
Critical Policy Gap: Verified Account Owners Cannot Recover Hacked Accounts

Rares Nita 0 Reputation points
2026-02-21T12:46:28.4+00:00

I am seeking clarification regarding Microsoft’s account recovery policy. In situations where an account is compromised and the attacker changes all security details (2FA, recovery email, phone number), recovery may be denied even if the original owner can provide strong identity verification evidence. If the legitimate owner can be verified beyond reasonable doubt (e.g., billing history, purchase records, prior credentials, identity documents), is there an escalation path for human review? Is Microsoft considering enhanced verification or tiered recovery mechanisms for cases where malicious security changes prevent automated recovery? Thank you for any clarification on this matter.

Microsoft Security | Microsoft Defender | Other

3 answers

  1. kagiyama yutaka 1,165 Reputation points
    2026-02-22T22:06:09.01+00:00

    I think that once an attacker swaps every auth factor, the account drops into a backend-locked state that support can't write to. The only thing you can still try is running the recovery form with the exact old signals (old mail, old phone, old password). Wish I had a better fix, sorry.


  2. Rob Koch 25,775 Reputation points Volunteer Moderator
    2026-02-21T22:44:20.6033333+00:00

    Rares Nita,

    I can only provide anecdotal information based on many threads in these forums since, other than the official recovery form, the comments it contains, or other official pathways, I know of no official policy on this situation beyond what those who have reached Microsoft Support have learned.

    To put it bluntly, the combination of modified security information you've described makes it impossible for anyone in Microsoft Support to return an account to anyone else: they are not only unable to send password resets, but also unable to make the changes that would be required to do this, especially since, once the primary account alias has been changed and deleted, it can't be recreated or reused, to prevent future fraudulent use of that same address.

    From what I've managed to gather, even once someone manages to actually reach Microsoft Support directly, which is rare, the best that can happen is the account may be identified as having originally belonged to that person, but then due to the verification changes, this information is automatically passed to another group within Microsoft who will only fully disable the account, turn off any recurring billing and perform whatever other items are required to 'mothball' the account before permanently locking it.

    Having read so many of these threads the last few years, I've had some realizations that may help explain this relatively quick evolution from a once relatively easy set of Support-based reset policies to the totally unforgiving set of automated operations that exist today.

    The first is simple and obvious, the cyber-security environment we live in today is completely unlike that just a decade ago, with multiple regional or global wars, including economic, triggering massive and constant attacks against even personal accounts to monetize the theft of games, payment methods, and even the reputation the account itself contains. That has led both criminal gangs and rogue nation states needing cash to set up highly capable bot networks attempting to steal accounts at scale.

    Over time, the ability for Microsoft Support personnel to change account security was removed, which I'm sure was in no small part to avoid placing these people in the position of having to confirm the requestor's identity, which I'm quite sure had failed on at least some measurable basis and which would only increase as time went on.

    Considering the number of individuals posting that their existing verification methods like phone numbers or alternate emails either were incorrect due to changes or simply didn't exist, I would think that Microsoft finally gave up on trying to support those who wouldn't even try to maintain these, especially since I can recall being regularly asked myself whether these alternate verification methods were current.

    I'm also quite certain that even once some early account thefts were reversed, they just as quickly were reversed by the thieves again, since these operations are many times as knowledgeable as any consumer, or in some cases the consumer simply made a similar mistake and lost the account again, which Microsoft would have known via Support records.

    Combine all of the above with the fact that Microsoft was already moving to an AI Support model, and the reason that rigid, seemingly unfriendly account recovery policies are now the norm seems rather obvious.

    I can't say which of my various guesses above might be correct since I'm not an employee and thus have no access to such data, but I don't think any of them are really too much of a stretch.

    Microsoft rarely states these sorts of things publicly, since their focus is on trying to change the systems themselves to compensate whenever possible, but with the heightened level and complexity of attacks, that's become increasingly difficult to keep up with.

    My personal opinion is that the support burden for recovering accounts had grown too large to justify, probably years ago, and that, combined with the accelerating attacks over the last decade or so, Microsoft simply views the loss of such personal accounts as something that would likely have continued. Locking the account permanently means the customer must open a new account and repurchase any apps like games or Microsoft 365, and hopefully that's sufficient to get them to learn the basic rules of security, which have changed significantly when setting up a Windows 11 system with a Windows Hello PIN and passkeys, and a new Microsoft account, today.

    Remember, it wasn't actually the account that was 'hacked', which is a useless term; it was the user who was phished, tricked or attacked using malware or an infostealer, or possibly a bot running often relatively guessable passwords (still the user's creation) against their account, that led to the loss of the account.

    Rob


  3. Q&A Assist
    2026-02-21T12:46:36.92+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    Microsoft Entra ID Account Recovery is designed to address scenarios where users lose access to all registered authentication methods, including cases of account compromise. However, the automated recovery process may not allow for recovery if the attacker has changed all security details, such as two-factor authentication (2FA), recovery email, and phone number. In such situations, the focus is on identity verification through trusted providers and advanced identity verification technologies.

    Currently, the account recovery process does not explicitly mention an escalation path for human review in cases where the legitimate owner can provide strong identity verification evidence after a compromise. The system is primarily automated to ensure security and reduce the risk of social engineering attacks. However, Microsoft may consider enhancements to the recovery process in the future, including tiered recovery mechanisms or additional verification options, as they continue to evolve their security measures.

    For the most accurate and updated information, it is advisable to consult Microsoft Support or their official documentation regarding account recovery policies and any potential changes to the verification process.
