Because the Conditional Access change has locked out all admins and users, recovery must go through Microsoft support; there’s no self-service fix once no admin can sign in.
Use these steps to move things forward as quickly as possible:
- Confirm there is truly no unblocked admin account
  - If there is any other Global Administrator or emergency/break-glass account that can still sign in, that admin can disable or edit the blocking Conditional Access policy directly.
  - Guidance: another admin with access can disable the policy that’s affecting sign-in. If such an admin exists, have them sign in to the Microsoft Entra admin center and turn off or scope down the problematic policy.
- If no admin can sign in – rely on Microsoft support
  When all admins are blocked, Microsoft must intervene on the tenant:
  - Open or continue the existing support request as a tenant lockout / Conditional Access lockout case.
  - Use the documented path to submit a support request for Conditional Access lockout: submit a support request.
  - For Microsoft 365 business tenants, use the regional phone numbers listed here: Find Microsoft 365 for business support phone numbers by country or region.
- Escalate the severity correctly
  From the context, Microsoft treats full tenant lockout as a data-protection / access issue that must be handled by support teams (Data Protection / Microsoft 365 support). To help get the right severity and routing when you call or update the ticket:
  - Clearly state:
    - All Global Administrators are locked out.
    - All users are locked out of Microsoft 365 (business down).
    - The cause is a Conditional Access policy that blocks all sign-ins.
  - Ask explicitly for escalation as a tenant lockout / administrator lockout and to involve the Microsoft 365 Data Protection team or equivalent escalation team.
  - Reference that Microsoft support can, after verification, update Conditional Access policies that prevent access.
- While waiting on support
  - Do not create additional conflicting tickets; the guidance is to avoid multiple assistance requests while a tenant-access case is in progress.
  - Ensure someone who can answer verification questions and provide business documentation is available when support calls back (they will need to validate tenant ownership and identity before changing policies).
- After recovery – prevent future lockouts
  Once access is restored, implement the recommended protections:
  - Create at least two cloud-only emergency access (break-glass) accounts with Global Administrator, excluded from all Conditional Access policies.
  - Ensure at least two Global Admin accounts with different credentials and MFA methods.
  - Review Conditional Access policy design: avoid blanket policies that apply to all admins; always exclude break-glass accounts and test policies before broad deployment.
  - Configure and document Self-Service Password Reset (SSPR) and recovery procedures for admins.
These steps do not bypass Microsoft; they align with the documented process where Microsoft support, after verification, can adjust Conditional Access when no admin remains able to sign in.
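The post-recovery advice to exclude break-glass accounts from every Conditional Access policy can be checked offline against an export of the tenant's policies. The script below is an added example, not part of the original answer or Microsoft's tooling. It assumes JSON shaped like the Microsoft Graph `conditionalAccessPolicy` resource, uses placeholder object IDs and constructed sample policies, and only checks direct user exclusions (group-based exclusions are not resolved).

```python
import json

# Hypothetical object IDs of the two break-glass accounts (placeholders).
BREAK_GLASS = {"bg-1-object-id", "bg-2-object-id"}

# Constructed sample shaped like the "value" array of Microsoft Graph
# GET /identity/conditionalAccess/policies; not taken from a real tenant.
SAMPLE = json.loads("""[
 {"displayName": "Block all sign-ins outside HQ", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "Require MFA for admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["role-template-id-placeholder"],
                 "excludeUsers": ["bg-1-object-id"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                 "excludeUsers": ["bg-1-object-id", "bg-2-object-id"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
  "grantControls": {"builtInControls": ["block"]}}
]""")

def audit(policies, break_glass=BREAK_GLASS):
    """Return (severity, policy name, missing break-glass IDs) per finding."""
    findings = []
    for p in policies:
        state = p.get("state")
        if state == "disabled":
            continue  # disabled policies are not evaluated at sign-in
        users = (p.get("conditions") or {}).get("users") or {}
        missing = sorted(break_glass - set(users.get("excludeUsers") or []))
        if not missing:
            continue  # every break-glass account is excluded
        controls = (p.get("grantControls") or {}).get("builtInControls") or []
        blocks_all = "All" in (users.get("includeUsers") or []) and "block" in controls
        if state != "enabled":
            severity = "pending"   # report-only: becomes a risk once enforced
        elif blocks_all:
            severity = "critical"  # the block-all-sign-ins lockout pattern
        else:
            severity = "high"      # enforced policy without the exclusion
        findings.append((severity, p.get("displayName"), missing))
    return findings

if __name__ == "__main__":
    for sev, name, missing in audit(SAMPLE):
        print(f"{sev:8} {name}: not excluded -> {', '.join(missing)}")
```

Running it on a fresh export before switching a policy from report-only to enabled shows whether the emergency accounts would still be able to sign in.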