I've recently taken on the role of Head of IT for a company that's transitioning from being fully supported by a Managed Service Provider (MSP) to managing the IT function in-house. We aren't scheduled to completely offboard from the MSP until February, and we've been using Azure PIM for admin elevation in our MS365 tenant. So far, I haven't set up a break glass global admin account since I wanted to keep things smooth with the MSP. However, they've revoked our Azure P2 licenses, and now we're unable to access PIM roles or get global admin into the O365 tenant. When I reached out to Microsoft Support for an admin takeover, they informed me that since the MSP is still listed as our partner, they can't proceed due to potential unpaid invoices. They closed the case, stating they wouldn't get involved in any disputes. I asked the MSP for help, but they claim their GDAP access has been revoked. I'm at a bit of a dead end and could really use some advice here!
5 Answers
You might want to involve legal here. From what you’ve described, it seems like the MSP acted prematurely in revoking your licenses. They might be liable for this mess.
It sounds like a break glass account should have been prioritized. Even if the MSP was supposed to support you until February, it seems risky not to have set one up right away. Maintaining a good relationship with the MSP is important, but rushing this transition can lead to complications. Hopefully, you can get your access restored soon!
The MSP should definitely open a support case with Microsoft for you. They might still have some sort of access as a partner, even if it's limited now. It could be related to license expiration or a shift in their own policies as you come closer to the offboard date. Also, why wasn't there a break glass account created when they were still managing the system? That's a standard precaution that should have been in place.
You really need to sort out their access first before any takeover can happen. Once you get that cleared up, make sure to set up an emergency admin account to avoid this kind of situation in the future!
Getting the MSP to file a support ticket with Microsoft is key here. They should have access to Premier support and can help recover the global admin role. Just ensure they include your existing case number so everything is linked properly.
I agree, it sounds like a legal oversight on their part. If they have revoked access without proper process, that could be a real issue!