All Global Administrator accounts locked by Microsoft Identity Protection – no admin left to unlock tenant

Question

Hello,

All Global Administrator accounts in our Microsoft 365 Education tenant were automatically locked by Microsoft Identity Protection due to suspicious sign-in attempts.

Current situation:

• All Global Admin users are locked

No remaining admin account has sufficient privileges to unlock or reset the others

We are completely blocked from the Microsoft 365 / Azure admin portals

The lock happened suddenly (not after configuration changes or new apps)

We suspect repeated external login attempts against known admin usernames

What we already tried:

Waiting for automatic unlock (did not work)

Signing in from trusted IPs and devices

Using another admin account (also locked)

Checking Entra ID / Azure access logs (limited access)

Questions:

Has anyone experienced a situation where all Global Admins were locked at once?

What was the actual resolution (support ticket, tenant recovery, verification steps, etc.)?

Is there any recovery option without an active Global Admin, or is Microsoft Support the only path?

How can this be prevented in the future (break-glass account, username changes, policies)?

Any real experience or guidance would be appreciated.

Thank you.Hello,

All Global Administrator accounts in our Microsoft 365 Education tenant were automatically locked by Microsoft Identity Protection due to suspicious sign-in attempts.

Current situation:

All Global Admin users are locked

No remaining admin account has sufficient privileges to unlock or reset the others

We are completely blocked from the Microsoft 365 / Azure admin portals

The lock happened suddenly (not after configuration changes or new apps)

We suspect repeated external login attempts against known admin usernames

What we already tried:

Waiting for automatic unlock (did not work)

Signing in from trusted IPs and devices

Using another admin account (also locked)

Checking Entra ID / Azure access logs (limited access)

Questions:

Has anyone experienced a situation where all Global Admins were locked at once?

What was the actual resolution (support ticket, tenant recovery, verification steps, etc.)?

Is there any recovery option without an active Global Admin, or is Microsoft Support the only path?

How can this be prevented in the future (break-glass account, username changes, policies)?

Any real experience or guidance would be appreciated.

Thank you.

Answer 1

If all Global Administrator accounts in your Microsoft 365 Education tenant are locked due to Microsoft Identity Protection, the situation can be quite challenging. Here are some insights based on best practices and recommendations:

1. Recovery Options: Unfortunately, without an active Global Administrator, your recovery options are limited. The primary path for recovery in such situations is to contact Microsoft Support. They can assist in unlocking the accounts or providing alternative recovery options.
2. Break-Glass Accounts: To prevent this situation in the future, it is highly recommended to set up emergency access accounts, often referred to as "break-glass" accounts. These accounts should be assigned the Global Administrator role but not used for regular administrative tasks. They serve as a backup in case all other admin accounts become inaccessible.
3. Preventive Measures: Consider implementing policies such as requiring multifactor authentication (MFA) for all admin accounts to enhance security. Additionally, regularly review and limit the number of Global Administrators to reduce the risk of mass lockouts.
4. Monitoring and Alerts: Set up monitoring and alerts for suspicious sign-in attempts to take proactive measures before accounts get locked. This can help in identifying potential threats early.
5. Documentation and Support: If you encounter this issue, document all actions taken and communications with support for future reference. This can help in understanding the resolution process and improving your organization's response to similar incidents.

In summary, while the immediate resolution requires Microsoft Support, implementing preventive measures like break-glass accounts and MFA can help mitigate the risk of similar situations in the future.