Error 53003 (BlockedByConditionalAccess) indicates that Conditional Access policies are blocking sign-in. When all Global Administrators are locked out due to misconfigured Conditional Access, recovery must be handled by an administrator who still has access or by Microsoft Support (Data Protection / Tenant Recovery).
Since all Global Admins are blocked, follow this path:
- Confirm no other admin can still sign in
  - Verify whether there are any other administrator accounts (including break-glass/emergency access accounts) that are not affected by the Conditional Access policy.
  - If such an account exists, sign in with that account and disable or modify the misconfigured Conditional Access policy in Microsoft Entra ID.
- If no admin can access the tenant
  - This is a tenant lockout scenario. Conditional Access documentation explicitly states that if no admin can update the policy, a support request must be opened so Microsoft can adjust the policies that prevent access.
  - Because sign-in to the locked tenant is not possible, use one of these approaches (as shown in similar MFA lockout cases):
    - Contact Microsoft Support by phone and request a service ticket for a tenant lockout / Conditional Access lockout so the case can be routed to the Data Protection / Tenant Recovery team.
    - If the tenant is managed through a partner/reseller, ask the partner to open a support request on behalf of the tenant.
    - Alternatively, create a separate temporary Microsoft 365 tenant (for example, via a trial subscription) and from that tenant's admin center open a support ticket clearly stating that the issue concerns a different, existing tenant where all Global Admins are locked out by Conditional Access.
- Information to provide to Support
  - State that all Global Administrators are blocked by Conditional Access (error 53003 / BlockedByConditionalAccess).
  - Provide the locked tenant's primary domain name and an affected admin UPN.
  - Indicate that this is a full administrative lockout and that domain/DNS verification can be performed immediately.
  - Once the case is escalated, the Data Protection / Tenant Recovery team will verify ownership and then update or disable the Conditional Access policies that are preventing access.
- Preventing future lockouts
  - After access is restored, configure at least two Global Administrator accounts and dedicated emergency access (break-glass) accounts that are excluded from Conditional Access policies. These accounts are specifically recommended so that misconfigured policies do not cause tenant-wide admin lockouts.
  - When designing Conditional Access policies, avoid blanket policies that apply to all admins without exclusions, and always test policies (for example in report-only mode) before enforcing them.
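As an added example (not part of the original answer or of Microsoft's documentation), the audit below applies the two prevention points to policy objects in the Microsoft Graph conditionalAccessPolicy shape: it flags enforced policies that reach every Global Administrator ("All" users or the Global Administrator role) without excluding the break-glass accounts, while leaving report-only policies alone. The sample policies, the break-glass object IDs and the Global Administrator role template ID are constructed placeholders that would be looked up in the real tenant.

```python
"""Audit Conditional Access policies for the admin-lockout pattern described above."""

# Constructed placeholders: replace with the tenant's real object IDs.
BREAK_GLASS_IDS = {"00000000-0000-0000-0000-0000000000b1",
                   "00000000-0000-0000-0000-0000000000b2"}
GLOBAL_ADMIN_ROLE_ID = "<global-administrator-roleTemplateId>"  # from directoryRoleTemplates

# Constructed sample policies in the Graph conditionalAccessPolicy shape.
SAMPLE_POLICIES = [
    {   # the misconfiguration from the answer: enforced, targets everyone, excludes nobody
        "displayName": "Require compliant device - all users",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                                 "includeRoles": [], "excludeRoles": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {   # same scope, but report-only: it is evaluated and logged, never enforced
        "displayName": "Block legacy auth (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                                 "includeRoles": [], "excludeRoles": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # admin-targeted MFA policy that correctly excludes both break-glass accounts
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": [], "excludeUsers": sorted(BREAK_GLASS_IDS),
                                 "includeRoles": [GLOBAL_ADMIN_ROLE_ID], "excludeRoles": []}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def targets_global_admins(policy):
    """True if the policy's user scope reaches every Global Administrator."""
    users = policy.get("conditions", {}).get("users", {})
    return ("All" in users.get("includeUsers", [])
            or GLOBAL_ADMIN_ROLE_ID in users.get("includeRoles", []))


def excludes_break_glass(policy, break_glass_ids):
    """True only if *every* break-glass account is explicitly excluded."""
    excluded = set(policy.get("conditions", {}).get("users", {}).get("excludeUsers", []))
    return break_glass_ids <= excluded


def lockout_risks(policies, break_glass_ids):
    """Display names of enforced policies that could lock out all admins at once."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled"
            and targets_global_admins(p)
            and not excludes_break_glass(p, break_glass_ids)]


if __name__ == "__main__":
    for name in lockout_risks(SAMPLE_POLICIES, BREAK_GLASS_IDS):
        print("lockout risk:", name)
```

Fed the output of the Graph policy listing instead of the sample list, the same function gives a pre-enforcement check that every blanket or admin-scoped policy spares the emergency accounts.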
References:
- Troubleshoot sign-in problems with Conditional Access
- Require multifactor authentication for admins accessing Microsoft admin portals
- Require device compliance with Conditional Access
- Enable compliant network check with Conditional Access
- Apply Conditional Access policies to Global Secure Access internet traffic
- Apply Conditional Access policies to Private Access apps
- Preventing tenant lockouts
- Global Admin Locked out - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Azure has blocked myphone number for SMS verification due to a “bad reputation” flag - Microsoft Q&A