I've been locked out of my Microsoft 365 tenant for over 24 hours, along with two other Global Administrators, and I'm in desperate need of help. Here's what happened: following a hack where a tenant's MFA was turned off, an admin re-enabled MFA and set a Conditional Access policy that requires domain-joined devices to sign in. I confirmed all my devices are domain joined, but after agreeing to this policy, I found myself locked out along with the others. I've been calling Microsoft support nonstop for assistance but have received no communication. I've even attempted multiple automated systems and have submitted support tickets, but nothing seems to work. I've tried various methods like using Azure CLI and mobile logins, but they've all failed. I'm based in Japan, and with my business operations halted for 24 hours, I'm looking for any direct contacts within Microsoft or MVPs to help escalate this issue and get the Conditional Access policy disabled. Any insights or advice would be greatly appreciated!
5 Answers
Unfortunately, getting this sorted isn't a quick fix. It usually involves weeks of identity verification through DNS and other means. Best bet is working closely with the Microsoft Data Protection Team.
Once you regain access, consider these steps: set up a proper emergency access account, hire someone skilled in managing Microsoft 365, or find a third-party service that can directly liaise with Microsoft.
Your account being the 'break-glass' for emergencies is a bit concerning, but it seems it wasn't set up correctly. These policies can be tricky, especially since they mitigate certain access based on roles and conditions. You might want to clarify your settings with your team to prevent this from happening again.
Yeah, using a personal account as a break-glass isn't ideal. You should definitely have a dedicated account that’s exempt from any Conditional Access policies.
Sounds like a tough spot. Best practice is having that account with no MFA, secure it with a strong password, and monitor its usage closely.
You really should look into hiring a managed service provider (MSP) to help manage your Microsoft tenant in the future; it pays off when these emergencies arise.
It sounds like you need to get in touch with the data protection team directly at 1-866-807-5850. Unfortunately, this isn't usually resolved quickly; it can take weeks to get access restored.
I recently assisted a client with this, and they managed to recover access in about 72 hours, so don't lose hope!
I spoke with someone using a different number, specifically 1-877-696-7676, which worked for me, but it sounds like you're already on it.

And don’t forget red flags like having regular user accounts as emergency access! Always better to use dedicated accounts.
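An added example, not part of the thread: one way to check, before enforcing a Conditional Access policy, that a dedicated emergency access account is excluded from it. The policies are constructed in the shape of Microsoft Graph `conditionalAccessPolicy` objects; every ID and name and the `lockout_risks` helper are assumptions, and conditions other than user scope (apps, platforms, locations) are ignored, so the check errs toward flagging.

```python
# Added example: constructed policies shaped like Microsoft Graph
# conditionalAccessPolicy objects. All IDs and names are made up.
ENFORCED = "enabled"  # report-only and disabled policies do not block sign-in


def _matches(users, prefix, account):
    """True if the include*/exclude* lists under `prefix` cover the account."""
    if prefix == "include" and "All" in users.get("includeUsers", []):
        return True
    return (
        account["id"] in users.get(prefix + "Users", [])
        or bool(set(account["groups"]) & set(users.get(prefix + "Groups", [])))
        or bool(set(account["roles"]) & set(users.get(prefix + "Roles", [])))
    )


def lockout_risks(policies, account):
    """Return (policy name, controls) for enforced policies that bind the account."""
    findings = []
    for p in policies:
        if p.get("state") != ENFORCED:
            continue
        users = p.get("conditions", {}).get("users", {})
        # Exclusions take precedence over inclusions in Conditional Access.
        if _matches(users, "exclude", account) or not _matches(users, "include", account):
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        if controls:
            findings.append((p["displayName"], controls))
    return findings


BREAK_GLASS = {"id": "bg-0001", "groups": ["grp-emergency"], "roles": ["role-global-admin"]}
POLICIES = [
    {"displayName": "Require domain-joined device", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["domainJoinedDevice"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["role-global-admin"],
                              "excludeGroups": ["grp-emergency"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block all (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for name, controls in lockout_risks(POLICIES, BREAK_GLASS):
        print(f"{name}: emergency account not excluded, must satisfy {controls}")
```

Any policy it reports should get the emergency account added to its exclusions, or stay in report-only mode, before it is enforced.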