The [offline_breakglass] section configures Himmelblau’s emergency offline authentication mechanism, used when Azure Entra ID is unavailable. Offline breakglass allows Entra ID users who normally require multi-factor authentication (MFA) to authenticate with their cached password when the host is offline. This provides a controlled fallback for MFA-only users who would otherwise be unable to sign in during a network outage.
Single-factor (SFA-only) users and Hello PIN users already have offline sign-in capability and are unaffected by this setting. Offline breakglass exists solely to extend limited offline access to MFA-enabled users when network connectivity to Entra ID cannot be established.

How it works

When enabled = true, Himmelblau caches a secure, salted password verifier for MFA-enabled users each time they successfully authenticate online. If Entra ID later becomes unreachable and an administrator activates breakglass mode with aad-tool, those users can authenticate using their cached password for the duration specified by ttl. Password verifiers are only stored after a successful online authentication, so you must enable this feature and ensure each user has signed in at least once while connected before that user can sign in offline.
Enabling offline breakglass mode carries significant security risk. If a device is stolen or compromised and network access to Entra ID is blocked, an attacker could effectively disable MFA protection by forcing the system into a password-only authentication state. Note also that the verifiers are stored whether or not breakglass mode is currently activated, so they must be treated as sensitive credential material from the moment the option is enabled, not only during an outage. Enable this feature only after careful consideration of your organization's security posture and offline access requirements.

This feature does not apply to passwordless accounts. If an MFA user signs in using a passwordless method, no password verifier exists to cache and offline breakglass cannot function for that user.

Full example

[offline_breakglass]
enabled = true
ttl = 2h

Options

enabled
boolean
default:"false"
Specifies whether offline breakglass mode is permitted.

When set to true, Himmelblau caches secure, salted password verifiers for MFA-enabled Entra ID users who successfully authenticate online. These verifiers can then be used to authenticate the same users when Entra ID is unreachable.

When set to false, Himmelblau continues to cache password verifiers only for SFA-only users. MFA-enabled users will not be able to authenticate while offline. The aad-tool offline-breakglass command will also have no effect.

Administrators must enable this option well in advance of any outage, as password verifiers for MFA users are only stored following a successful online authentication. It is too late to enable this feature once Entra ID is already unreachable.

Example: enabled = true
ttl
string
default:"7200"
Specifies how long breakglass mode remains active once triggered. After this period, offline breakglass automatically expires and normal authentication resumes.

The value may include a time-unit suffix:
  • m — minutes (for example, 30m)
  • h — hours (for example, 2h)
  • d — days (for example, 1d)
If no suffix is provided, the value is interpreted as seconds. The default of 7200 is equivalent to 2h.

Example: ttl = 2h

Activating breakglass mode

Offline breakglass mode is not activated automatically when network connectivity is lost. An administrator must activate it explicitly using aad-tool, optionally passing the desired TTL (the configured ttl value is used when --ttl is omitted):
# Activate for 2 hours
sudo aad-tool offline-breakglass --ttl 2h

# Activate using the TTL from himmelblau.conf
sudo aad-tool offline-breakglass

# Deactivate immediately
sudo aad-tool offline-breakglass --ttl 0
Once activated, it remains in effect for the duration specified by --ttl (or the configured ttl value), after which normal authentication resumes automatically.
enabled = true is a prerequisite for aad-tool offline-breakglass to have any effect. The option controls whether password verifiers are cached; the aad-tool command controls whether those verifiers are currently accepted for authentication.
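The following pre-flight check ties the enabled option, the ttl formats and the activation command together. It is an added example written for this page, not Himmelblau's own code and not how aad-tool itself reads its configuration: it parses the [offline_breakglass] section of a himmelblau.conf, converts the documented ttl forms (N seconds, Nm, Nh, Nd) to seconds, and prints the activation command an administrator would run. The INI parsing rules, the function names and the sample configuration files (including the [global] section) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added readiness check for the [offline_breakglass] settings described above.
# Example code, not part of Himmelblau or aad-tool. It assumes only what the
# page documents: an INI-style himmelblau.conf with an [offline_breakglass]
# section holding `enabled` and `ttl`, and ttl values of the form N (seconds),
# Nm, Nh or Nd. The sample configs at the bottom are constructed.

# Convert a documented ttl value to seconds. Prints the number and returns 0,
# or prints nothing and returns 1 for anything outside N / Nm / Nh / Nd.
ttl_to_seconds() {
    v=$1
    case "$v" in
        ''|*[!0-9mhd]*) return 1 ;;
    esac
    num=${v%[mhd]}                 # strip one optional trailing unit
    case "$num" in
        ''|*[!0-9]*) return 1 ;;   # rejects "h", "2m3", "2hh"
    esac
    case "$v" in
        *m) echo $((num * 60)) ;;
        *h) echo $((num * 3600)) ;;
        *d) echo $((num * 86400)) ;;
        *)  echo "$num" ;;         # bare number: already seconds
    esac
}

# Print the value of one key from the [offline_breakglass] section only; a key
# with the same name in another section is ignored. Prints nothing if unset.
breakglass_option() {
    awk -v key="$1" '
        /^[ \t]*\[/ {
            insec = ($0 ~ /^[ \t]*\[offline_breakglass\][ \t]*$/)
            next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }
    ' "$2"
}

# Report whether an outage could be bridged for MFA users. Exit status:
# 0 = enabled with a valid ttl, 1 = disabled (nothing is being cached),
# 2 = enabled but ttl is malformed.
breakglass_readiness() {
    conf=$1
    enabled=$(breakglass_option enabled "$conf")
    ttl=$(breakglass_option ttl "$conf")
    [ -n "$ttl" ] || ttl=7200       # documented default when ttl is unset
    if [ "$enabled" != "true" ]; then
        echo "DISABLED: no verifiers are cached for MFA users; enabling during an outage is too late"
        return 1
    fi
    if ! secs=$(ttl_to_seconds "$ttl"); then
        echo "MALFORMED ttl '$ttl': expected N, Nm, Nh or Nd"
        return 2
    fi
    echo "ENABLED: an activation would last ${secs}s; to activate run: sudo aad-tool offline-breakglass --ttl $ttl"
    return 0
}

# Constructed sample configs (not taken from any real deployment).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/ready.conf" <<'EOF'
[global]
domains = example.com

[offline_breakglass]
enabled = true
ttl = 2h
EOF
cat > "$tmpdir/disabled.conf" <<'EOF'
[offline_breakglass]
enabled = false
ttl = 1d
EOF

for conf in "$tmpdir/ready.conf" "$tmpdir/disabled.conf"; do
    printf '%s: ' "${conf##*/}"
    breakglass_readiness "$conf" || :
done
```

The check only confirms what the configuration file says. It cannot tell whether a given MFA user has actually signed in online since the option was enabled, which is the second prerequisite the page states, so it belongs in a periodic health check rather than as a one-off before an outage.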
