Have you ever wondered what to do when you lose admin access to your tenant? Have you got a panic plan or any idea how to act when there's absolutely no admin access to your tenant anymore? I'll tell you about this based on my own (recent) experience.
How do you lose access?
There are many reasons why you can lose admin access to your tenant. These are a few things that can happen:
- Configuration mistake (Conditional access policy)
- Lost access to Multi Factor (MFA) device
- Azure MFA service having troubles
- Phone network unavailable (MFA SMS/Voice)
- Administrator left the organization
- A disgruntled admin who removed other admins' roles or disabled their accounts
Prevent losing access (Break Glass)
Microsoft advises creating at least two break glass admin accounts with different authentication methods. It is possible to separate the two by MFA method: for example, one uses an OTP code and the other uses a (FIDO2) security key. In that case you are still dependent on the Azure MFA service, which is in fact a risk.
While we always want admin accounts to use MFA, Microsoft advises having at least one (global) admin who is excluded from all MFA policies and can therefore log on with a username and a strong password. I know, it's contradictory, but losing all access is probably worse. Your Identity Protection score will suffer from this and generate a recommendation to configure MFA. Ignore that one, because it is on purpose.
Best practices for Break Glass
- Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
- The emergency access accounts should not be associated with any individual user in the organization.
- The authentication mechanism used for an emergency access account should be distinct from that used by your other administrative accounts. For example, if your normal administrator sign-in is via on-premises MFA, then Azure AD MFA would be a different mechanism.
- The device or credential must not expire or be in scope of automated cleanup due to lack of use.
- You should make the Global Administrator role assignment permanent for your emergency access accounts. Exclude the accounts from any PIM or time-based access requirement.
- Store the passwords in a secure way (for example a safe or locker) and prevent easy access to them! Do not store the passwords of both accounts in the same locker. Preferably also keep them in a (secured) digital password tool in case the physical location is not accessible.
- Use a strong (random) password of at least 16 characters.
More information on Break Glass / Emergency Access can be found here.
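The list above boils down to one recurring check: is every break glass account really out of scope of every Conditional Access policy, including the policy someone added last night? The following is an added example (not code from the original post) of how to audit that offline. It reads policy objects in the shape of the Microsoft Graph conditionalAccessPolicy resource (state, and conditions.users with includeUsers/excludeUsers, includeGroups/excludeGroups, includeRoles/excludeRoles); the policies, object ids and group/role memberships in it are constructed sample data, not values from a real tenant, and in practice you would fetch the policies from Graph and the memberships from the directory. The Global Administrator role template id is the fixed value Graph uses across tenants.

```python
"""Audit which Conditional Access policies still apply to a break-glass account.

Added example, not code from the original post. Policy objects follow the shape
of the Microsoft Graph conditionalAccessPolicy resource; all ids, names and
memberships below are constructed sample data.
"""
from dataclasses import dataclass, field

# Role template id of the Global Administrator directory role (fixed across
# tenants). Graph's includeRoles/excludeRoles refer to template ids like this.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed object ids for the sample tenant (not real values).
BREAK_GLASS_1 = "11111111-0000-0000-0000-000000000001"
BREAK_GLASS_2 = "11111111-0000-0000-0000-000000000002"
BREAK_GLASS_GROUP = "22222222-0000-0000-0000-000000000001"


@dataclass(frozen=True)
class Principal:
    """What the audit needs to know about one account."""
    object_id: str
    groups: frozenset = field(default_factory=frozenset)  # transitive group membership
    roles: frozenset = field(default_factory=frozenset)   # assigned directory role template ids


def _targeted(users: dict, p: Principal) -> bool:
    """True if the policy's include conditions reach the principal."""
    inc_users = set(users.get("includeUsers", []))
    return ("All" in inc_users
            or p.object_id in inc_users
            or bool(set(users.get("includeGroups", [])) & p.groups)
            or bool(set(users.get("includeRoles", [])) & p.roles))


def _excluded(users: dict, p: Principal) -> bool:
    """True if an exclude condition covers the principal (exclusions win over includes)."""
    return (p.object_id in users.get("excludeUsers", [])
            or bool(set(users.get("excludeGroups", [])) & p.groups)
            or bool(set(users.get("excludeRoles", [])) & p.roles))


def policies_hitting(policies: list, p: Principal) -> list:
    """Names of policies that apply to p without excluding it.

    Disabled policies are skipped. Report-only policies are kept and tagged,
    because flipping them to enabled later would lock the account out.
    """
    hits = []
    for pol in policies:
        state = pol.get("state", "disabled")
        if state == "disabled":
            continue
        users = pol.get("conditions", {}).get("users", {})
        if _targeted(users, p) and not _excluded(users, p):
            name = pol["displayName"]
            hits.append(name + " (report-only)" if state == "enabledForReportingButNotEnforced" else name)
    return hits


# Constructed sample policies: one is correct, one excludes only via a group,
# one forgot the exclusion entirely, one is report-only, one is disabled.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_1, BREAK_GLASS_2]}}},
    {"displayName": "Require phishing-resistant MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeGroups": [BREAK_GLASS_GROUP]}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_1]}}},
    {"displayName": "Old geo block", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]

BREAK_GLASS_ACCOUNTS = [
    Principal(BREAK_GLASS_1, frozenset({BREAK_GLASS_GROUP}), frozenset({GLOBAL_ADMIN_ROLE})),
    # The second account holds the role but was never added to the exclusion group.
    Principal(BREAK_GLASS_2, frozenset(), frozenset({GLOBAL_ADMIN_ROLE})),
]

if __name__ == "__main__":
    for acct in BREAK_GLASS_ACCOUNTS:
        hits = policies_hitting(SAMPLE_POLICIES, acct)
        print(acct.object_id, "->", hits or "excluded from every policy")
```

Run it before and after every Conditional Access change: an empty list for each break glass account is the only acceptable result. The example deliberately resolves group and role based exclusions, since a policy that excludes a "break glass" group is only as good as the group's membership, which is exactly how the second sample account ends up covered by the admin policy.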
What if even my Break Glass admin has no access anymore?
Even if you have a Break Glass account, there are still situations where these accounts are not available. For example, an admin may have removed the Break Glass accounts, removed their roles, disabled the users or reset their passwords. Or maybe someone created a new CA policy and forgot to exclude the Break Glass accounts?
Most organizations have an MSP or CSP partner for technical support and/or a reseller who delivers licenses to the organization. The old DAP (partner) relationship usually comes with the Global Admin and Helpdesk Admin roles. So check whether you have a partner with those roles; they probably still have access and are able to support you.
https://admin.microsoft.com -> Settings -> Partner relationships
Microsoft to the rescue!
Update: Because of confidentiality, the process/steps have been removed from the blog.
But what if there's absolutely no access anymore and your partners are unable to support you? What now? Then there's always Microsoft to the rescue, and this is exactly what I experienced a while ago. Brace yourself, because this can take a few days!
Microsoft will verify your identity first, to make sure you are the right person in this situation. I am not allowed to share the process anymore, for security reasons. As soon as your identity is verified by Microsoft, your ticket will be handed over to a support engineer who can solve the tenant lock-out, for example by reverting a change.
Hi Joey, thanks for your article.
So far my experience has been horrendous with Microsoft support. Would you be able to clarify, where you mentioned "Open A Ticket", exactly which options you selected when raising it?
From another tenant of mine I go to https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview and create a support request from there, selecting as options:
Type: Technical
Service: Azure Active Directory Sign-In and Multi-Factor Authentication
Problem type: Conditional Access / Tenant Lockout
The reason for selecting the problem type above is that my issue was caused after trying to enable the new policy to "Require Passwordless Authentication Strength" and not paying enough attention to the potential impact that the small note about MFA would have had, plus it was really late at night and I thought "oh go on". Felt like an absolute rookie again.
I raised this case as severity A (after purchasing an Azure Support Plan, Standard, at $100), but so far what I have experienced 24 hrs in is that someone from the team that can do the work calls me (probably from the Azure Product Team you mention), and then when they send the ticket to the Azure Data Protection Team the request goes into an "undefined state" and all my contact details get lost, as it is bounced to all sorts of places.
I have so far opened 3 cases this way and talked to more people than I've talked to in 2022 altogether, with most of them sounding completely bored with my troubles over the phone.
Was this a similar experience for you? Do you see any issues with how I am raising the case?
Same experience for us (Italy).
Dealing with the same, why is this so complex? Does anyone know how long it usually takes before the Azure Protection Team contacts you? Are they available 24/7? It's been almost a week, with numerous calls, tickets etc., and nothing is happening.
Hi James,
I'm not sure about their working hours, but I assume they have people across several geos. Were you already contacted by the Data Protection Team, who validate all the provided information? You have to handle their requests before you can proceed to the team who is able to solve the issue for you.
Hi Joey,
Same problem here. I did get a call from a Microsoft engineer and I think they escalated it to the Data Protection Team, but I will have to wait for a response.
This is really incredibly frustrating, but I really did cause it myself…
Hi Lars,
Unfortunately the procedure is very strict. Actually that's a good thing. If everything goes well and you can act quickly yourself (copies of passports, Chamber of Commerce (KvK) details, etc.), then you should expect at least a week. However, I also know of cases that took longer than a month.. be prepared.
Could you possibly start a VM in another tenant and another geo that can work around your mistake? Could you explain a bit more about your mistake? Maybe I can still do something for you.
Hi Javi,
How much time did it take you? I locked myself out because of a (location based) Conditional Access policy. What is your experience?
Regards,
Lars
Hi,
For all of you being in this situation: MS can restore access, it's just a pain reaching support and in the correct time zone. Our ticket was 3 days in the Data Protection team queue before an engineer was assigned to it. Then, during the day, access was restored.
Hope that will help you.
Do you get a choice of being assigned to the correct time zone? I only ever get a call from the States (if I'm really lucky). We are 8 days into this and still no resolution. We passed data protection requirements 7 days ago and since then we have had an engineer not understanding TXT records, two failed attempts to add an exception and then an assignment to the wrong team. 8 days is ridiculous, as it was a priority A ticket. We have multiple tickets, as Microsoft closes them to avoid going over the SLAs.
My experience, I am certain, is the most horrendous and not over even after no less than EIGHT days!!
I passed verification after 24 hours. Great! Or so I thought. Had no response as promised but managed to speak to the Data Protection Team (DPT) the following day. I was asked to put in ANOTHER TXT record for an SMTP pointer. Clearly these guys hadn't bothered to check MXToolbox, which showed this pointer was managed in our tenant and is simply a SaaS for appending signatures to emails. It shows the host as ns3-03.azure-dns.org, yet I was asked to contact GoDaddy!! I even sent in screenshots to verify the TXT record that had been added for our actual domain and the screenshot for the pointer, which is hosted in Azure. FIVE days after much calling (60+ calls) and promises of an engineer call back (I'd get a random call to say "an engineer handling the case will call"), no call. Eventually, the MS partner had a crack at it himself and put another Priority A ticket in. This was day 6. He called with the great news that it would be handled by the end of the day. The verification was complete on this day and our original TXT record for our domain was accepted. That was TWO days ago. We didn't get any calls to unlock the Tenant. The only update has been ANOTHER ticket created (THIRD so far), as the Team assigned to the second Priority A ticket failed twice to unlock the Tenant. The lockout has been caused by Phishing Resistant MFA. I checked with Microsoft first whether the 'strong authentication' that was required included Microsoft Authenticator and it does. They can't figure out why this would lock us out, but why they can't just disable the policy as a starting point, I can't fathom. Any ideas, as EIGHT days in is getting beyond a joke, especially considering the verification and TXT record were complete after 24 hours!!! The partner has just advised he's got through to someone to be told "it's with the back end team" and, get this, "the ticket has only been opened since yesterday".
I’m sorry to hear that. This must be an insane situation for you. Is the business running or is everyone completely out of business?
Having several tickets is something I have seen before. No worries.. If a department has handled a case they close it and create a new one internally for the other department. That's simply how they work..
Have you contacted your Microsoft contact, or asked the partner to do this? If there is a business outage they might raise the priority. Keep in mind that prio A is only if you are available 24/7! If you don't agree to that, the ticket stays at sev B.
Now, this just gets even better. I dare anyone to beat this. They’ve assigned the THIRD ticket to the wrong team, so now we have a FOURTH ticket and will need to pass verification AGAIN! F%f&*?!@
And then after two hours on hold, the partner gets cut off. Microsoft, you are a disgrace.
Partners can't do much except push their contacts. Because of the data protection/compliance rules they cannot create a ticket for you in this situation.
Hi Joey
Two things:
1. How does one determine the Tenant ID if one has no access due to being locked out of the tenant?
2. If the tenant ID cannot be retrieved, what other means are there of getting this issue resolved?
Thanks.