one carelessly, you make the business less secure instead of more resilient.
- Do not use it for daily work. Normal admin tasks should be done from named admin accounts so actions are accountable.
- Use strong MFA. A hardware security key or phishing-resistant method is better than relying only on SMS. CISA continues to recommend turning on MFA because it makes account compromise harder.
- Keep recovery materials offline or in approved secure storage. Examples include a business password manager with emergency access, a sealed envelope in a locked safe, or two separate trusted custodians.
- Limit who knows it exists. The owner, IT provider, and designated leadership may need the process. Not everyone does.
- Monitor every use. Configure alerts where possible so an emergency account sign-in triggers a notification to the owner or IT contact.
- Review it on a schedule. A quarterly check is reasonable for most small businesses. Microsoft specifically calls out regular validation for emergency access accounts.
Step 4: Test Without Causing A Mess
Do not wait for an emergency to discover that the account is disabled, the key is missing, the safe combination changed, or the recovery email belongs to a former employee.
- Sign in during a planned maintenance window and confirm the account can reach the required admin console.
- Verify MFA still works and that the device, security key, or backup code is where the document says it is.
- Confirm alerts fire when the emergency account signs in.
- Check the authorized-user list after staff changes, ownership changes, vendor changes, or office moves.
- Document the test result with date, who tested, what was verified, and whether anything was changed.
The test should be boring. If the test turns into a scramble, that is useful information. Fix the problem before the account is needed for a real outage.
What Can Go Wrong
- The emergency account becomes a shared everyday admin login. That ruins accountability and makes audits harder.
- The password is stored where too many people can see it. Emergency access should be available to the right people, not exposed to the whole staff.
- The account is blocked by the same policy that caused the emergency. Microsoft warns that Conditional Access or other controls can make an emergency account unusable if they are not planned carefully.
- MFA depends on one person’s phone. If the phone is lost, broken, overseas, or tied to a former employee, the recovery plan fails.
- The domain registrar is forgotten. Google Workspace recovery and many SaaS recovery flows may require DNS/domain proof. Losing registrar access can block recovery for multiple systems at once.
- Nobody monitors it. A break-glass account should be noisy when used. Silent emergency admin access is a security risk.
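The failure modes above can be checked mechanically against the Step 1 inventory. The following audit script is an added example, not part of the original article; the field names, the `sms:`/`phone:`/`app:` method prefixes, the finding labels, and the sample records are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample inventory. It records where secrets live and who owns
# them, never the secrets themselves (the second entry breaks that rule).
INVENTORY = [
    {"system": "Microsoft 365", "admins": ["owner", "it-provider"],
     "mfa_methods": ["security-key", "security-key-backup"],
     "recovery_codes_location": "office safe", "approver": "owner",
     "signin_alert": True, "last_tested": "2025-05-10"},
    {"system": "Domain registrar", "admins": ["former-web-vendor"],
     "mfa_methods": ["sms:bookkeeper-phone"],
     "recovery_codes_location": "", "approver": "",
     "signin_alert": False, "last_tested": None,
     "password": "placeholder"},
]

SECRET_FIELDS = {"password", "secret", "recovery_codes", "totp_seed"}
PHONE_BOUND = ("sms:", "phone:", "app:")  # assumed prefixes for one-device MFA
TEST_INTERVAL_DAYS = 92                   # quarterly validation

def audit_entry(entry, today):
    """Return the list of findings for one admin console record."""
    findings = []
    if len(set(entry.get("admins", []))) < 2:
        findings.append("single-admin")
    methods = entry.get("mfa_methods", [])
    if not methods:
        findings.append("no-mfa")
    elif len(methods) == 1 and methods[0].startswith(PHONE_BOUND):
        findings.append("mfa-on-one-phone")
    if not entry.get("recovery_codes_location"):
        findings.append("recovery-location-unknown")
    if not entry.get("approver"):
        findings.append("no-approver")
    if not entry.get("signin_alert"):
        findings.append("unmonitored")
    last = entry.get("last_tested")
    if not last or (today - date.fromisoformat(last)).days > TEST_INTERVAL_DAYS:
        findings.append("test-overdue")
    if entry.keys() & SECRET_FIELDS:
        findings.append("secret-in-inventory")
    return findings

def audit(inventory, today):
    return {e["system"]: audit_entry(e, today) for e in inventory}

if __name__ == "__main__":
    for system, findings in audit(INVENTORY, date(2025, 6, 1)).items():
        print(f"{system}: {', '.join(findings) or 'ok'}")
```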
When To Call An IT Professional
Call for help before making changes if your business uses Microsoft 365 Conditional Access, Google Workspace super admin roles, domain federation, single sign-on, HIPAA/financial/legal compliance requirements, shared mailboxes, managed devices, remote workers, or multiple locations. These environments can absolutely have emergency access, but the details matter.
You should also get help if you do not know who controls your domain, if a former employee or vendor is still the only administrator, if MFA is tied to one phone, or if you have never tested account recovery. That is not a paperwork problem. It is business continuity.
A Simple One-Hour Action Plan
- Pick your top five critical admin systems.
- Confirm at least two trusted people or a trusted IT provider can recover access.
- Update recovery email, phone, MFA, and backup codes.
- Secure the emergency credentials in an approved location.
- Turn on alerts for emergency/admin sign-ins where the platform supports it.
- Schedule the next quarterly test.
The win is not just avoiding lockout. The win is knowing exactly what to do when an owner is traveling, a phone dies, an employee leaves, or an admin account stops working right before something important.