Emergency Access — Engineering Experiments
Emergency Access accounts are used for tenant recovery, but they can also become the most dangerous identities in the environment.
This page describes hands-on emergency access experiments done in isolated lab tenants to observe recovery behavior, MFA exclusions, monitoring gaps, and possible abuse.
Everything here is based on what was observed, not on how the system was designed to work.
What This Page Covers
This page serves as a central index of experiments for emergency access testing on F11.ca.
Here’s what you’ll find:
- A live index of emergency access experiments
- Tested recovery and lockout scenarios
- Clear outcomes and their impact on security
- Links to detailed records for each experiment
Please note, this is not a guide for break-glass configuration.
Emergency Access Experiment Index
Each experiment ID links to a detailed record including configuration, logs, and observed behavior.
| ID | Category | Description | Result | Risk |
|---|---|---|---|---|
| EA-EXP-001 | Baseline | Emergency access account excluded from all policies | Recovery successful | 🟢 Low |
| EA-EXP-002 | MFA Exclusion | MFA disabled permanently on emergency account | Abuse path created | 🔴 High |
| EA-EXP-003 | Monitoring | Emergency access sign-in not alerted | Undetected access | 🔴 High |
| EA-EXP-004 | Session | Session persists after emergency access use | Continued access | 🟠 Medium |
| EA-EXP-005 | Conditional Access | Emergency account excluded incorrectly | Policy bypass | 🔴 High |
| EA-EXP-006 | Lifecycle | Emergency access credentials not rotated | Long-lived exposure | 🟠 Medium |
Enhance Your Experience
We group these experiments to highlight recovery and abuse patterns:
- Baseline: Validating recovery behavior
- MFA Exclusion: Testing authentication and enforcement bypass
- Monitoring: Identifying detection and alerting gaps
- Session: Examining token and session persistence
- Conditional Access: Reviewing policy scope and exclusion behavior
- Lifecycle: Checking credential rotation and hygiene
Experiment Methodology
Every Emergency Access experiment on F11.ca uses the same step-by-step approach:
- Start by describing the recovery or lockout situation
- Set up the emergency access account as needed
- Simulate what happens if access is lost or an admin is unavailable
- Test signing in with emergency access
- Check the logs, alerts, and how enforcement works
- Write down the security impact and main lessons learned
This process makes sure the experiments can be repeated and stand up to review.
Patterns Observed Across Emergency Access Experiments
In several emergency access experiments, we noticed these patterns come up again and again:
- Emergency accounts are not often monitored
- MFA exclusions can leave permanent paths for attackers
- Session persistence is often overlooked
- Exclusions tend to be too broad or not documented
- Credential rotation is often missed
You can find more details about these patterns in the records for each experiment.
Scope & Notes
All experiments take place in separate lab tenants.
Results depend on the tenant’s setup and licensing.
This page describes what was observed, not what is recommended.
We refer to official documentation when it is relevant.