Tenant Lockout Due to CA Policy

Question

Tenant Lockout Due to CA Policy

Leo KAN 0

Hello,

I would like to ask whether there is any way to track or proactively contact the Data Protection Team regarding tickets related to Global Admin lockout or Conditional Access policy related talent lockout.

We have already called hotline support and created a ticket, but we have now been locked out for four to five days. The Data Protection Team did call us back and attempted to reset the MFA for the Global Admin account; however, the reset did not resolve the issue.

Based on our observations, when a new user (whether a standard user or Global Admin) does not yet have MFA configured, the sign-in flow is being redirected to the MFA registration campaign. This forces registration through Microsoft Authenticator, which is not enabled in our tenant’s authentication methods policy. As a result, users are unable to register a FIDO2 security key when no MFA method is already set up, even for newly created accounts.

The support engineer informed us that the case would be escalated and transferred, but since then we have not received any email updates or case correspondence. Communication has only been through phone calls, which makes it difficult for us to track the ticket status or follow up. We have also provided detailed information by email, but have not received any replies or confirmation. At the moment, we have no visibility into which stage the ticket is in or whether another engineer has taken ownership.

We understand that direct outreach may not be the standard support channel, but given the ongoing lockout and business impact, we would greatly appreciate any guidance on how to check the ticket status, contact the responsible team, or expedite resolution.

Thank you very much for your assistance.

VEMULA SRISAI 9,080 Reputation points Microsoft External Staff Moderator

2026-02-13T17:40:35.04+00:00
Leo KAN Thank you for sharing these detailed observations and I understand how stressful and disruptive a Global Admin / Conditional Access–related lockout can be—especially when it has been ongoing for several days without clear visibility into the case progress.

To help you further, I’d like to check the current status of your support request and verify whether the escalation to the Data Protection Team (DPT) is already in progress or awaiting additional action.

Could you please provide your Microsoft support ticket number (SR number)? Once I have that, I can review the case routing, confirm which team currently owns it, and advise you on the next steps.

In the meantime, here’s what I can confirm generally:

The Data Protection Team handles identity lockouts, Global Admin access, and Conditional Access misconfiguration scenarios, but they only communicate through the support case associated with the tenant.

Email communication delays typically occur when the case is still mid‑transfer between queues or when the engineer is waiting for confirmation from DPT.

If MFA registration is being forced through the Authenticator app even though the tenant’s authentication methods policy does not allow it, this is something the DPT/Engineering team must validate, as it may require backend correction.

Once you share the ticket number, I will be able to assist with tracking and provide more accurate guidance.

Feel free to reply here with the SR number.
Leo KAN 0 Reputation points

2026-02-14T19:08:58.6433333+00:00

Hi VEMULA SRISAI,

Thanks so much for your help. SR Number was sent through Private Message. Thanks