Have you ever wondered what to do when you have lost admin access to your tenant? Have you got a panic plan or any idea how to act when there’s absolutely no admin access to your tenant anymore? I’ll tell you about this based on my own (recent) experience.
How do you lose access?
There are many reasons why you can lose admin access to your tenant. These are a few things that can happen:
- Configuration mistake (Conditional access policy)
- Lost access to the Multi-Factor Authentication (MFA) device
- Azure MFA service having troubles
- Phone network unavailable (MFA SMS/Voice)
- Administrator left the organization
- A disgruntled admin who removed other admins (or their roles) or disabled their accounts
Prevent losing access (Break Glass)
Microsoft advises creating at least 2 break glass admin accounts with different authentication methods. You can separate them by MFA method: for example, one uses an OTP code and the other a (FIDO2) security key. In that case you are still dependent on the Azure MFA service, which is in fact a risk.
While we always want admin accounts to use MFA, Microsoft advises having at least one (global) admin who is excluded from all MFA policies and can therefore log on with a username and a strong password. I know it’s contradictory, but losing all access is probably worse. Your Identity Protection score will suffer from this and generate a recommendation to configure MFA. Ignore that one, because it is intentional.
Best practices for Break Glass
- Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
- The emergency access accounts should not be associated with any individual user in the organization.
- The authentication mechanism used for an emergency access account should be distinct from that used by your other administrative accounts. For example, if your normal administrator sign-in is via on-premises MFA, then Azure AD MFA would be a different mechanism.
- The device or credential must not expire or be in scope of automated cleanup due to lack of use.
- Make the Global Administrator role assignment permanent for your emergency access accounts. Exclude the accounts from any PIM or time-based access requirement.
- Store the passwords securely, for example in a safe! Prevent easy access to these passwords and do not store the passwords of both accounts in the same safe. Consider also keeping them in a secured digital password tool in case the physical location is not accessible.
- Use a strong (random) password of at least 16 characters.
More information on Break Glass / Emergency Access can be found here.
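The best practices above boil down to two checks you can automate: every break-glass account is excluded from every Conditional Access policy that could reach it, and the exclusion covers all of the accounts, not just one. The following script is an added example (not code from the original post or from Microsoft). It inspects policy objects in the shape that Microsoft Graph returns from GET /identity/conditionalAccess/policies; the policies, user IDs and group ID in it are constructed sample data, and the only real value is the well-known Global Administrator role template ID.

```python
"""Audit Conditional Access policies for break-glass exclusions.

Added example, not code from the original post. It inspects policy objects in
the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies
and reports every enabled (or report-only) policy that could apply to a
break-glass account without excluding all of them. The policies and object
IDs below are constructed sample data; only GLOBAL_ADMIN_ROLE is the real
Global Administrator role template ID.
"""

# Constructed: object IDs of the two emergency access accounts and of a group
# that is assumed to contain both of them.
BREAK_GLASS_USERS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}
BREAK_GLASS_GROUPS = {"33333333-3333-3333-3333-333333333333"}
# Well-known role template ID of Global Administrator; break-glass accounts
# hold this role permanently, so role-scoped policies apply to them.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample policies. Only the user scope matters for this check.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {
         "includeUsers": [], "excludeUsers": sorted(BREAK_GLASS_USERS),
         "includeGroups": [], "excludeGroups": [],
         "includeRoles": [GLOBAL_ADMIN_ROLE], "excludeRoles": []}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {
         "includeUsers": ["All"], "excludeUsers": [],
         "includeGroups": [], "excludeGroups": sorted(BREAK_GLASS_GROUPS),
         "includeRoles": [], "excludeRoles": []}}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {
         "includeUsers": ["All"],
         # the second break-glass account was forgotten here
         "excludeUsers": ["11111111-1111-1111-1111-111111111111"],
         "includeGroups": [], "excludeGroups": [],
         "includeRoles": [], "excludeRoles": []}}},
    {"displayName": "Block sign-in outside HQ",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {
         "includeUsers": [], "excludeUsers": [],
         "includeGroups": [], "excludeGroups": [],
         "includeRoles": [GLOBAL_ADMIN_ROLE], "excludeRoles": []}}},
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]


def _user_scope(policy):
    return (policy.get("conditions") or {}).get("users") or {}


def policy_targets_break_glass(policy, users, groups, roles):
    """True if the policy's include scope can reach a break-glass account."""
    scope = _user_scope(policy)
    inc_users = set(scope.get("includeUsers") or [])
    inc_groups = set(scope.get("includeGroups") or [])
    inc_roles = set(scope.get("includeRoles") or [])
    return bool("All" in inc_users or inc_users & users
                or inc_groups & groups or inc_roles & roles)


def policy_excludes_break_glass(policy, users, groups):
    """True only if EVERY break-glass account is excluded, either directly or
    through an excluded group that is assumed to contain all of them."""
    scope = _user_scope(policy)
    exc_users = set(scope.get("excludeUsers") or [])
    exc_groups = set(scope.get("excludeGroups") or [])
    if exc_groups & groups:
        return True
    return users <= exc_users


def find_unexcluded_policies(policies, users, groups, roles):
    """Return (displayName, state) for every active policy that can hit a
    break-glass account without excluding all of them. Report-only policies
    are included because they become a lockout the moment someone flips
    them to enabled."""
    active = {"enabled", "enabledForReportingButNotEnforced"}
    findings = []
    for policy in policies:
        if policy.get("state") not in active:
            continue
        if (policy_targets_break_glass(policy, users, groups, roles)
                and not policy_excludes_break_glass(policy, users, groups)):
            findings.append((policy["displayName"], policy["state"]))
    return findings


if __name__ == "__main__":
    for name, state in find_unexcluded_policies(
            SAMPLE_POLICIES, BREAK_GLASS_USERS, BREAK_GLASS_GROUPS,
            {GLOBAL_ADMIN_ROLE}):
        print(f"[{state}] {name}: break-glass accounts are not fully excluded")
```

Against the sample data the script flags "Require compliant device" (only one of the two accounts is excluded) and the report-only "Block sign-in outside HQ" (no exclusion at all), while the two correctly configured policies and the disabled one are silent. In a real tenant you would feed it the policy list pulled from Graph and run it from a pipeline whenever a policy changes, so the "forgot to exclude the Break Glass accounts" mistake is caught before it locks anyone out.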
What if even my Break Glass admin has no access anymore?
Even if you have Break Glass accounts, there are still situations where they are not available: for example, an admin removed the Break Glass accounts, removed their roles, disabled the users or reset their passwords, or created a new CA policy and forgot to exclude the Break Glass accounts.
Most organizations have an MSP or CSP partner for technical support and/or a reseller who delivers licenses to your organization. The old DAP (delegated admin) partner relationship mostly comes with the Global Admin and Helpdesk Admin roles, so check whether you have a partner with those roles. They probably still have access and are able to support you:
https://admin.microsoft.com -> Settings -> Partner relationships
Microsoft to the rescue!
But what if there’s absolutely no access anymore and your partners are unable to support you? What now? Then there’s always Microsoft to the rescue, and this is exactly what I experienced a while ago. Brace yourself, because this will take a few days! Most time was lost on explaining what the issue is and reaching the department/team who can really help you. Also, the procedure requires Microsoft to wait at least 1 hour after every step. One tip I can give you: ask them to involve the Azure Product Team, because these are the people who can help you!
We had to create a ticket with Microsoft. Even though the severity was High or Business Critical and we contacted our account managers to speed up the process, it took me a few days to regain access. Based on my experience, the process is roughly as follows:
1: Create a ticket with Microsoft. Put the tenant ID that is locked out in your description. Tell them that no admin account has access anymore and that your partners also have no access anymore; otherwise this is the first question you will receive from Microsoft support.
2: The ticket is assigned to the Microsoft 365 Data Protection department/team. They verify whether you are authorized for this request. There are a few ways to prove you are authorized:
- They try to contact the configured (technical) contact by phone. They call the phone number configured in your tenant information. If you pick up the phone and they are able to verify it’s you, they can proceed to the next team.
- They send an e-mail to one of the Global Admins. If they respond with EXACTLY what is asked within an hour, the process continues to the next team. If the Global Admin does not respond, they send an e-mail to all users who have an administrator role assigned; again, if they respond with EXACTLY what is asked within an hour, the process continues to the next team.
- If responding to one of the above e-mails is not possible, they ask you to create a TXT record in one of the verified (custom) domain names in the tenant. The TXT record value must be exactly today’s date (for example: 09-09-2022). Microsoft verifies this using mxtoolbox.com. If it matches, the procedure continues.
- After completing the above steps, they ask you to deliver the following legal documents. These must be uploaded to a Secure File Exchange link which you receive from Microsoft Support.
3: After being verified many times, they assign the case to the Azure Product Team or the Office 365 Premier Support team. They ask you to perform one failed logon and send them the Request ID, Correlation ID and timestamp shown in the failed logon details. This allows them to check your Azure AD sign-in logs and investigate the actual issue. In my case it was a Conditional Access policy.
And then there’s the moment we’ve been waiting for: the ticket is finally escalated to the Azure Product Team or a Microsoft 365 engineer (Tier 3) who will unlock your tenant! In my case they excluded one verified global admin from a specific conditional access policy. I was then able to log on, regained access and immediately modified the CA policy that was causing trouble.
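The failed-logon details that support asks for (Request ID, Correlation ID, timestamp) are simply fields of the sign-in log record, and the same logs let you spot a lockout in progress: one Conditional Access policy failing several administrative accounts in a short window. The script below is an added example, not code from the original post or from Microsoft. It scans records in the shape of the Microsoft Graph /auditLogs/signIns resource (the sign-in record's `id` is what the portal shows as Request ID); the admin list and every record in it are constructed sample data, and error code 53003 is the real Azure AD code for a sign-in blocked by Conditional Access.

```python
"""Spot an admin lockout pattern in Azure AD sign-in log records.

Added example, not code from the original post. It scans sign-in records in
the shape of the Microsoft Graph /auditLogs/signIns resource and reports any
Conditional Access policy that blocked several distinct administrative
accounts within a short window, together with the Request ID (the record's
id), Correlation ID and timestamp that Microsoft Support asks for. The admin
list and all records below are constructed sample data; error code 53003 is
the real code for "blocked by Conditional Access policies".
"""
from collections import defaultdict
from datetime import datetime, timedelta

CA_BLOCKED = 53003

# Constructed: the administrative accounts to watch. Graph sign-in records do
# not carry role information, so the list is maintained by the defender.
ADMIN_UPNS = {"admin1@contoso.example", "admin2@contoso.example",
              "admin3@contoso.example"}


def _signin(ts, upn, code, policies, req, corr):
    """Build a minimal sign-in record using Graph's field names (constructed)."""
    return {
        "id": req, "correlationId": corr, "createdDateTime": ts,
        "userPrincipalName": upn,
        "status": {"errorCode": code},
        "conditionalAccessStatus": "failure" if code == CA_BLOCKED else "success",
        "appliedConditionalAccessPolicies": [
            {"displayName": name, "result": result} for name, result in policies],
    }


SAMPLE_SIGNINS = [
    _signin("2022-09-09T08:00:00Z", "admin1@contoso.example", 0,
            [("Require phishing-resistant MFA", "notApplied")], "req-0001", "corr-0001"),
    _signin("2022-09-09T09:00:00Z", "admin1@contoso.example", CA_BLOCKED,
            [("Require phishing-resistant MFA", "failure")], "req-0002", "corr-0002"),
    _signin("2022-09-09T09:05:00Z", "admin2@contoso.example", CA_BLOCKED,
            [("Require phishing-resistant MFA", "failure"),
             ("Block legacy auth", "notApplied")], "req-0003", "corr-0003"),
    _signin("2022-09-09T09:07:00Z", "admin3@contoso.example", CA_BLOCKED,
            [("Require phishing-resistant MFA", "failure")], "req-0004", "corr-0004"),
    # an ordinary user blocked by another policy: not an admin, ignored
    _signin("2022-09-09T09:08:00Z", "alice@contoso.example", CA_BLOCKED,
            [("Block legacy auth", "failure")], "req-0005", "corr-0005"),
    # a single admin blocked hours earlier: outside the window, below threshold
    _signin("2022-09-09T06:30:00Z", "admin2@contoso.example", CA_BLOCKED,
            [("Block sign-in outside HQ", "failure")], "req-0006", "corr-0006"),
]


def _ts(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def support_evidence(record):
    """The three values the support engineer asks for after a failed logon."""
    return {"requestId": record["id"], "correlationId": record["correlationId"],
            "timestamp": record["createdDateTime"]}


def blocking_policies(signins, admin_upns, window_minutes=60, min_admins=2):
    """Return policies that blocked at least min_admins distinct admin
    accounts within window_minutes of the newest admin failure."""
    admins = {u.lower() for u in admin_upns}
    failures = [s for s in signins
                if s["userPrincipalName"].lower() in admins
                and s["status"]["errorCode"] == CA_BLOCKED]
    if not failures:
        return []
    cutoff = max(_ts(s) for s in failures) - timedelta(minutes=window_minutes)
    per_policy = defaultdict(dict)  # policy -> upn -> blocked record
    for s in failures:
        if _ts(s) < cutoff:
            continue
        for p in s.get("appliedConditionalAccessPolicies") or []:
            if p.get("result") == "failure":
                per_policy[p["displayName"]][s["userPrincipalName"]] = s
    findings = []
    for policy, by_user in per_policy.items():
        if len(by_user) >= min_admins:
            findings.append({
                "policy": policy,
                "blocked_admins": sorted(by_user),
                "evidence": [support_evidence(by_user[u]) for u in sorted(by_user)],
            })
    return sorted(findings, key=lambda f: -len(f["blocked_admins"]))


if __name__ == "__main__":
    for f in blocking_policies(SAMPLE_SIGNINS, ADMIN_UPNS):
        print(f"policy '{f['policy']}' blocked {len(f['blocked_admins'])} admins")
        for e in f["evidence"]:
            print("  ", e)
```

With the sample records the only finding is "Require phishing-resistant MFA", which blocked all three admins within seven minutes; the earlier single failure and the non-admin failure are ignored. Run against a real export (Graph, Log Analytics or the portal download) on a schedule, this is the alert that tells you to use the break-glass account before the last session expires, and the evidence list is exactly what step 3 of the procedure asks you to hand to the engineer.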
Hi Joey, thanks for your article.
So far my experience has been horrendous with Microsoft support. Would you be able to clarify where you mentioned “Open A Ticket” exactly which options you have selected when raising it?
From another tenant of mine I go to https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview and create a support request from there selecting as options:
Type: Technical
Service: Azure Active Directory Sign-In and Multi-Factor Authentication
Problem type: Conditional Access / Tenant Lockout
Reason for selecting the problem type above is that my issue was caused after trying to enable the new policy to “Require Passwordless Authentication Strength” and didn’t pay enough attention to the potential impact the small note that MFA should would have had + it was really late at night and I thought “oh go on”. Felt like an absolute rookie again.
I have raised this case as a severity A – after purchasing an Azure Support Plan – Standard at 100$ but so far what I have experienced 24 hrs in, is that someone from the team that can do the work calls me (probably from the Azure Product Team you mention) and then when they send the ticket to the Azure Data Protection Team the request goes into an “undefined state” and all my contact details get lost, as this is bounced to all sorts of places.
I have so far opened 3 x cases this way and talked to more people than I’ve talked in 2022 altogether with most of them sounding completely bored with my troubles over the phone.
Was this a similar experience for you? Do you see any issues with how I am raising the case?
Hi Kay,
I picked the same category for my ticket. I experienced somewhat the same issues. Telling the first line support my issue was done like 3 or 4 times.. every time to a different support employee.
It took so much time explaining the issue and telling them (myself) who could solve the issue for me. It cost almost a week!
I had no issues with the ticket itself. But, I did see them closing the ticket and creating new tickets for different departments throughout the whole process.
Maybe I can share some contact information directly with you tomorrow. Maybe it helps to mention their names. These were the people who disabled the conditional access policy which locked me out.
Hi Joey,
Thank you for all this.
Experiencing a very similar issue.
After numerous call backs and waiting and repeating ourselves through the midnight/early am hours…
We are finally (or so we hope) getting to/close to Tier 3.
We have provided the error screen with #53003/CorID,ReqID,etc to the currently assigned MSFT engineer and they ran some diagnostic tool but it keeps coming back with “sign-in is not a tenant lockout scenario; user who is signed in is not a global administrator in the resource tenant”. We provided a few GA logins, and definitely we know they are GAs. All the same.
Not sure if you went through this phase as well before getting it resolved finally. Would you be able to share those contacts you dealt with, we seem to be stuck at this moment.
I’ll send you a mail!
Same experience for us (Italy).
Hi Joey
Thank you for the accurate explanation. I also have the exact same problem as the others. Can you forward me this contact information you have from the right Azure team as well?
Thank you!
Hi Nils,
I’ll reply in a personal mail to you.
Dealing with the same, why is this so complex? Does anyone know how long it usually takes before Azure Protection Team contacts you? Are they available 24/7? It’s been almost a week, had numerous calls, tickets etc. and nothing is happening.
Hi James,
I’m not sure about their working hours but I assume they have people across several geos. Were you already contacted by the Data Protection Team who is validating all the provided information? You have to handle these requests before you can proceed to the team who is able to solve the issue for you.
Hi Nils, might you be able to share the contact info via email – same issue here.
Thanks,
Anton
Hi Anton,
I only share these by mail. Please contact me by mail/linkedin if you need them.
Hi Joey.
Could you share that info with me? I’m completely stuck with Microsoft Support.
Latest information sent hours ago was the extended info of a failed login. Am I close to the finish lane?
Thank you.
Hi Javi,
In that case you are probably at the last step. I assume you will have access again today or tomorrow.
I’m afraid that it’s not the final step because in the last email that Microsoft Support send us they said: “What they will do once they get with you and confirm you are a rightful GA on the tenant is they will make you excluded from the CAP so that you can go in and fix it as you mentioned.”
Do you think they still have to validate our identity?
Thanks Joey.
In that case they might have changed the procedure. Have you sent copies of passports already?
Might be able to share something but I’m figuring out where in the process you are right now.
Hi Javi,
How much time did it take you? I locked myself out because of a (location based) Conditional Access policy. What is your experience?
Regards,
Lars
Hi Joey,
Same problem here. I did get a call from a Microsoft engineer and I think they escalated it to the Data Protection Team, but I will have to wait for a response.
This is really extremely frustrating, but I really did cause it myself…
Hi Lars,
Unfortunately the procedure is very strict. Actually, that’s a good thing. If everything goes well and you can act quickly yourself (copies of passports, KvK details, etc.), you should expect at least a week. I also know of cases that took longer than a month.. be prepared.
Could you perhaps start a VM in another tenant and another geo that can work around your mistake? Can you explain a bit about your mistake? Maybe I can still do something for you.
Hi Joey,
thank you for this blog post. We are currently in the same situation. Managed through our partner to create a ticket and it seems to be placed at Dataprotection team, but no reply call since 2 days. Read somewhere you have a direct contact? Might you to share it with email with me?
Best regards
Hi Andre,
I’ll send you an e-mail.
Would love the contacts also
Hi,
For all of you being in this situation: MS can restore access, it’s just a pain reaching support and in the correct time zone. Our ticket was 3 days in the Data Protection team queue before an Engineer was assigned to it. Then through the day, access was restored.
Hope that will help you.
Do you get a choice of being assigned to the correct time zone? I only ever get a call from the States (if I’m really lucky). We are 8 days into this and still no resolution. We passed data protection requirements 7 days ago and since then, we have had an engineer who did not understand TXT records, two failed attempts to add an exception and then assigned to the wrong team. 8 days is ridiculous, as it was a priority A ticket. We have multiple tickets, as Microsoft close them to avoid going over the SLAs.
Hi
We are in the same situation, all global admins are blocked by a conditional access policy. We are struggling to get an engineer to disable the policy and nothing has happened so far.
Could you provide the contact details you have at Microsoft?
Can I please also have the contact details for Microsoft. A conditional access blocked all of our Global Admins.
Thank you very much!
My experience I am certain is the most horrendous and not over even after no less than EIGHT days!!
I passed verification after 24 hours. Great! Or so I thought. Had no response as promised but managed to speak to the Data Protection Team (DPT) the following day. I was asked to put in ANOTHER TXT record for an SMTP pointer. Clearly these guys hadn’t bothered to check MXToolbox, which showed this pointer was managed in our tenant and is simply a SaaS for appending signatures to emails. It shows the host as ns3-03.azure-dns.org, yet I was asked to contact GoDaddy!! I even sent in screenshots to verify the TXT record that had been added for our actual domain and the screenshot for the pointer, which is hosted in Azure. FIVE days after much calling (60+ calls), promises of engineer call back (I’d get a random call to say “an engineer handling the case will call”), no call. Eventually, the MS partner had a crack at it himself and put another ticket of Priority A in. This was day 6. He called with the great news, it would be handled by the end of the day. The verification was complete on this day and our original TXT record for our domain was accepted. That was TWO days ago. We didn’t get any calls to unlock the Tenant. The only update has been ANOTHER ticket created (THIRD so far), as the Team assigned to the second Priority A ticket failed twice to unlock the Tenant. The lockout has been caused by Phishing Resistant MFA. I checked with Microsoft first whether the ‘strong authentication’ that was required included Microsoft Authenticator and it does. They can’t figure out why this would lock us out, but why they can’t just disable the policy as a starting point, I can’t fathom. Any ideas, as EIGHT days in is getting beyond a joke, especially considering the verification and TXT record were complete after 24 hours!!! The partner has just advised he’s got through to someone to be told “it’s with the back end team” and, get this – “the ticket has only been opened since yesterday”.
I’m sorry to hear that. This must be an insane situation for you. Is the business running or is everyone completely out of business?
Having several tickets is something I have seen before. No worries.. If a department handled a case they close it and create a new one internally for the other department. That’s simply how they work..
Have you contacted your Microsoft contact or asked the partner to do this? If there is a business outage they might raise the priority. Keep in mind that prio A is only if you are 24/7 available! If you don’t agree with that the ticket stays at sev B.
Now, this just gets even better. I dare anyone to beat this. They’ve assigned the THIRD ticket to the wrong team, so now we have a FOURTH ticket and will need to pass verification AGAIN! F%f&*?!@
And then after two hours on hold, the partner gets cut off. Microsoft, you are a disgrace.
Partners can’t do much except for pushing their contacts. Because of the data protection/compliance rules they cannot create a ticket for you in this situation.
Hi Joey
Two things:
1 How does one determine the Tenant ID if one has no access due to being locked out of the tenant?
2 If the tenant ID cannot be retrieved, what other means are there of getting this issue resolved?
Thanks.