Immediate recovery of a fully compromised Microsoft 365 tenant with no remaining Global Administrator access cannot be performed by standard admin or self-service tools. When all legitimate admin roles are removed and security info is changed, recovery must go through Microsoft’s official account-compromise and account-recovery processes.
Follow these steps from a safe, malware-free device and network:
- For any affected individual Microsoft accounts (personal accounts used as sign-in IDs or break-glass accounts), follow the hacked/compromised Microsoft account recovery flow in "How to recover a hacked or compromised Microsoft account", which includes:
  - Step 1: Clear devices of malware first using an up-to-date antivirus (for Windows 10/11 or 8.1, enable and run Windows Defender for a full scan).
  - Step 2: Change or reset passwords using the official reset flow.
  - Step 3: Review account settings such as connected accounts, forwarding, and automatic replies to remove attacker changes.
- For any cloud-only or synced user accounts that are still accessible:
  - Reset passwords immediately (for synced accounts, reset the password in on-premises Active Directory, for example with Set-ADAccountPassword, and, if applicable, reset it twice to mitigate pass-the-hash risk).
  - Update or delete app passwords, because they are not automatically revoked when passwords are reset.
  - Enable and enforce multifactor authentication (MFA) on all recovered accounts, prioritizing any accounts that will hold admin roles.
- For each account that can still sign in and is suspected of compromise:
  - Revoke active sessions using Microsoft Graph PowerShell as documented in "Respond to a compromised cloud email account" (for example, run Revoke-MgUserSignInSession -UserId <UPN> after connecting with Connect-MgGraph -Scopes User.RevokeSessions.All).
  - Review and clean up:
    - MFA registered devices and methods; remove any unrecognized devices or methods.
    - Applications with user consent; revoke any suspicious or unnecessary app permissions.
    - Mailbox forwarding rules and inbox rules; remove any attacker-created forwarding or exfiltration rules.
- Once at least one trusted account is recovered and can be elevated again by Microsoft (through support), re-establish secure admin practices as described in "Admin account security in Microsoft 365 for business":
  - Maintain at least two emergency access (“break glass”) admin accounts that are:
    - Dedicated to emergencies only.
    - Excluded from MFA policies but protected with long, complex passwords (16+ characters).
  - Apply least-privilege principles for all other admin roles; avoid using Global Administrator except when strictly necessary.
- If the attacker has changed all security information and removed all legitimate admin roles, and the self-service recovery and account recovery forms fail, tenant recovery is no longer possible through normal admin actions. In that case, the only remaining path is:
  - Use the official Microsoft account recovery and hacked-account support flows referenced in the Q&A excerpts (account.live.com/acsr and related support entry points) from a trusted device and network, providing as much historical and billing/tenant ownership information as possible.
  - If those automated and support-driven recovery processes do not restore control, the tenant is considered unrecoverable per the referenced Microsoft Q&A guidance, and a new tenant with hardened admin and security practices must be created.
After any level of access is restored, perform a full compromise response across the tenant using the guidance in "Respond to a compromised cloud email account": reset passwords, revoke sessions, review MFA methods, app consents, admin roles, and mail forwarders, and enable MFA broadly.
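As an added example (not code from the referenced Microsoft articles), the following PowerShell ties the per-account response steps together: for a list of suspected accounts it revokes sessions and collects registered MFA methods, app consents, mailbox forwarding and suspicious inbox rules into a report for review. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the operator signs in with a recovered admin account holding the required roles; the UPN values and report path are placeholders.

```powershell
# Added example: per-account compromise triage after tenant access is restored.
# Read-only apart from session revocation; removals are left to the operator.
param(
    [Parameter(Mandatory)] [string[]] $SuspectUpns,          # e.g. 'user@contoso.example' (placeholder)
    [string] $ReportPath = ".\compromise-triage.json"        # placeholder output path
)

Connect-MgGraph -Scopes "User.Read.All","User.RevokeSessions.All",
    "UserAuthenticationMethod.Read.All","Directory.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$report = foreach ($upn in $SuspectUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled

    # 1. Invalidate refresh tokens so the password reset actually ends attacker sessions.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 2. MFA methods: anything the user does not recognise is an attacker persistence foothold.
    $methods = Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
        [pscustomobject]@{ Id = $_.Id; Type = $_.AdditionalProperties['@odata.type'] }
    }

    # 3. App consents: OAuth grants survive password resets and session revocation.
    $grants = Get-MgUserOauth2PermissionGrant -UserId $user.Id |
        Select-Object ClientId, Scope, ConsentType

    # 4. Mailbox-level forwarding plus inbox rules that forward, redirect or delete mail.
    $mbx = Get-Mailbox -Identity $upn |
        Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
    $rules = Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage

    [pscustomobject]@{
        User            = $user.UserPrincipalName
        AccountEnabled  = $user.AccountEnabled
        SessionsRevoked = $true
        MfaMethods      = $methods
        AppConsents     = $grants
        Forwarding      = $mbx
        SuspiciousRules = $rules
    }
}

$report | ConvertTo-Json -Depth 5 | Set-Content -Path $ReportPath
$report | Format-List
```

After reviewing the report, unrecognised items are removed explicitly (for example Remove-InboxRule for rules and Remove-MgOauth2PermissionGrant for consents) so that nothing legitimate is deleted automatically.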
References:
- Respond to a compromised cloud email account
- Secure and Restore Email Function to a Compromised Microsoft 365 Mail Enabled Account
- Admin account security in Microsoft 365 for business
- How to recover a hacked or compromised Microsoft account
- Step 1 - Prevent user sign-in and block access to Microsoft 365
- Account management in Microsoft 365
- my microsoft account has been compromised - Microsoft Q&A
- My account got hacked - Microsoft Q&A
- Need help with hacked microsoft account - Microsoft Q&A
- Hacker set up continuous draft ransomware email - Microsoft Q&A
- hello my email was (Moderator note: PII removed)@icloud.com and now its (Moderator note: PII removed)@jerkoffmail.com can please someone help me and the team change it my username in xbox is (Moderator note: PII removed) please help me team and change it - Microsoft Q&A