Need Help: All M365 Global Admin locked out after hack - Microsoft support has provided no comment / communication in 24h+
Posted by TECHN0B@reddit | sysadmin | View on Reddit | 155 comments
I need urgent help. I along with other admins have been locked out of our Microsoft 365 tenant for 24 hours now and Microsoft support has completely failed me.
Here's what happened:
- A tenant was hacked yesterday (he had turned his own MFA off somehow..)
- An admin re-enabled MFA / a Conditional Access policy requiring domain-joined devices to sign in.
- I double checked all my devices are domain joined. They were, so I agreed to let the admin apply the above.
- This locked me out as well as the other 2 Global Administrators
What I have tried:
- Called Microsoft 80+ times (mind numbing)
- Automated system forces me to website -> Website requires login -> locked out so that's useless
- Figured out how to game AI phone to get through to Agent.
- Submitted support ticket 24+hrs ago
- Just submitted a new ticket as maybe the engineer can't figure out how to operate a phone.
- Zero contact across 5 alt email addresses and 3 phone numbers. I have no missed calls, no emails in spam, junk, across 4 outlook/hotmail/gmail domains..
- dsregcmd /join - fails
- Registry keys CDJ and WorkplaceJoin both not working
- Azure CLI install attempted - failed
- Mobile app login - fails
- All browser workarounds - fails
- I have made an alternative Azure email, with the temp Biz trial to try and get support faster, this has also yielded nothing.
I am based in Japan. My business is completely dead for 24 hours. My Account was supposed to be the breakglass account but evidently not.
We own our MSOFT outright so not through a provider.
Does anyone have a direct Microsoft escalation contact, MVP contact, or any way to get this CA policy disabled from outside the tenant? I am desperate. Any help appreciated. Thank you.
Relative_Test5911@reddit
When you get your tenant back you need to do one (all) of the following
1. Set up an actual back door account: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
2. Hire someone in your company who knows how to manage a Microsoft tenant. (You should be able to sell this now.)
3. Get a 3rd party in the middle who has direct access to MS and can restore your tenant.
cluberti@reddit
If they use an MSP partner, they can give that partner lighthouse access to their tenant. It is good for day-to-day management by the MSP, but also helps in this exact scenario. Also, if this tenant is business-critical and an org is going to manage their tenant themselves, pay for a Unified support agreement with MS to get a CSAM and an Incident Manager who can help manage and escalate stuff like this. They can’t fix support quality, unfortunately, but they can get things moving through support when they aren’t. That can be expensive, though, so a lighthouse MSP (if they’re good) might be the better option in that case.
Febre@reddit
“My account was supposed to be the breakglass account”
My brother in tech.. wut?
Hollow3ddd@reddit
I can see this happening. Test it quarterly. You have a few hands in the pot, mistakes can happen through CA policies very easily.
Security admin is a hell of a role
1RandomUsernameAgain@reddit
He used chatgpt to set up conditional access policies and made his account a member of the Breakglass group (no CA policy applies to it)
StatementNext682@reddit
Isn't this how it's done? I worked for an MSP and they did this.
Ur-Best-Friend@reddit
"Breakglass accounts" should function like the name implies. They're only there in case of emergencies where nothing else works. If you've got a key in a "break glass in case of emergencies" box, you're not breaking the glass every day to lock and unlock your house.
My current place of work has this account with a ~25-character random password written in an envelope and stored in a safe, it hasn't been used since it was set up.
darkytoo2@reddit
Does that seem like a good practice to set up an account like that, then never test it? Hopefully you have MFA configured on that since it's required now...
Ur-Best-Friend@reddit
Nope, which is why we do test it. I already went over this in another reply. We test it but we haven't ever had to use it outside of that.
It is not required on an on-prem AD account.
darkytoo2@reddit
Sorry, I didn't read every reply. Of the customers I deal with, 25% have it correctly configured, 25% have nothing and may not even know what a break glass is, and the other 50% have it configured, but have either never tested it, or missed all the new MFA requirements or have never tested it.
Not sure if you are m365, but if you have defender for Identity, I recommend putting the on prem break glass in your honey token accounts too.
Ur-Best-Friend@reddit
Totally understandable, and tbh this is the first place I've worked so far that's remotely close to having a well secured environment (still plenty of room for improvement, but that's pretty much universally true).
My last employer was on a Windows 2008 DC with every old employee and every long gone PC still active in AD, including ones with a "password never expires" attribute and made long before complexity requirements were turned on. I never tested it, but I wonder how many of them had a password of "1234".
MelonOfFury@reddit
I hope you have a yubikey or something stashed in that envelope too because even break glass accounts require MFA in the admin portals now.
Ur-Best-Friend@reddit
Well, not for on-prem AD!
YellowF3v3r@reddit
It can if you secure them with MFA via DUO or something else.
Ur-Best-Friend@reddit
You absolutely can, I was only saying they're not required. We do have MFA for all accounts with elevated access rights, but on-prem AD MFA tool integration can be surprisingly finicky and prone to randomly breaking, which is a situation we have experienced before and are not eager to repeat. Hence, no MFA on the breakglass accounts.
WearinMyCosbySweater@reddit
Similar, but it's a yubikey in a safe
TheDarthSnarf@reddit
Never have just one Yubikey. They do fail.
iama_bad_person@reddit
We have 3, at mine, my bosses and the GM's house.
f0gax@reddit
Why not both?
TheFumingatzor@reddit
I hope you will never need to use it. Since you are not testing and auditing it.
Ur-Best-Friend@reddit
We do yearly AD audits and test the account periodically as well. I don't know the exact schedule because it's not my responsibility, but I could check our documentation if you're really curious. We also do it whenever we make significant changes to our environment like upgrading the domain controller VMs.
I said we don't use it. I didn't say we don't test it. If I say "I have an old 1978 Mercedes, but I don't actually drive it", that doesn't mean I don't have it serviced periodically.
TheFumingatzor@reddit
Then you do use it, if you test it. You can only test it, if you actually use it, to see if it actually does work as intended.
Ur-Best-Friend@reddit
So in the hypothetical example I've given - you would say I do drive a 1978 Mercedes? Even if the total mileage for the past 10 years is like 20km? If I scan my Adobe CC installation folder, does that count as me using Photoshop? I tested that it's safe, after all.
Ultimately this is just a semantic argument on what counts as use and what doesn't, and semantics are boring. I'm totally fine if you want to classify what I said as "use", in which case what I meant was "we haven't used it beyond periodic testing to make sure everything functions correctly." It hasn't been used to actually do regular work with, which is what I tried to get across with my comment, which I think was fairly obvious.
NoPossibility4178@reddit
It's completely irrelevant if it's used every day or not as long as it's set up correctly (i.e. actually bypasses security).
Ur-Best-Friend@reddit
You're telling me it's irrelevant whether you use accounts that "bypass security" on a regular basis? In other words, multifactor authentication is irrelevant?
NoPossibility4178@reddit
You're just intentionally (or not) reading past what I said. The account was poorly set up. It's irrelevant if it's used every day or not, that contributes 0 to the fact that OP got locked out, there isn't a usage limit and then the account is like "oh you actually need to break the glass now but have been doing it every day? guess I'll just not work."
Ur-Best-Friend@reddit
Nothing about my comment was a response to OP in this post - it was a response to the person who worked for an MSP that used breakglass accounts incorrectly.
If you (intentionally or not) respond to me with nonsense that isn't even related to the post of the person I was addressing, don't expect me to magically know that's what you're doing.
Where exactly did I claim it did again?
NoPossibility4178@reddit
You were replying to someone asking how a break the glass account should be from a technical level and you go on about how they aren't meant to be used every day, that has 0 relevance to the technical aspect.
Literally your first paragraph of your comment is going on about how they are being used incorrectly, not implemented incorrectly. In fact your entire comment was completely irrelevant. Your 25 character piece of paper in an envelope in a safe is completely irrelevant to someone asking if a break the glass account should follow conditional policies or not.
But maybe you replied to the wrong person, in that case sorry for the rant.
Ur-Best-Friend@reddit
Read the comments again. This was the sequence:
Everyone seemed to understand this just fine, except you, for some reason. Whether or not you should add your own user account to a particular security group is both a question of implementation (is it smart to add the account to the group), as well as use (is it smart to use an account that's a member of a particular user group as your daily user account).
Stop trying to move the goalpost. Can you quote the part where I said that using the account incorrectly contributed to OP getting locked out? What is the problem with me talking about how a particular type of account should be used?
Read the thread again. Arguing with you over you not having reading comprehension is getting tiring, and I'm done trying.
spacejam_@reddit
Worth testing it. No point getting to where you need it and realising it doesn't work as intended.
winky9827@reddit
Indeed. Better still, set up log alerts to fire off when the account is used so everyone knows it.
Ur-Best-Friend@reddit
Absolutely - that's part of "setting it up". But you shouldn't be using an account without MFA protection on a regular basis or you might as well just remove MFA from all your accounts.
BlackV@reddit
Er... You should be testing (and auditing) that account
Cooleb09@reddit
Breakglass account should be separate to normal admin accounts.
StatementNext682@reddit
Understood, I must've just been interpreting this whole conversation up to now.
davy_crockett_slayer@reddit
I mean, you’re supposed to do that. You also need MFA enabled and access to the account monitored.
Fritzo2162@reddit
Yeah, I spit my drink out too. A break glass account is the account with all the keys that is buried somewhere and never used. Dude was using the fire alarm as his alarm clock.
TECHN0B@reddit (OP)
Brother, it's a small company; this was set up by some engineer a while ago. I am a portfolio manager, we are about 5 people, so they used my acc as the break glass :).. no clue, hence why I'm here asking for help.
Ur-Best-Friend@reddit
You need someone at least somewhat competent in charge of your IT, or this type of stuff will keep happening to you.
I don't mean any offense with that, but this is like saying you store the passcode for a safe in your local pub with paper instructions on where to find the safe, how much money is inside it, and what time of day no one is there to protect it.
ncc74656m@reddit
Don't forget the code with the directions as to which way the wheel should spin.
champagneofwizards@reddit
If it’s your daily driver then it is not a break glass account.
Mindless_Consumer@reddit
Broke glass account
Patient-Stuff-2155@reddit
next step is broke ass bank account
jon_tech9@reddit
Please forgive me for laughing
Mrhiddenlotus@reddit
No you see its a sleeper agent break glass
Unnamed-3891@reddit
So there was no actual breakglass account and your regular account is likely how they got in. Congratulations. Maybe use actual breakglass accounts next time.
StatementNext682@reddit
Is there a problem with breakglass accounts?
wazza_the_rockdog@reddit
No problem with break glass accounts if they're set up correctly - a break glass account should not have any conditional access policies applied to it, and definitely shouldn't be someone's regular account. Sounds like OP's company doesn't realise that you can have admin accounts in m365 without a license.
FellOverOuch@reddit
No, this just isn't how you use one
ke-thegeekrider@reddit
Be kind 😁
BenWavyyy@reddit
Maybe you could call a distributor to create a ticket with much more urgency
OkVeterinarian2477@reddit
You own the domain. Set up Google Workspace and redirect emails there so at least your emails start working. This allows SOME work to resume and users have access to offline outlooks so existing emails, contacts etc are accessible. Assuming you backup SharePoint data you can restore it elsewhere.
This will give you time to work on Microsoft side of things. Hope someone at Microsoft helps you with this or go to a CSP because that provides another way to MS support.
deeclause@reddit
Always exclude the breakglass account from new CA policies until you test. Lesson learned. Also, please use the what if tool
igiveupmakinganame@reddit
doesn’t your device have to be not only recognized as a corporate device, but compliant? maybe it’s not compliant?
Top_Floor6422@reddit
Technically, the breakglass account is only accessible if the account is not completely-assed-out.
Top_Floor6422@reddit
Microsoft support is some of the worst in the world, my account was down, I have had a ticket open for over a week, they emailed me three times to confirm my phone number which I confirmed three times, no phone call. Despite his office hours being on right now, the person on the phone informed me they were offline, and then pretended not to be able to hear me over and over and hung up. Never called me back, never got the IT phone calls they promised. I would love some recos of some alternatives.
robotbeatrally@reddit
last time i needed them it took like 3 weeks. granted it was not nearly so urgent of an issue but it was something impacting like 3 people from working which is not a small deal either
Patient-Stuff-2155@reddit
It is insane to me that some people here seem to think that having no MFA on breakglass global admin account is a completely normal thing, or using it for regular admin tasks.
The whole point of breakglass is to be the in-case-of-emergency admin if actual admins get locked out or the only existing admin gets hit by a car or disappears without a trace etc.. Its only job is to let real admins regain access or appoint a new admin when one is not available.
cdoublejj@reddit
wouldn't a break glass account be tied to yubi key in a fire resistant safe somewhere?
Patient-Stuff-2155@reddit
yes, that is the phishing resistant MFA method recommended for breakglass accounts. physical security key and disaster recovery instructions
Unnamed-3891@reddit
in-case-of-emergency… such as MFA not functioning or cond access policies going haywire. OF COURSE the breakglass does not have MFA on it.
Patient-Stuff-2155@reddit
you obviously haven't visited the CA config page in years if you think this is the case. all admin accounts are forced to have MFA, there was a huge notification banner about it for a long ass time before it was forced, and any security conscious admin would have had it already set up from the beginning anyway. look into the phishing resistant MFA option.
The reason global admin MFA went haywire in the first place is probably because it wasn't set up correctly and was locked out once it was a requirement, OR the account with global admin privileges got hacked because it didn't have MFA.
If the account with the power to disable everyone else's MFA and take down the whole tenant doesn't require it, then there is no point to enable MFA at all.
fuzzyfrank@reddit
Isn't this a Microsoft-managed CA policy? You can exclude identities from it (like your breakglass) if you wanted.
Patient-Stuff-2155@reddit
it was optional for a while and enforcement started gradually. I can't tell you how it actually affected those that didn't have it, since I believe that most admins had it enabled for themselves anyway and probably just forgot about the breakglass accounts they set up many years ago without it.
https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
redwing88@reddit
Here is how to get your email flowing again:
Go to Spamhero and set up an instance of your broken domain so mail starts spooling and isn’t lost
Spin up a new tenant on a similar domain of your company whose DNS you control, so if your domain is company.com, buy/set up company.net. Set up a new 365 tenant with the cheapest exchange licenses and add the new domain to it and create the users and passwords.
Set up Spamhero to do account translation; basically it will “forward” email addressed to user@company.com to user@company.net and it’ll land in your temporary 365 tenant and your users can respond.
It will preserve the from, to, cc and bcc; however, when you reply it’ll use the new domain, which is fine. Notify your clients of this temporary measure as legitimate.
Feel free to dm if you need additional guidance
dzpowers@reddit
Excellent advice
AnotherTiredDad@reddit
OP, this is good advice assuming you still have access to your dns.
Do it sooner than later and make sure your contact info isn’t tied to your original domain ASAP.
If you lose your dns, it’s game over. Do it NOW.
FearlessSalamander31@reddit
This will not be settled over a ten minute phone call; this usually takes weeks of identity validation through DNS, business license, and credit card transactions. Your only hope is the Microsoft Data Protection Team.
FearlessSalamander31@reddit
Red Flags of note:
The "Personal" Break-Glass: Having an ordinary user account as your fall back method for getting in.
The MFA Trap: Not having a "phishing resistant" or "policy exempt" key fob that is locked up safely.
TECHN0B@reddit (OP)
Agreed on the above, will either go through a retailer after this sub ends or migrate to proton.
Will look at implementing those once access is granted thank you.
kirashi3@reddit
Migrate to Proton? As in, ProtonMail? For business use? Sure, but that won't solve the root cause of what happened here. In fact, if you lose access to your stuff hosted on ProtonMail, it's likely gone for good, as in nobody can help you recover at all.
dedXlights@reddit
They have mfa issues and now want to complicate things by trying to have custom domains.
TECHN0B@reddit (OP)
Lol not a now thing. Realize it's an internal eff up, but not happy with the support either from Msoft so thinking out loud on the above.
cdoublejj@reddit
yeah MS is on the downtrend and has poor support.
dedXlights@reddit
I see you are in Europe. Please be mindful of GDPR.
disposeable1200@reddit
Why is Japan in Europe?
cdoublejj@reddit
if you migrate to Proton i'd like to hear how it goes. i imagine they are trending up right now.
thortgot@reddit
Going through a retailer would not have solved your problem in the least. Migrating to Protonmail doesn't solve your problem.
You need competent IT management; either use an MSP or hire someone.
Rubenel@reddit
I am happy to see these posts. It gives us all credibility when we lock ourselves out of M365 and the CEO asks ChatGippity if this is a common issue. After scraping the inter-webz, ChatGippity reports YES! and the CEO calms down.
Brandhor@reddit
it's ridiculous how most people here are dissing and saying to use a break glass account instead of actually being helpful
imagine you fall while skating without wearing any protection and you break half your bones, you call an ambulance and when they arrive they ask you where your helmet is and then they leave you on the street
Cykablast3r@reddit
Well no, r/sysadmin isn't the ambulance in this scenario, Microsoft support is. Ambulance has already been called, so it's perfectly reasonable for bystanders to say "probably should have worn a fuckin' helmet" while waiting.
Frothyleet@reddit
Or like the analogy is if someone's like "omg bystanders please help why do I have brain injury, I made a DIY helmet at home" and we're like dawg you don't have the expertise to make your own helmet, you need to outsource to a professional, and it sucks but you're just stuck waiting for the doctors to fix your brain
ReputationNo8889@reddit
What's there to be helpful about? They lost tenant access and are at the whim of Microsoft's support? Only thing you can do is provide a number to call, that has happened already.
Brandhor@reddit
sure but it's not the first time people in this subreddit act this way
we all make mistakes and saying you fucked up and should have done this instead is not really helpful
Kumorigoe@reddit
This is the second post I've seen in less than a week where a small team got locked out of their tenant and didn't have a proper break-glass account set up. And of course the OP "isn't a tech engineer", so doesn't understand why they're in the situation they're in.
I honestly think there's a large group of businesses out there treating an Azure tenant like any other subscription and not understanding the importance of having it set up and configured by people that know what they are doing.
As to your example of ice skating, a more apt way to put it would be, "the instructor told you in no uncertain terms that you needed to wear protection or you risked serious injury, and you said you didn't need them and to buzz off". Because believe me, when you're setting up a tenant and your GA accounts, there is a big-ass warning about making damn sure you have a break-glass account to prevent this exact scenario. And you get effectively the same warning when setting up Conditional Access.
ReputationNo8889@reddit
I would argue it is, because a fuck up of this magnitude should not be treated lightly. Someone without experience decided to mess with CA and locked themselves out? Even Microsoft says "Make sure to not lock yourself out", that's what audit mode is for. So if one skips all the safeguards I find it reasonable to say "you should have done that instead". This might not help right now but will help for future fuck ups.
Top_Floor6422@reddit
Ohh gosh I thought this was just me....I have been trying to get someone on the phone. I finally did and she pretended she could not hear me, told me my IT person was offline, then pretended she could not hear me three or four times and hung up on me.
lavoy1337@reddit
Thought this was r/shittysysadmin for a second there
eejjkk@reddit
Just use your "Break Glass" account that has Security and CAP policies applied/not applied to it to circumvent this scenario?
dogpupkus@reddit
So what’s the best practice on this? I seem to think that I want my break glass to have zero MFA/FIDO2/CAP, but a super complex password and a trove of detections built around its use- simply for scenarios like this. However I’d hate to have a TA exploit this weakness.
teriaavibes@reddit
Not possible, you need MFA.
dogpupkus@reddit
Where does that challenge go? e.g. if Authenticator is used, or let’s say SMS, who receives the push?
teriaavibes@reddit
The person who owns the method that was registered?
Not sure I understand the question, it works exactly the same as with any other account.
dogpupkus@reddit
My interpretation of a break glass account is an individual account, something that no one owns, is never used and is always enabled but dormant. In an emergency that requires break glass, a password is obtained from its secure location, with a detection upon said password access, where it can be logged into by any number of privileged users who otherwise have zero tenant access, which would trigger additional detections.
As such, it would be silly to have the MFA go to an individual admin, as any number of admins may need to use it in an emergency.
In reflection, I see FIDO2 as the only effective method here, such as a Yubi, with the token being available in an all admins accessible location (eg vault in a DC, etc.)
DragonspeedTheB@reddit
What would you do in a Global company?
dogpupkus@reddit
I think it depends. Where are your Cloud Engineers / Privileged Infrastructure team located? Do you have more than one tenant, or is everything consolidated into one Entra ID tenant?
DragonspeedTheB@reddit
In three different continents to cover the time zones. No point in having them in one continent only.
dogpupkus@reddit
Here is what I would do:
Per tenant, you have one break glass account. It needs an incredibly complex and long password. To prevent usage of the break glass account and keeping it phishing/compromise resistant (preventing cached password hashes or session theft) each account should have its password stored in its respective global office only where there are Azure Global Administrators. Ideally in an access controlled location that is always, but only available, to said Global Administrators. (e.g. a small vault in the data-center and only the Global Administrators know the code.)
e.g. You don't need the EMEA password stored in Americas. EMEA Global Admins need the break glass account for their own tenant however, and their own tenant only.
Each location where a password is stored should have TWO YubiKeys associated with the account for MFA that are also stored in this vault. (A primary, and a backup YubiKey.) This form of MFA prevents a challenge going to a single individual which would otherwise create a bottleneck/single person risk (what if that person is on vacation, or out to lunch and has no idea what is going on, and time is of the essence?)
Anyone with the YubiKey can complete the MFA challenge, and if you have the password, you have the YubiKey. The goal is to keep this as accessible as possible but only to authorized users.
The break glass account should be set up like a canary account, with a multitude of alerts that trigger upon it performing any interactive or non-interactive activity, e.g. logins. These alerts should go globally to all tenant Global Admins. While alerts are reactionary, you'd have a few minutes to make a decision on whether its use is legitimate.
DragonspeedTheB@reddit
OK - and I guess since it’s a single Global tenant, you basically set up 3 break glass accounts… one for each region so that if the brown goo hits the fan at any time, it SHOULD be resolvable.
dogpupkus@reddit
One could argue, and perhaps debate, whether three regional break glass accounts are appropriate.
Perhaps in a single large global tenant, one break glass may suffice, with its password distributed securely to each region that has global admins.
Likely a bigger question here: Which region is ultimately responsible for disaster recovery and who takes the lead? What do those BCP/DR plans say? It may be the time when the disaster happens, so folks on the East Coast USA are not scrambling to figure things out at 2AM their time.
Otherwise, I foresee a lot of disorganized decision making and 'toe-stepping' that could drastically complicate recovery.
RCTID1975@reddit
IMO, that yubi shouldn't be accessible by all admins.
This should be a documented process in your disaster recovery documentation, and that key stored with that document.
The only people that have access to that are the DR team.
teriaavibes@reddit
Yup, your logic makes sense here.
But that doesn't prevent you from just registering it to your phone number or phone authenticator app. Stupid idea but wouldn't be my first time seeing it.
Master-IT-All@reddit
FIDO or cert, nothing else is generally considered acceptable for phishing resistance.
SMS is not acceptable for anyone for MFA, Microsoft Authenticator is the minimum acceptable and even that isn't acceptable for serious security as it is not phishing resistant.
Patient-Stuff-2155@reddit
ours is a specific breakglass account tied to a physical security key login, locked in the company safe with instructions, not tied to a real user.
dogpupkus@reddit
Of course, I was being hypothetical. I’m 100% number-matching Authenticator.
khaos4k@reddit
Best practices is to use FIDO2 on your break glass accounts and put them in their own phishing resistant policy. Then exclude them from all the other policies.
eejjkk@reddit
100% correct
iamLisppy@reddit
Ya, my understanding of a break glass was you don't want MFA on it but everything else you mentioned. I would love to be told why that is wrong to better my own understanding.
teriaavibes@reddit
Your understanding is wrong, most admin portals now require MFA on sign in so if you have break the glass without MFA, you don't have a break the glass.
eejjkk@reddit
100% correct
TECHN0B@reddit (OP)
So they designated my account as a break glass, though I am not a tech engineer, and the admins still applied this policy yet my account is useless so, needless to say I'm not happy :) but yeh it should have been configured like you said.
eejjkk@reddit
Break Glass accounts aren’t associated to an actual user account intentionally and by design.
TECHN0B@reddit (OP)
Yep will make a new one after all this settles with the info above, you guys have been insightful thank you.
Alaknar@reddit
When setting up a new BG account, set it up with some stupidly long password (like 128+ characters), and set up three YubiKeys for it. One goes to the CEO, one goes to whoever is the head of IT, one goes in a safe where the C-suite and maybe IT has access.
Set up alerting for whenever the account is used.
Ensure the account is excluded from your CA policies so it cannot be locked out for whatever reason.
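An added check for the last point above (and for the "exclude the breakglass from new CA policies until you test" and "put them in their own phishing-resistant policy, then exclude them from all the other policies" comments earlier in the thread). This is not code from the thread or from Microsoft: it lints Conditional Access policy objects in the field shape Microsoft Graph returns for its conditional access policies (`displayName`, `state`, `conditions.users.includeUsers` / `excludeUsers` / `includeRoles`, `grantControls.authenticationStrength`) and reports every enforced or report-only policy that would still apply to the break-glass account, allowing exactly one dedicated phishing-resistant MFA policy scoped to it. The object ids and role template id in the sample are constructed placeholders; the built-in strength id is the documented one but should be confirmed in your tenant.

```python
"""Lint Entra Conditional Access policies for break-glass hygiene (added example)."""
from __future__ import annotations

import copy

# Built-in "Phishing-resistant MFA" authentication strength id as documented for Graph;
# confirm it against your tenant's authentication strength policies before relying on it.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed sample values (placeholders, not real tenant ids).
BG_ID = "11111111-2222-4333-8444-000000000001"
GA_ROLE_TEMPLATE = "PLACEHOLDER-global-admin-role-template-id"
SAMPLE_POLICIES = [
    {"displayName": "Require compliant device - all users", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Require MFA for admin roles", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": [], "includeRoles": [GA_ROLE_TEMPLATE], "excludeUsers": [BG_ID]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Break-glass: phishing-resistant MFA", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": [BG_ID], "excludeUsers": []}},
     "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}}},
    {"displayName": "Block legacy auth", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["block"]}},
]


def _users(policy: dict) -> dict:
    return policy.get("conditions", {}).get("users", {})


def policy_targets(policy: dict, bg_ids: set[str], bg_roles: set[str]) -> bool:
    """True if the policy's user scope still covers at least one break-glass account."""
    users = _users(policy)
    if bg_ids <= set(users.get("excludeUsers", [])):
        return False  # every break-glass account is explicitly excluded
    included = set(users.get("includeUsers", []))
    if "All" in included or included & bg_ids:
        return True
    # Role-scoped policies ("all admin roles") also reach the account through the roles it holds.
    return bool(bg_roles & set(users.get("includeRoles", [])))


def is_dedicated_break_glass_policy(policy: dict, bg_ids: set[str]) -> bool:
    """The one policy that SHOULD target break-glass: enforced, phishing-resistant MFA, scoped only to it."""
    users = _users(policy)
    strength = policy.get("grantControls", {}).get("authenticationStrength") or {}
    included = set(users.get("includeUsers", []))
    return (policy.get("state") == ENFORCED
            and strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID
            and bool(included) and included <= bg_ids
            and not users.get("includeRoles"))


def audit_break_glass(policies: list[dict], bg_ids: set[str], bg_roles: set[str]) -> dict:
    """Return findings (policy name, message) plus the dedicated policy name(s) found."""
    findings: list[tuple[str, str]] = []
    dedicated: list[str] = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        state = p.get("state")
        if state not in (ENFORCED, REPORT_ONLY):
            continue  # disabled policies cannot lock anyone out
        if is_dedicated_break_glass_policy(p, bg_ids):
            dedicated.append(name)
            continue
        if not policy_targets(p, bg_ids, bg_roles):
            continue
        if state == REPORT_ONLY:
            findings.append((name, "report-only but targets break-glass; it will lock the account out once enabled"))
        else:
            findings.append((name, "enforced and targets break-glass; add the account to excludeUsers"))
    if len(dedicated) != 1:
        findings.append(("<tenant>", f"expected exactly one phishing-resistant policy scoped to break-glass, found {len(dedicated)}"))
    return {"ok": not findings, "findings": findings, "dedicated": dedicated}


def with_break_glass_excluded(policies: list[dict], bg_ids: set[str]) -> list[dict]:
    """Copy of the policies with break-glass added to excludeUsers everywhere except the dedicated policy."""
    fixed = copy.deepcopy(policies)
    for p in fixed:
        if is_dedicated_break_glass_policy(p, bg_ids):
            continue
        excl = p.setdefault("conditions", {}).setdefault("users", {}).setdefault("excludeUsers", [])
        excl.extend(sorted(bg_ids - set(excl)))
    return fixed


if __name__ == "__main__":
    report = audit_break_glass(SAMPLE_POLICIES, {BG_ID}, {GA_ROLE_TEMPLATE})
    for name, msg in report["findings"]:
        print(f"[{name}] {msg}")
    remediated = with_break_glass_excluded(SAMPLE_POLICIES, {BG_ID})
    print("ok after remediation:", audit_break_glass(remediated, {BG_ID}, {GA_ROLE_TEMPLATE})["ok"])
```

Run it against a policy export before enabling any new policy; the report-only finding is the case that bites later, since a report-only policy looks harmless until someone flips it to enforced without re-checking exclusions.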
ReputationNo8889@reddit
Make sure to also have the password stored somewhere you can get in without Microsoft Account Login. Seen a couple of incidents where someone stored that password in a password manager and then could not access it to get the BG Password
The-IT_MD@reddit
Sysadmins like this keep MSPs in business. 😅
blotditto@reddit
Until they realized how fucked up and disorganized most MSP's are! LOL
The-IT_MD@reddit
That’s true and those MSP help me too!
blotditto@reddit
Same here! Haha
an_anonymous-person3@reddit
The breakglass account should be separate. That is the point. In my current org, if we use it, every admin gets an email with detailed info of the login using that account.
envyminnesota@reddit
Not sure what to tell you… when you create a CA policy it tells you to do xyz to avoid locking yourselves out. Even in the require domain joined device, I’ve seen mine say it’s not when using an in private browser when it is. If you haven’t tried all the browsers, and not incognito/in private, it’s worth a shot. What are you actually seeing in failed sign in logs for CA reason?
HankMardukasNY@reddit
So many things wrong here. Anyway, you need to talk to the data protection team at 1-866-807-5850. It will most likely take several weeks to get back in
TECHN0B@reddit (OP)
I know I'm not a tech person, I manage accounts, small team. Thank you for the number, I have spoken with them but through patching of the 1-877-696-7676 or 1-800-865-9408 number.
Grantsdale@reddit
So now that you know you don’t know what you’re doing, you should probably hire a provider that does.
TECHN0B@reddit (OP)
Agreed on that.
PsychoGoatSlapper@reddit
Props for the humility
wonderwall879@reddit
seriously props to him. Takes a lot to admit you need to hire someone. The GUI that O365 administration provides tricks people into thinking they'll be fine managing it themselves. Especially if the company is small.
Rough way to find out. This kind of thing can kill a business.
ncc74656m@reddit
I think also there was just the whole "Someone told me this is how it should work" deal, and since they're not in tech, this isn't really on them. Very few people know what they don't know, and that number seems to be expanding at a pace equivalent to the universe's expansion from the Big Bang.
Broad-Celebration-@reddit
I had to help a client navigate this process recently and it only took around 72 hours from start to finish. I was pleasantly surprised.
ncc74656m@reddit
That's a relief to know for when my Executive Director orders me to shut off the last of our security and it does exactly what I’m telling them it will do. 😅 Hopefully that's 72 business hours, cause I ain't doing it on my time.
Much_Mention8165@reddit
"If you are the only global admin on the account and are blocked entirely, you can reach out to the Azure / 365 Data Protection team to restore access. 866-807-5850 (number reported to be out of service on Feb 5, 2026)"
https://learn.microsoft.com/en-us/answers/questions/1396131/data-protection-team-support-contact
Much_Mention8165@reddit
Additionally, in the official guide the number is still in place:
https://learn.microsoft.com/en-us/partner-center/account-settings/unable-to-sign-in
RCG73@reddit
Data protection team and two weeks. Alternatively, are you using a distributor? Sherweb, Rivervalley, etc. If so, they would have GDAP and can assist. If you’re direct, you’re waiting on Microsoft.
techtornado@reddit
Data protection took a little over a day to recover one of our accounts
RCG73@reddit
It’s at the whim and timing of whoever you get assigned and how bad their workload is. You may get real lucky or may not. I’ve somehow got stuck with doing 3 of these already this year. Been great for proving to small companies that no, you shouldn’t just have your cousin do your IT.
biorobot_@reddit
From the post I do not understand how he got locked out. Can someone explain to me, please? Like, what was done wrong?
RCTID1975@reddit
They created a conditional access policy that wasn’t set up correctly, and it’s blocking them from authenticating.
When you create a CA policy, there's a big popup warning you to make sure you don't do this very thing.
Correct_Switch_8139@reddit
Then it should be an error instead of a warning to prevent this from happening? Is there a use case where you do want to proceed?
gamayogi@reddit
There's at least one person a month on here who has this happen to them. You'd think people would learn.
brainstormer77@reddit
A few things wrong here.
You have to rely on Microsoft support; they take forever, but keep trying.
TheFumingatzor@reddit
Bruh...
BlackV@reddit
Microsoft controls the system, you have to talk to them
wey0402@reddit
This does not help, correct?
https://learn.microsoft.com/en-us/microsoft-365/admin/misc/become-the-admin?view=o365-worldwide
BornToReboot@reddit
Prepare official documentation proving legal ownership of the domain, as Microsoft will require this to verify that you are the rightful owner.
geegol@reddit
How many GAs total, including break-glass accounts, were there in the tenant?
Plenty-Piccolo-4196@reddit
Hahaha, I'm sorry. These techs should be fired
DL05@reddit
While you wait, look up what a glass break account is.
crackdepirate@reddit
our job as MSP has more value when someone is in deep shit. sadly.
beren0073@reddit
Best of luck with your recovery. If you get through it, please consider hiring an MSP to manage your tenant going forward.
topher358@reddit
Do you have any CSP relationships?
TECHN0B@reddit (OP)
Nope, billed directly to us; the OG owner went online and bought it himself.
sivanandu_itops@reddit
This looks like a Conditional Access/MFA lockout scenario.
Try checking if you have any break-glass account without MFA enabled. Also see if you can access Azure via PowerShell or any previously authenticated session to disable CA policies.
In some cases, Microsoft support escalation via partner or enterprise support works faster. If not, you may need to request emergency access through Microsoft security team.
This is critical, hope you get access soon.
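Following the suggestion above to disable CA policies from a session that is still authenticated, an added example that is not the commenter's code: it finds enabled policies that require a compliant or domain-joined device and, with -Apply, switches them to report-only instead of deleting them, so the policy and its history survive for the post-incident review. The Graph scopes and the assumption that Connect-MgGraph can reuse a cached token are mine.

```powershell
# Added example (not from the thread): from a still-authenticated Graph session, find
# enabled CA policies that gate sign-in on device state and move them to report-only.
# Assumes the Microsoft.Graph PowerShell SDK with a cached token for an admin account.
param([switch]$Apply)

# If no cached token exists this prompts for an interactive sign-in, which is subject
# to the very policy being disabled; this only helps from a session that already works.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Built-in grant controls that depend on Entra seeing the device
$deviceControls = @('domainJoinedDevice', 'compliantDevice')

foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    if ($p.State -ne 'enabled') { continue }

    $controls = @($p.GrantControls.BuiltInControls)
    $hit = @($controls | Where-Object { $deviceControls -contains $_ })
    if ($hit.Count -eq 0) { continue }

    # Operator matters: with OR and mfa also listed, a phishing-resistant MFA would
    # still get in; with AND, the device requirement alone can lock everyone out.
    Write-Host "$($p.DisplayName): requires $($hit -join ', ') (operator=$($p.GrantControls.Operator))"

    if ($Apply) {
        # Report-only keeps evaluating and logging the policy without enforcing it
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id `
            -State 'enabledForReportingButNotEnforced'
        Write-Host "  -> set to report-only"
    }
}
```

Run it once without -Apply to see the blast radius, and re-enable the policies only after the break-glass exclusion is in place and a test sign-in from a known-joined device shows the policy as a success in the sign-in logs.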
sivanandu_itops@reddit
This looks critical. Try checking admin recovery options and audit logs. Also verify if any security policies or recent changes caused the lockout.
Sillent_Screams@reddit
You need a Microsoft rep in future.
XxQuaDxX@reddit
Try Twitter. @ them or DM:
https://twitter.com/AzureSupport