All admins locked out due to faulty conditional access policy. What to do?

Laukik Pandurang Tikam 46 Reputation points

All our admin accounts are locked out of microsoft services due to faulty conditional access policies. The policy was set to enforce use of Hybrid domain joined devices however we do not have any on-prem domain controller. We have our organisation operationally fully with Azure AD registered devices and Intunes managed devices. Hence none of the admin are anymore able to login to any of the microsoft portals since it is considering out Azure Registered devices are personal devices.
Also, since none of the Microsoft portals are available, we are not able to register a support ticket for this issue. Need help as to how can be we go ahead with it and reporting it to Microsoft and get it resolved at the earliest.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,372 questions
{count} vote

Accepted answer
  1. JamesTran-MSFT 36,351 Reputation points Microsoft Employee

    @Laukik Pandurang Tikam
    Thank you for your detailed post!

    When it comes to all of your Admins being locked out due to an incorrect setting in a Conditional Access policy, you'll have to:

    • Check if there are other administrators in your organization that aren't blocked yet. An administrator with access to the Azure portal can disable the policy that is impacting your sign-in.
    • If none of the administrators in your organization can update the policy, submit a support request. Microsoft support can review and upon confirmation update the Conditional Access policies that are preventing access.
      Note: If you can access your tenant with a non-Azure AD Admin - if that user has the Owner, Contributor, Support Request Contributor RBAC role, or a custom role with Microsoft.Support/*, at the subscription level, they can create a Support request.
    • If you're unable to access your tenant with any users, you'll have to reach out to our Global Customer Service phone number(s) so their team can look into your issue and potentially give you access to your tenant. Optionally, you can try reaching out to our Azure Data Protection team for further assistance - (866-807-5850).

    For future reference, I'd also recommend creating and managing an emergency access account in Azure AD, this will help prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization because you can't sign in or activate another user's account as an administrator.

    Additional Links:
    What to do if you're locked out of the Azure portal?
    Troubleshooting sign-in problems with Conditional Access

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

1 additional answer

Sort by: Most helpful
  1. JimmySalian-2011 41,916 Reputation points


    Sorry to hear this, however a break glass account or exclusion should been in place before you implement CA policies also you get a recommendation when you configure CA policies, anyways for next release you can prepare in advance and save yourself from this situation. However for now you can try the global support number or contact your Microsoft Account Manager - TAM for assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.