Offline breakglass is an emergency mechanism that lets MFA-enabled Entra ID users log in using a cached password when the device cannot reach Azure Entra ID. It is intended for situations like network outages or maintenance windows where normal online authentication is temporarily impossible.
Offline breakglass reduces security. When active, MFA-enabled users authenticate with a password alone — the same protection level as single-factor authentication. If a device is stolen or network access to Entra ID is blocked by an attacker, breakglass could be exploited to bypass MFA entirely. Enable this feature only after carefully weighing your organization’s offline access requirements against its security posture.
Who this affects
| User type | Offline behavior without breakglass | Offline behavior with breakglass enabled |
|---|---|---|
| SFA-only users | Can log in with cached password | No change — already allowed |
| Hello PIN users | Can log in with Hello PIN | No change — already allowed |
| MFA-enabled users | Cannot log in | Can log in with cached password while breakglass is active |
| Passwordless users | Cannot log in offline | Not supported — no password to cache |
Offline breakglass exists solely to extend limited offline access to MFA-enabled users. SFA-only and Hello PIN users already have offline capability and are unaffected by this setting.
How it works
When enabled = true is set in the [offline_breakglass] section, Himmelblau caches a secure, salted password verifier for each MFA-enabled user who successfully authenticates online. This verifier is stored locally and used during breakglass periods to verify the user’s password without contacting Entra ID.
Breakglass mode is activated manually using aad-tool. Once the TTL expires, normal online authentication resumes automatically. If Entra ID connectivity is restored before the TTL expires, Himmelblau will also exit breakglass mode automatically.
Password verifiers are only cached if enabled = true before the user authenticates. It is not possible to cache credentials retroactively after an outage has started. Enable this option in advance on any system where offline access may be needed.
Configuration
Add an [offline_breakglass] section to /etc/himmelblau/himmelblau.conf:
```ini
[offline_breakglass]
enabled = true
ttl = 2h
```
| Option | Default | Description |
|---|---|---|
| enabled | false | When true, Himmelblau caches password verifiers for MFA users and allows offline password authentication during breakglass periods. |
| ttl | 7200 (2 hours) | How long breakglass mode stays active after it is triggered. Accepts a number with a suffix: m (minutes), h (hours), d (days). Without a suffix the value is interpreted as seconds. |
Activating breakglass
When Entra ID is unreachable, activate breakglass using aad-tool:
```sh
sudo aad-tool offline-breakglass --ttl 2h
```
Replace 2h with however long you expect the outage to last. The TTL format accepts m, h, and d suffixes:
```sh
# 90 minutes
sudo aad-tool offline-breakglass --ttl 90m
# 1 day
sudo aad-tool offline-breakglass --ttl 1d
```
While breakglass is active, MFA-enabled users can log in with their Entra ID password. No MFA challenge is presented.
Deactivating breakglass early
To end breakglass before the TTL expires — for example, once network connectivity to Entra ID is restored — set the TTL to zero:
```sh
sudo aad-tool offline-breakglass --ttl 0
```
Himmelblau will also exit breakglass automatically once it detects that Entra ID is reachable again.
Security considerations
- Only set enabled = true on systems where offline access is a genuine operational requirement.
- Use the shortest TTL that covers your expected outage window.
- Breakglass does not apply to passwordless accounts. If a user has only ever authenticated using a passwordless method, no password verifier exists to cache, and they will not be able to log in offline.
- Consider pairing offline breakglass with disk encryption and physical security controls to reduce the risk of credential exposure on stolen devices.
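The TTL format described in the configuration table (m, h or d suffix, bare number = seconds) and the "shortest TTL" recommendation above, as an added POSIX shell example that is not part of Himmelblau or aad-tool: it converts a TTL string to seconds, reads the [offline_breakglass] section from a himmelblau.conf-style file, and flags a configuration that has breakglass enabled with a TTL above a policy limit. The sample configuration, the policy limit and the function names (ttl_to_seconds, breakglass_setting, audit_breakglass) are constructed for illustration; the only assumption about the file is the INI layout shown on this page.

```sh
#!/bin/sh
# Added example, not Himmelblau code. Audits the [offline_breakglass]
# section of a himmelblau.conf-style file against a maximum TTL policy.

# Convert a TTL as documented (m/h/d suffix, bare number = seconds) to seconds.
# Prints the number of seconds; returns 1 for a malformed value.
ttl_to_seconds() {
    ttl="$1"
    case "$ttl" in
        ''|*[!0-9mhd]*) return 1 ;;   # empty or contains a foreign character
    esac
    num=${ttl%[mhd]}                 # strip at most one trailing unit letter
    suffix=${ttl#"$num"}             # whatever was stripped ('' if none)
    case "$num" in
        ''|*[!0-9]*) return 1 ;;     # rejects "h", "2hh", "m2" and similar
    esac
    case "$suffix" in
        '') echo "$num" ;;
        m)  echo $((num * 60)) ;;
        h)  echo $((num * 3600)) ;;
        d)  echo $((num * 86400)) ;;
        *)  return 1 ;;
    esac
}

# Print the value of one key from the [offline_breakglass] section of a
# conf file (trimmed), or nothing if the section or key is absent.
breakglass_setting() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*\[/ {
            insection = ($0 ~ /^[[:space:]]*\[offline_breakglass\][[:space:]]*$/)
            next
        }
        insection && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            print; exit
        }
    ' "$conf"
}

# Returns 0 when breakglass is disabled or its TTL is within max_seconds,
# 1 when it is enabled with a TTL over the limit, 2 when the TTL is malformed.
audit_breakglass() {
    conf="$1"; max_seconds="$2"
    enabled=$(breakglass_setting "$conf" enabled)
    if [ "$enabled" != "true" ]; then
        echo "breakglass disabled: MFA-enabled users have no offline login"
        return 0
    fi
    ttl=$(breakglass_setting "$conf" ttl)
    [ -n "$ttl" ] || ttl=7200        # documented default of 2 hours
    secs=$(ttl_to_seconds "$ttl") || { echo "malformed ttl value: $ttl"; return 2; }
    if [ "$secs" -gt "$max_seconds" ]; then
        echo "breakglass enabled with ttl ${secs}s, over policy maximum ${max_seconds}s"
        return 1
    fi
    echo "breakglass enabled with ttl ${secs}s, within policy maximum ${max_seconds}s"
    return 0
}

# Constructed sample config (not a real deployment file) to run the audit on.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
# unrelated settings omitted

[offline_breakglass]
enabled = true
ttl = 1d
EOF

# Policy here: no more than 2 hours (7200 s). A 1d TTL is 86400 s, so it is flagged.
if audit_breakglass "$SAMPLE_CONF" 7200; then
    echo "audit passed"
else
    echo "audit flagged the configuration (status $?)"
fi
```

Run it as a pre-deployment check or from a config-management hook; a nonzero status from audit_breakglass is the signal to shorten the TTL or disable the section on hosts that do not need offline MFA access.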