I made a rookie mistake today by activating a Conditional Access Policy and now I've locked my whole company out of our Microsoft tenant. Unfortunately, we don't have any break-glass accounts set up. I've been trying unsuccessfully all day to contact Microsoft for assistance. Does anyone have any direct contacts, email addresses, or anything that could help us regain access? I'm really desperate!
**UPDATE:** Microsoft managed to restore our access! After verifying my identity through a few emails, they resolved the issue. They mentioned that someone from their data protection team would reach out, but they never did. However, I'm back in, and I'm immediately creating break-glass accounts to prevent this from happening again. Thanks for the help, everyone!
6 Answers
When setting new Conditional Access Policies, always start with 'Report Only' and exclude your own admin account. It’ll give you warnings if you're about to lock yourself out! Also, consider getting a couple of cheap YubiKeys for your break-glass setup.
For sure! And don’t forget to keep those break-glass accounts safe and separate from normal operations.
You should reach out to your VAR (Value Added Reseller) who sold you the Microsoft 365 licenses.
If your licenses are handled through a CSP, they might be able to help you unlock things fast. Just be prepared for a bit of a wait with Microsoft if you’re acting solo.
Exactly what I was thinking! Too bad we don’t have a VAR because it's taking forever!
I’ve had a better experience when going through a CSP than directly with Microsoft. If you can, reach out to them!
I feel for you! A lot of us have been in your shoes. Don’t be too hard on yourself; it happens to the best of us. Just remember these hard lessons for the future!
Good luck! I've heard getting a quick response from Microsoft can be difficult. As a reminder, make sure to set up break-glass accounts soon. It might also be a good idea to create a logic app to audit your Conditional Access Policies for any exceptions and ensure regular testing.
Trust me, I’ve learned my lesson! This won’t happen again. I’m going all in on security measures!
Do you have any resources or examples for using a logic app to find exceptions? That would be super helpful!
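An added example, not part of the thread or any commenter's code: a Python check of the kind suggested above (report-only first, break-glass exclusions, auditing exceptions), run over Conditional Access policies in the JSON shape Microsoft Graph returns. The sample policies, the object IDs and the `BREAK_GLASS` set are constructed, and only direct user assignments are checked; group and role scoping would have to be resolved separately.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# GET /identity/conditionalAccess/policies (names and IDs are made up).
SAMPLE = json.loads("""
{"value": [
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["bg-0001", "bg-0002"]}}},
 {"displayName": "Block legacy auth", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["bg-0001", "user-4711"]}}},
 {"displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
 {"displayName": "Old pilot policy", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["user-1"], "excludeUsers": []}}}
]}
""")

BREAK_GLASS = {"bg-0001", "bg-0002"}  # assumed object IDs of the emergency accounts


def audit_policies(policies, break_glass=BREAK_GLASS):
    """Return one finding per policy that is enforced or in report-only mode."""
    findings = []
    for p in policies:
        state = p.get("state")
        if state == "disabled":
            continue
        users = (p.get("conditions") or {}).get("users") or {}
        included = set(users.get("includeUsers") or [])
        excluded = set(users.get("excludeUsers") or [])
        # A break-glass account is in scope if named directly or via "All".
        in_scope = {a for a in break_glass if "All" in included or a in included}
        findings.append({
            "policy": p.get("displayName"),
            "enforced": state == "enabled",
            # Emergency accounts this policy would still apply to.
            "break_glass_not_excluded": sorted(in_scope - excluded),
            # Exclusions that are not emergency accounts: review these regularly.
            "other_exclusions": sorted(excluded - break_glass),
        })
    return findings


def lockout_risks(findings):
    """Names of enforced policies that still apply to a break-glass account."""
    return [f["policy"] for f in findings
            if f["enforced"] and f["break_glass_not_excluded"]]
```

Feeding `audit_policies` the `value` array from a real export and alerting on a non-empty `lockout_risks` result gives the recurring check; report-only policies appear in the findings with `enforced` set to `False`, so they can be fixed before being switched on.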
Just a heads-up, you’re not alone! When you finally reach someone at Microsoft, they usually say it takes about three days to resolve it.
Three days? It’s usually longer—like more than a week for most! Better buckle up!

Great point! I didn’t realize that ‘Report Only’ could actually save me from potential lockouts in the future.