Have you ever wondered what to do when you lose admin access to your tenant? Have you got a panic plan, or any idea how to act when there is absolutely no admin access to your tenant anymore? I’ll tell you about this based on my own (recent) experience.
How do you lose access?
There are many reasons why you can lose admin access to your tenant. These are a few things that can happen:
- Configuration mistake (Conditional access policy)
- Lost access to Multi Factor (MFA) device
- Azure MFA service having trouble
- Phone network unavailable (MFA SMS/Voice)
- Administrator left the organization
- Mad admin who removed other admins (or their roles) or disabled their accounts
Prevent losing access (Break Glass)
Microsoft advises creating at least 2 break glass admin accounts with different authentication methods. It is possible to separate the two on MFA method: for example, one uses an OTP code and the other uses a (FIDO2) security key. In this case you are still dependent on the Azure MFA service, which is in fact a risk.
While we always want admin accounts to use MFA, Microsoft advises having at least one (global) admin who is excluded from all MFA policies and can therefore log on with a username and strong password. I know, it’s contradictory, but losing all access is probably worse. Your Identity Protection score will suffer from this and generate a recommendation to configure MFA. Ignore that recommendation, because the exclusion is on purpose.
Best practices for Break Glass
- Create two or more emergency access accounts. These accounts should be cloud-only accounts that use the *.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
- The emergency access accounts should not be associated with any individual user in the organization.
- The authentication mechanism used for an emergency access account should be distinct from that used by your other administrative accounts. For example, if your normal administrator sign-in is via on-premises MFA, then Azure AD MFA would be a different mechanism.
- The device or credential must not expire or be in scope of automated cleanup due to lack of use.
- You should make the Global Administrator role assignment permanent for your emergency access accounts. Exclude the account from any PIM or time based access requirement.
- Store the passwords in a secure way, such as a safe or lock! Prevent easy access to these passwords! Do not store the passwords of both accounts in the same locker. Consider also keeping them in a digital (secured) password tool in case the physical location is not accessible.
- Make use of a strong (random) password with at least 16 characters.
More information on Break Glass / Emergency Access can be found here.
What if even my Break Glass admin has no access anymore?
Even if you have Break Glass accounts, there are still situations where these accounts are not available. For example, an admin may have removed the Break Glass accounts, removed their roles, disabled the users or reset the passwords. Or maybe someone created a new CA policy and forgot to exclude the Break Glass accounts?
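The "forgot to exclude the Break Glass accounts" mistake is easy to audit before it locks you out. The script below is an added example, not code from the original post: it takes Conditional Access policies in the shape returned by the Graph endpoint GET /identity/conditionalAccess/policies (here a constructed sample embedded inline, with placeholder object ids) and lists, per break glass account, every enforced policy that still covers it. It assumes the break glass accounts hold the Global Administrator role, so policies scoped to that role apply to them too.

```python
"""Audit Conditional Access policies for break-glass exclusions (added example)."""
from typing import Dict, List, Set

# Global Administrator role template ID (well-known Azure AD value). Policies
# scoped to this directory role hit break-glass accounts because they hold it.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def _user_scope(policy: dict) -> dict:
    # The user scope lives under conditions.users; a missing key means "nothing selected".
    return (policy.get("conditions") or {}).get("users") or {}


def policy_targets(policy: dict, user_id: str, groups: Set[str]) -> bool:
    """True if an enforced policy would apply to the given account."""
    if policy.get("state") != "enabled":  # report-only or disabled policies never block
        return False
    u = _user_scope(policy)
    included = (
        "All" in u.get("includeUsers", [])
        or user_id in u.get("includeUsers", [])
        or GLOBAL_ADMIN_ROLE_ID in u.get("includeRoles", [])
        or bool(groups & set(u.get("includeGroups", [])))
    )
    excluded = user_id in u.get("excludeUsers", []) or bool(groups & set(u.get("excludeGroups", [])))
    return included and not excluded


def find_lockout_risks(policies: List[dict], break_glass: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each break-glass object id (with its group ids) to the enforced policies still covering it."""
    return {uid: [p["displayName"] for p in policies if policy_targets(p, uid, grp)]
            for uid, grp in break_glass.items()}


# Constructed sample: placeholder ids, not a real tenant.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-1-object-id"]}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-breakglass"]}}},
    {"displayName": "Require compliant device for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID]}}},
    {"displayName": "Pilot policy", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}}},
]
BREAK_GLASS = {"bg-1-object-id": {"grp-breakglass"}, "bg-2-object-id": set()}

if __name__ == "__main__":
    for uid, hits in find_lockout_risks(SAMPLE_POLICIES, BREAK_GLASS).items():
        print(uid, "->", hits or "excluded from every enforced policy")
```

In the sample, the first account is only caught by the role-scoped device policy, while the second account was never excluded anywhere; both are the kind of finding to fix before an incident, not during one.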
Most organizations have an MSP or CSP partner for some technical support and/or a reseller who delivers licenses to the organization. The old DAP relationship (partner relationship) mostly comes with the Global Admin and Helpdesk Admin roles. So check whether you have a partner with those roles. They probably still have access and are able to support you.
https://admin.microsoft.com -> Settings -> Partner relationships
Microsoft to the rescue!
But what if there is absolutely no access anymore and your partners are unable to support you? What now? Then there’s always Microsoft to the rescue! And this is exactly what I experienced a while ago. Brace yourself, because this will take a few days! Most time was lost on explaining what the issue is and reaching the department/team who can really help you. Also, the procedure requires Microsoft to wait for at least 1 hour after every step! In this case I can tell you: ask them to involve the Azure Product Team; these are the people who can help you!
We had to create a ticket with Microsoft. Even though the severity was High or Business Critical and we contacted our account managers to speed up the process, it took me a few days to regain access. The process is something like this, based on my current experience:
1: Create a ticket with Microsoft. Give them the tenant ID that is locked out in your description. Tell them that no admin account has access anymore and that your partners also have no access anymore. Otherwise this is the first question you will receive from Microsoft support.
2: Ticket is assigned to the Microsoft 365 Data Protection department/team. They verify if you are authorized for this request. There are a few ways to prove you are authorized.
- They try to contact the configured (technical) contact by phone. They call the phone number configured in your tenant information. If you pick up the phone and they are able to verify it’s you, they can proceed to the next team.
- They send an e-mail to one of the Global Admins. If they respond with EXACTLY what is asked within an hour, the process continues to the next team. If the Global Admin did not respond, they send an e-mail to all users who have some administrator role assigned; again, an EXACT response within an hour is required before the process continues to the next team.
- If responding to one of the above e-mails is not possible, they ask you to create a TXT record in one of the verified (custom) domain names in the tenant. The TXT record value must be exactly today’s date (for example: 09-09-2022). Microsoft verifies this using mxtoolbox.com. If it matches, the procedure continues.
- After completing the above steps they ask you to deliver the requested legal documents. These must be uploaded to a Secure File Exchange link which you receive from Microsoft Support.
3: After being verified many times, they assign the case to the Azure Product Team or Office 365 Premier Support team. They ask you to perform one failed logon and send them the Request ID, Correlation ID and timestamp as shown in your failed logon details. This gives them the ability to check your Azure AD Sign-in logs and investigate the actual issue. In my case it was a Conditional Access policy.
And then there’s the moment we’re waiting for: the ticket is finally escalated to the Azure Product Team or a Microsoft 365 engineer (Tier 3) who will unlock your tenant! In my case they excluded one verified global admin from a specific conditional access policy. I was now able to log on, regained access and immediately modified the CA policy that was causing the trouble.