If all Global Administrator accounts are locked out due to a Conditional Access policy, the recommended steps are as follows:
- Check for Other Admins: If there are any other administrators in your organization who are not blocked, they can disable the policy affecting your sign-in.
- Support Request: If no admin can update the policy, you will need to submit a support request to Microsoft. They can review the situation and, after confirming, update the Conditional Access policies that are preventing access. This is crucial since you cannot access the admin portals yourself.
- Emergency Access Accounts: It's also important to have emergency access or break-glass accounts that are excluded from Conditional Access policies to prevent such lockouts in the future. Ensure that these accounts are set up and monitored for activity.
- Tenant Lockout Prevention: To prevent tenant lockouts, ensure that there are at least two Global Admin accounts with distinct credentials and MFA methods, and configure these accounts for emergency access.
Following these steps should help you regain access to your admin portals and resolve the lockout issue.
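To check the emergency-access exclusion described above before a policy change causes a lockout, the following added example (not part of the original answer, and not Microsoft's code) audits Conditional Access policies for enforced ones that still cover a break-glass account. It assumes the policies were exported as Microsoft Graph `conditionalAccessPolicy` objects and that the emergency accounts hold the Global Administrator role; the object IDs, policy names, and the helper names `policy_hits_account`, `audit` and `_policy` are constructed for illustration.

```python
# Well-known role template ID of the Global Administrator directory role.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

def policy_hits_account(policy, account_id, exclusion_groups=()):
    """True if an enforced policy targets the account and does not exclude it."""
    if policy.get("state") != "enabled":   # disabled / report-only cannot lock out
        return False
    users = (policy.get("conditions") or {}).get("users") or {}
    field = lambda name: users.get(name) or []
    if account_id in field("excludeUsers"):
        return False
    if set(exclusion_groups) & set(field("excludeGroups")):
        return False
    # Assumption: membership of includeGroups is not resolved offline, so only
    # "All", a direct user reference, or the Global Administrator role counts.
    return ("All" in field("includeUsers") or account_id in field("includeUsers")
            or GLOBAL_ADMIN_ROLE in field("includeRoles"))

def audit(policies, break_glass_ids, exclusion_groups=()):
    """Sorted (policy name, account id) pairs where an emergency account is in scope."""
    return sorted((p["displayName"], a) for p in policies for a in break_glass_ids
                  if policy_hits_account(p, a, exclusion_groups))

# Constructed sample data: object IDs and policy names are placeholders.
BG1, BG2 = "00000000-0000-0000-0000-0000000000b1", "00000000-0000-0000-0000-0000000000b2"
BG_GROUP = "00000000-0000-0000-0000-00000000009f"  # group holding both accounts

def _policy(name, state, **users):
    return {"displayName": name, "state": state, "conditions": {"users": users}}

SAMPLE = [
    _policy("Require MFA for all users", "enabled",
            includeUsers=["All"], excludeUsers=[BG1, BG2]),
    _policy("Block untrusted locations", "enabled",
            includeUsers=["All"], excludeUsers=[BG1]),
    _policy("Require compliant device for admins", "enabled",
            includeUsers=[], includeRoles=[GLOBAL_ADMIN_ROLE], excludeGroups=[BG_GROUP]),
    _policy("Pilot: block legacy auth", "enabledForReportingButNotEnforced",
            includeUsers=["All"]),
]

if __name__ == "__main__":
    for name, account in audit(SAMPLE, [BG1, BG2], [BG_GROUP]):
        print(f"LOCKOUT RISK: '{name}' still applies to emergency account {account}")
```

Any pair the audit returns is a policy that should gain an exclusion for that account (or for the emergency-access group) before it is relied on.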