Have you ever wondered what to do when you lost admin access to your Tenant? Have u got a panic plan or any idea how to act when there’s absolutely no admin access to your tenant anymore? I’ll tell you about this based on my own (recent) experience.
How do you lose access?
There are many reasons why you can lose admin access to your tenant. These are a few things what can happen:
- Configuration mistake (Conditional access policy)
- Lost access to Multi Factor (MFA) device
- Azure MFA service having troubles
- Phone network unavailable (MFA SMS/Voice)
- Administrator left the organization
- Mad admin who removed other admin (roles) or disabled their accounts
Prevent losing access (Break Glass)
Microsoft advises to create at least 2 break glass admin accounts with different authentication methods. It is possible to separate both on MFA methods. Like one is using a OTP code and the other one is using a (FIDO2) security key for example. In this case you are still dependent on the Azure MFA service. It’s in fact a risk..
While we always want admin accounts to use MFA, Microsoft advises to have at least one (global) admin who is excluded from all MFA policies and thus can logon with a username and strong password. I know, it’s contradictory but losing all access is probably worse. Your identity Protection score will suffer from this and generate an advise to configure MFA. Ignore this one cause it is by purpose.
Best practices for Break Glass
- Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
- The emergency access accounts should not be associated with any individual user in the organization.
- The authentication mechanism used for an emergency access account should be distinct from that used by your other administrative accounts. For example, if your normal administrator sign-in is via on-premises MFA, then Azure AD MFA would be a different mechanism.
- The device or credential must not expire or be in scope of automated cleanup due to lack of use.
- You should make the Global Administrator role assignment permanent for your emergency access accounts. Exclude the account from any PIM or time based access requirement.
- Store the passwords in a secure way or lock! Prevent easy access to these passwords! Do not store the passwords of both accounts in the same locker. Probably keep them in a digital (secured) password tool in case the physical location is not accessible.
- Make use of a strong (random) password with at least 16 characters.
More information on Break Glass / Emergency Access can be found here.
What if even my Break Glass admin has no access anymore?
Unless you have a Break Glass account, there are still situations where these accounts are not available. For example if an admin removed the Break Glass accounts, removed their roles, disabled the users, reset the password. Maybe created a new CA policy and forgot to exclude the Break Glass accounts?
Most organizations have a MSP or CSP partner for some technical support and/or a reseller who delivers licenses to your organization. The old DAP relationship (partner relationship) mostly comes with Global Admin and Helpdesk Admin roles. Then check if you have a partner with those roles. They probably still have access and are able to support you.
https://admin.microsoft.com -> Settings -> Partner relationships
Microsoft to the rescue!
But what if there’s absolutely no access anymore? Your partners are unable to support you on this!? What now!? Then, there’s always Microsoft to the rescue! And this is exactly what I experienced a while ago. Brace yourself because this will take a few days! Most time was lost on explaining what the issue is and reaching the department/team who can really help you. Also, the procedure requires Microsoft to wait for at least 1 hour after every step! In this case I can tell you. Ask them to involve the Azure Product Team.. these are the people who can help you!
We had to create a ticket with Microsoft. Unless the severity was High or Business Critical and contacted our account managers to speed up the process, it took me a few days to regain access. The process is something like this based on my current experience:
1: Create a ticket with Microsoft. Give them the tenant ID which is locked out in your description. Tell them that no admin account has access anymore and your partners also have no access anymore. Otherwise this is the first question you will receive from Microsoft support.
2: Ticket is assigned to the Microsoft 365 Data Protection department/team. They verify if you are authorized for this request. There are a few ways to prove you are authorized.
- They try to contact the configure (technical) contact by Phone. They call the phone number which is configured in your tenant information. If you pick up the phone and they are able to verify it’s you, they can proceed to the next team.
- They send an e-mail to one of the Global Admins. If they respond EXACTLY what they ask within an hour the process continues to the next team. If the Global Admin did not respond they send e-mail to all users who have some administrator roles assigned. If they respond EXACTLY what they ask within an hour the process continues to the next team.
- If responding to one of the above e-mails is not possible, they ask you to create a TXT record in one of the verified (custom) domain names in the tenant. The TXT record value must be the exact same date of today (for example: 09-09-2022). Microsoft verifies this by using mxtoolbox.com. If so, the procedure continues.
- After completing the above steps they ask you to deliver the following legal documents. These must be uploaded to a Secure File Exchange link which you receive from Microsoft Support.
3: While being verified tons of times, they assign the case to the Azure Product Team or Office 365 Premier Support team. They ask you to do a failed logon once and send them the Request ID, Correlation ID and timestamp as shown in your failed logon details. This gives them ability to verify your Azure AD Sign-in logs and investigate the actual issue. In my case it was a Conditional Access policy.
And than there’s the moment we’re waiting for.. The ticket is finally escalated to the Azure Product Team or a Microsoft 365 engineer (Tier 3) who will unlock your tenant! In my case they excluded one verified global admin from a specific conditional access policy. I was now able to logon, regained access and immediately modified the CA policy which was causing troubles.
Hi Joey, thanks for your article.
So far my experience has been horrendous with Microsoft support. Would you be able to clarify where you mentioned “Open A Ticket” exactly which options you have selected when raising it?
From another tenant of mine I going to https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview and create a support request from there selecting as options:
Type Technical
Service Azure Active Directory Sign-In and Multi-Factor Authentication
Problem type Conditional Access / Tenant Lockout
Reason for selecting the problem type above is that my issue was caused after trying to enable the new policy to “Require Passwordless Authentication Strength” and didn’t pay enough attention to the potential impact the small note that MFA should would have had + it was really late at night and I thought “oh go on”. Felt like an absolute rookie again.
I have raised this case as a severity A – after purchasing an Azure Support Plan – Standard at 100$ but so far what I have experienced 24 hrs in, is that someone from the team that can do the work calls me (probably from the Azure Product Team you mention) and then when they send the ticket to the Azure Data Protection Team the request goes into an “undefined state” and all my contact details get lost, as this is bounced to all sorts of places.
I have so far opened 3 x cases this way and talked to more people than I’ve talked in 2022 altogether with most of them sounding completely bored with my troubles over the phone.
Was this a similar experience for you? Do you see any issues with how I am raising the case?
Hi Kay,
I picked the same categorie for my ticket. I experienced somewhat the same issues. Telling the first line support my was done like 3 or 4 times.. every time to a different support employee.
It took so much time explaining the issue and telling them (myself) who could solve the issue for me. It costed almost a week!
I had no issues with the ticket it self. But, i did see them closing the ticket and creating new tickets for different departments trough out the whole process.
Maybe i can share some contact information directly with you tomorrow. Maybe it helps to mention their names. These where the people who disabled the conditional access policy which locked me out.
Hi Joey,
Thank you for all this.
Experiencing a very similar issue.
After numerous call backs and waiting and repeating ourselves through the midnight/early am hours…
We are finally (or so we hope) getting to/close to Tier 3.
We have provide the error screen with #53003/CorID,ReqID,etc to the the currently assigned MSFT engineer and they ran some diagnostic tool but it keeps coming back with “sign-in is not a tenant lockout scenario; user who is signed in is not a global administrator in the resource tenant”. We provided a few GA logins, and definitely we know they are GAs. All the same.
Not sure if you went through this phase as well before getting it resolved finally. Would you be able to share those contacts you dealt with, we seem to be stuck at this moment.
I’ll send you a mail!
same experience for us (italy).
Hi Joey
Thank you for the accurate explanation. I also have the exact same problem as the others. Can you forward me this contact information you have from the right Azure team as well?
Thank you!
Hi Nils,
I’ll reply in a personal mail to you.
Dealing with the same, why is this so complex? Does anyone know how long it usually takes before Azure Protection Team contacts you? Are they available 24/7? It’s been almost a week, had numerous calls, tickets etc. and nothing is happening.
Hi James,
I’m not sure about their working hours but i assume they have people across several geo’s. Where you already contacted by the Data Protection Team who is validating all the provided information? You have to handle these requests before you can proceed to the team who is able to solve the issue for you.