From 0221316112aa682a8cfb2d1148dc20b352b788f7 Mon Sep 17 00:00:00 2001 From: jonwbstr Date: Fri, 8 Aug 2025 18:24:36 -0400 Subject: [PATCH 1/2] Update security-emergency-access.md According to ticket 2502260010001012 this article describes the workaround of using the break glass account to forward admin email notifications to admin accounts configured with PIM, or following Microsoft's guidance to have separate unlicensed global admin accounts and licensed mail-enabled users with no admin roles found in the following article https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-protect-admin-accounts?view=o365-worldwide#create-a-user-account-for-yourself --- .../security-emergency-access.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/identity/role-based-access-control/security-emergency-access.md b/docs/identity/role-based-access-control/security-emergency-access.md index 5df2da0f998..0ca131fd3bc 100644 --- a/docs/identity/role-based-access-control/security-emergency-access.md +++ b/docs/identity/role-based-access-control/security-emergency-access.md 
@@ -29,6 +29,7 @@ An organization might need to use an emergency access account in the following s - The person with the most recent Global Administrator access has left the organization. Microsoft Entra ID prevents the last Global Administrator account from being deleted, but it doesn't prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account. - Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable. - If role assignments for Global Administrator and Privileged Role Administrator roles are eligible, approval is required for activation, but no approvers are selected (or all approvers are removed from the directory). Active Global Administrators and Privileged Role Administrators are default approvers. But there will be no active Global Administrators and Privileged Role Administrators and administration of the tenant will effectively be locked, unless emergency access accounts are used. +- Organization has unlicensed Global Administrators who need to receive admin Email Notifications. Only licensed Global Admininstrator accounts receive email notifications and using a mail-enabled break glass account to forward mail to unlicensed Global Administrors is the recommended solution. ## Create emergency access accounts 
@@ -57,6 +58,13 @@ Create two or more emergency access accounts. These accounts should be cloud-onl 1. [Validate accounts regularly](#validate-accounts-regularly). +## Forward Admin Email Notifications to administrators using PIM or with separate unlicensed global admin accounts +1. Make the account a shared mailbox + +1. Create a distribution group containing the licensed user account for users who use PIM or have seaprate unlicensed admin accounts + +1. Forward mail from the breakglass account to the distribution group created in the step above + ## Configuration requirements When you configure these accounts, the following requirements must be met: From 6aca61c49d662a566beb8a9933c33c52ed78198d Mon Sep 17 00:00:00 2001 From: jonwbstr Date: Fri, 8 Aug 2025 18:54:19 -0400 Subject: [PATCH 2/2] Update security-emergency-access.md --- .../security-emergency-access.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/identity/role-based-access-control/security-emergency-access.md b/docs/identity/role-based-access-control/security-emergency-access.md index 0ca131fd3bc..f05e06575ff 100644 --- a/docs/identity/role-based-access-control/security-emergency-access.md +++ b/docs/identity/role-based-access-control/security-emergency-access.md 
@@ -29,7 +29,8 @@ An organization might need to use an emergency access account in the following s - The person with the most recent Global Administrator access has left the organization. Microsoft Entra ID prevents the last Global Administrator account from being deleted, but it doesn't prevent the account from being deleted or disabled on-premises. Either situation might make the organization unable to recover the account. - Unforeseen circumstances such as a natural disaster emergency, during which a mobile phone or other networks might be unavailable. - If role assignments for Global Administrator and Privileged Role Administrator roles are eligible, approval is required for activation, but no approvers are selected (or all approvers are removed from the directory). Active Global Administrators and Privileged Role Administrators are default approvers. But there will be no active Global Administrators and Privileged Role Administrators and administration of the tenant will effectively be locked, unless emergency access accounts are used. -- Organization has unlicensed Global Administrators who need to receive admin Email Notifications. Only licensed Global Admininstrator accounts receive email notifications and using a mail-enabled break glass account to forward mail to unlicensed Global Administrors is the recommended solution. +- Global Administrators are using separate unlicensed admin accounts which do not receive Admin Email Notifications. +- Global Administrators are using Privilaged Identity Management (PIM) for **just-in-time** access to admininistrative roles such as Global Administrator and also need to receive Admin Email Notifications. ## Create emergency access accounts 
@@ -58,10 +59,12 @@ Create two or more emergency access accounts. These accounts should be cloud-onl 1. [Validate accounts regularly](#validate-accounts-regularly). -## Forward Admin Email Notifications to administrators using PIM or with separate unlicensed global admin accounts -1. Make the account a shared mailbox +## Forward Admin Email Notifications +This workaround is only intended for customers using [PIM](/entra/id-governance/privileged-identity-management/pim-configure) and/or [separate administrator accounts](/microsoft-365/business-premium/m365bp-protect-admin-accounts?view=o365-worldwide&source=docs#protect-admin-accounts) + +1. Make the break-glass account a shared mailbox -1. Create a distribution group containing the licensed user account for users who use PIM or have seaprate unlicensed admin accounts +1. Create a Distribution List and add the licensed user accounts of any administrators using PIM and/or separate administraor accounts. 1. Forward mail from the breakglass account to the distribution group created in the step above
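Review bot: in hunk `@@ -29,6 +29,7 @@` (patch 1/2), the added bullet misspells "Administrator" twice ("Admininstrator", "Administrors") and asserts that forwarding from a mail-enabled break glass account "is the recommended solution" without citing a source, which is stronger than the surrounding scenario list supports. Patch 2/2 rewrites this bullet anyway, so either squash the two patches so the misspelled text never lands in history, or reduce the bullet to the scenario alone ("Unlicensed Global Administrators do not receive admin email notifications") and keep any recommendation in the new procedure section.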
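Review bot: in hunk `@@ -57,6 +58,13 @@` (patch 1/2), the new procedure converts the emergency access account into a shared mailbox and forwards its mail, but says nothing about the trade-off for an account the article otherwise tells readers to keep cloud-only and reserved for emergencies: after this change the break glass account receives and relays admin notifications continuously rather than sitting unused. Suggest a sentence stating that exposure, stating whether the shared mailbox needs a license, and giving the admin center or cmdlet path for each step instead of the bare "Make the account a shared mailbox". Also "seaprate" should be "separate", and "breakglass" in step 3 should match "break glass" as written in the earlier hunk.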
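Review bot: in hunk `@@ -29,7 +29,8 @@` (patch 2/2), both replacement bullets describe routine operating conditions (separate unlicensed admin accounts; PIM just-in-time activation), not emergencies, so they read oddly in a list introduced as situations in which "an organization might need to use an emergency access account". Consider moving them to the intro of the new "Forward Admin Email Notifications" section and keeping this list to lockout scenarios. Typos: "Privilaged" should be "Privileged" and "admininistrative" should be "administrative"; the bold on **just-in-time** is not used for emphasis in the neighbouring bullets and should be dropped; "which do not receive" should be "that do not receive".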
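Review bot: in hunk `@@ -58,10 +59,12 @@` (patch 2/2), the intro sentence "This workaround is only intended for customers using ... and/or ..." has no terminal period, and the second link carries `?view=o365-worldwide&source=docs`, a query string that does not belong in a docs-relative path; drop it. Step 2 now says "Distribution List" while step 3 still says "distribution group created in the step above", and step 1 says "break-glass" while step 3 says "breakglass"; pick one term for each. "administraor" should be "administrator". The section should also state that membership of the distribution list determines who receives tenant admin notifications, so that list belongs in the "Validate accounts regularly" check referenced just above it.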