Follow these steps to recover access when Conditional Access has locked out all admins and users:
- Check for any unblocked admin accounts
  - If there is any other administrator account that can still sign in (for example, a break-glass/emergency account or another global admin), use that account to:
    - Go to the Microsoft Entra admin center.
    - Locate the Conditional Access policy (or policies) causing the block.
    - Disable or modify the policy so that:
      - Admin accounts are excluded, and
      - At least one emergency access account is excluded going forward.
- If no admin can sign in at all
  - When all admins are locked out, recovery must be done by Microsoft support:
    - Submit a support request as the tenant admin:
      - Use the guidance in How to get support to open a support ticket.
      - Clearly state that all administrators are locked out due to Conditional Access and that you need Conditional Access policies updated to restore access.
    - If you cannot open a ticket from the tenant because no one can sign in:
      - Call Microsoft’s global customer service phone number for business/enterprise support (see “Customer service phone numbers - Microsoft Support” in the context articles).
      - When navigating the IVR, indicate:
        - Product: Office 365 / Microsoft 365 for business.
        - Issue: Authenticator / Conditional Access lockout / admin locked out.
        - Account type: Company/organization.
      - Confirm that you are the tenant administrator and that there are no other admins.
      - Ask specifically to create a service request with the Microsoft Data Protection team to reset or adjust Conditional Access so that an admin can sign in again.
- Optional workaround if you cannot reach support directly
  - If support channels require a signed-in admin to open a ticket, create a temporary trial Microsoft 365 tenant (separate from the locked tenant) and:
    - Sign in to the new tenant’s Microsoft 365 Admin Center.
    - Use Help & support to open a ticket.
    - In the ticket, clearly state that:
      - You are locked out of a different, existing tenant.
      - You are the only admin on that tenant.
      - Conditional Access has blocked all admin access.
      - You need the Data Protection team to help restore access or adjust Conditional Access on the original tenant.
    - After the issue is resolved, cancel the trial subscription to avoid charges.
- Prevent future lockouts once access is restored
  - After regaining access, immediately:
    - Create and configure at least one emergency access (break-glass) account and exclude it from all Conditional Access policies.
    - Review all Conditional Access policies and ensure:
      - At least one admin account or group is excluded from restrictive policies.
      - Service accounts and service principals are handled appropriately.
These steps align with Microsoft’s documented guidance: if another admin exists, that admin disables or fixes the policy; if no admin can sign in, Microsoft support (Data Protection team) must intervene to update the Conditional Access policies that prevent access.
References:
- Troubleshoot sign-in problems with Conditional Access
- Plan a Conditional Access deployment
- Conditional Access policy templates
- Troubleshooting conditional access authentication
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- I cant log in to my business account because it is requiring Authenticator app which I do not have - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
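
An added example, not part of the original answer or Microsoft's own tooling: a Python check for the "Prevent future lockouts" review step that flags Conditional Access policies still applying to the emergency access account. It assumes policies exported in the shape of the Microsoft Graph `conditionalAccessPolicy` resource; the sample policies, all IDs and the function names are constructed, and only user, group and role assignments are evaluated.

```python
import json

# Constructed sample shaped like the "value" array returned by Microsoft Graph
# GET /identity/conditionalAccess/policies. All IDs and names are made up.
SAMPLE_EXPORT = json.loads("""
[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeUsers": ["bg-user-id"]}}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeGroups": ["grp-helpdesk"]}}},
 {"displayName": "Require compliant device for admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["role-global-admin"],
                           "excludeGroups": ["grp-breakglass"]}}},
 {"displayName": "Block sign-in outside office",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}}},
 {"displayName": "Old pilot policy", "state": "disabled",
  "conditions": {"users": {"includeUsers": ["All"]}}}
]
""")

def _targets(users, prefix, user_id, groups, roles):
    """True if the include*/exclude* lists chosen by prefix match the account."""
    listed = set(users.get(prefix + "Users") or [])
    return ("All" in listed or user_id in listed
            or bool(groups & set(users.get(prefix + "Groups") or []))
            or bool(roles & set(users.get(prefix + "Roles") or [])))

def policies_covering_account(policies, user_id, groups=(), roles=()):
    """Return (displayName, state) for non-disabled policies that include
    the account and do not exclude it by user, group or role."""
    groups, roles = set(groups), set(roles)
    findings = []
    for p in policies:
        if p.get("state") == "disabled":
            continue  # disabled policies cannot block sign-in
        users = p.get("conditions", {}).get("users", {})
        if (_targets(users, "include", user_id, groups, roles)
                and not _targets(users, "exclude", user_id, groups, roles)):
            findings.append((p["displayName"], p["state"]))
    return findings

if __name__ == "__main__":
    for name, state in policies_covering_account(
            SAMPLE_EXPORT, "bg-user-id", {"grp-breakglass"}, {"role-global-admin"}):
        print(f"{state}: '{name}' still applies to the emergency access account")
```

Report-only policies are included in the findings because they would start applying to the account as soon as someone switches them to enabled.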