Entra flags identity blind spots
A Microsoft Entra roundup highlighted that emergency “break‑glass” accounts, location‑based Conditional Access gaps, and stale guest accounts are recurring weaknesses in identity controls. The piece recommends treating break‑glass as a distinct identity class, testing location logic for policy gaps, and automating guest‑account audits to expose stale external access. (entra.news)
Emergency access accounts, office network rules, and old guest logins keep showing up as weak spots in Microsoft Entra tenants. Entra.News pulled those three identity gaps into one April 2026 roundup for administrators reviewing access controls. (entra.news)

Microsoft’s own guidance says emergency access, often called “break-glass,” should be limited to rare lockout scenarios and kept separate from day-to-day admin accounts. The company recommends at least two cloud-only emergency accounts with Global Administrator rights so one account failure does not block recovery. (learn.microsoft.com) Microsoft also says those emergency accounts should be excluded from Conditional Access policies and use strong, different protections, including phishing-resistant methods where possible and offline-stored credentials. The point is to preserve a path back in if a policy change, federation outage, or multifactor authentication failure locks out normal admins. (learn.microsoft.com)

Conditional Access is Microsoft Entra’s rule engine for sign-ins: it checks signals such as user, app, device, and network location before it allows access. Microsoft documents location controls through “named locations,” which can be built from Internet Protocol ranges or countries and then used in block or allow policies. (learn.microsoft.com, github.com) That makes location logic easy to misread. A trusted office range that is out of date, an exclusion that is broader than intended, or a country-based rule that misses a traffic path can leave sign-ins outside the policy an administrator thought was in force. (learn.microsoft.com)

Guest accounts create a different problem: access that was legitimate when a project started can sit untouched long after the work ends. Microsoft Entra’s access review tools let organizations run recurring reviews on guest users in groups and applications so stale external access can be removed on a schedule instead of by manual cleanup. (learn.microsoft.com, learn.microsoft.com) Microsoft’s guest-review guidance is explicit about the scope. Reviews can target guests in a group, guests assigned to an application, or recurring guest reviews across all Microsoft 365 groups, giving administrators a way to catch accounts that no longer have a business sponsor. (learn.microsoft.com)

The Entra.News roundup framed the three issues as operational hygiene, not a single new product announcement. Its recommendations were to treat break-glass accounts as their own identity class, test location-based Conditional Access for gaps, and automate guest-account audits before forgotten access turns into an incident. (entra.news)
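The location-logic gaps described above (a stale trusted office range, an exclusion broader than intended) can be tested offline before they bite. The following is an added example, not code from Entra.News or Microsoft: it evaluates a simplified model of named locations and a Conditional Access location condition against sample sign-in IPs and reports which sign-ins fall outside the policy. The data shapes, location names, ranges and IPs are all constructed for illustration and do not follow the real Microsoft Graph schema.

```python
"""Audit Conditional Access location scoping for coverage gaps (added example)."""
from ipaddress import ip_address, ip_network

# Constructed named locations, loosely modelled on Entra IP-based named locations.
NAMED_LOCATIONS = {
    "HQ office": {"ranges": ["203.0.113.0/24"]},    # stale: office moved, ISP reassigned range
    "Branch VPN": {"ranges": ["198.51.100.0/22"]},  # /22 entered where a /24 was intended
}

# Constructed policy: applies everywhere except the excluded (trusted) locations.
POLICY = {
    "name": "Require MFA outside trusted networks",
    "state": "enabled",
    "include_locations": ["All"],
    "exclude_locations": ["HQ office", "Branch VPN"],
}

# Constructed sign-in samples: (source IP, description of the scenario).
SIGN_INS = [
    ("203.0.113.7", "old HQ range, now public ISP space"),
    ("198.51.101.9", "outside the intended /24 but inside the /22 exclusion"),
    ("192.0.2.5", "home broadband, no named location"),
]


def location_names_for(ip):
    """Names of every named location whose IP ranges contain this address."""
    addr = ip_address(ip)
    return [name for name, loc in NAMED_LOCATIONS.items()
            if any(addr in ip_network(r) for r in loc["ranges"])]


def policy_applies(policy, ip):
    """True if a sign-in from ip is in scope of the policy's location condition."""
    if policy["state"] != "enabled":
        return False
    matched = set(location_names_for(ip))
    included = "All" in policy["include_locations"] or bool(matched & set(policy["include_locations"]))
    excluded = bool(matched & set(policy["exclude_locations"]))
    return included and not excluded


def find_gaps(policy, sign_ins):
    """Sign-ins the policy does NOT cover, with the named locations that caused it."""
    return [(ip, note, location_names_for(ip))
            for ip, note in sign_ins if not policy_applies(policy, ip)]


if __name__ == "__main__":
    for ip, note, locs in find_gaps(POLICY, SIGN_INS):
        print(f"GAP {ip}: {note} (excluded via {locs})")
```

Replace the constructed dictionaries with the tenant's real named locations and policy location conditions (exported from the admin centre or Graph) to run the same check against live configuration.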