Ensuring Access to Your Microsoft Entra Tenant in Case of Emergency

In this blog post, we will explore a real-life scenario that demonstrates how to regain access to your Microsoft Entra Tenant in an emergency. The aim is to help you understand the steps to take if you accidentally lock yourself out due to improperly configured Conditional Access Policies.

It’s relatively easy to accidentally lock yourself out of your tenant, thus losing partial or complete administrative control. This post will walk you through the process of regaining access with the help of Microsoft Support, and outline preventive measures to ensure a quicker resolution.

Regaining Access: A Step-by-Step Process

Let’s consider a situation where one or more Conditional Access Policies have been misconfigured, and even a Global Administrator is blocked from accessing the tenant. This could be due to manual changes or errors in automation of Conditional Access Policies.

If you work with a Cloud Solution Provider (CSP), they might assist you by modifying the Conditional Access Policies through their GDAP permissions, enabling you to regain access relatively quickly. If the CSP can’t help, the next step is to contact Microsoft Support. In urgent cases, it’s advisable to open a “Sev A” support case, indicating that you are available 24/7 until the issue is resolved; otherwise, a “Sev B” support case might be sufficient.

Microsoft Support Process

The Microsoft 365 Data Protection Team manages cases by verifying tenant ownership through various methods. Here is the typical process:

  1. Query for a User Account with a Permanent Global Administrator Role:
    • If such an account exists, and it’s a personalized one (e.g., [email protected]), several security questions will need to be answered. For security reasons, Microsoft does not communicate these requirements in advance.
    • For non-personal accounts, such as “break glass” accounts, verification might occur via the technical contact’s mailbox to confirm tenant ownership. It’s mandatory to define your technical contact in your tenant.
  2. No Active Global Administrator
    • Verification can proceed through a Verified Domain and an additional TXT-DNS record, which must be added to the public DNS zone of your Verified Domain.
  3. No Verified Domain (Only Using x.onmicrosoft.com in Your Tenant):
    • Organization profile information such as company name, address, phone number, and your technical contact email address will be requested.
    • If discrepancies are found between your provided information and the information in your tenant, official company registry documents may be required to confirm ownership.

To summarize, the most straightforward route to resolve such issues is having a permanently assigned Global Administrator account, ideally a personal one with an associated mailbox. If this isn’t possible, defining a technical contact is crucial. In worst-case scenarios, official registration documents may be necessary.

Organization profile information

Under the following link you can view and edit the Organization Profile information of your tenant directly. It is highly recommended that you keep this information up to date and make a note of it.

Defining Your Technical Contact

To define the technical contact for your tenant, follow these steps:

  1. Open the Entra ID or Azure portal and navigate to Entra ID.
  2. Navigate to the Overview page.
  3. Go to the Properties section.
  4. Add a technical contact with the appropriate Entra ID role. The least privileged role that can perform this task is the Billing Administrator.

Customer Lockbox for Microsoft Azure

If the tenant is secured with Customer Lockbox for Microsoft Azure, then approval by a Global Administrator is required as well.

The problem here is that you will receive the approval email if your user has a valid email address configured, but you will not be able to approve the request because the misconfigured Conditional Access Policies block you at sign-in.

Experience has shown that a screenshot with the login error message is sufficient for the Microsoft Engineer. This means you can have Customer Lockbox for Microsoft Azure active without any problems.

Edge Case: Lacking a Permanent Global Administrator

Not adhering to Microsoft’s best practices and lacking an active, permanently assigned Global Administrator complicates the verification process significantly. The Microsoft 365 Data Protection Team can only verify ownership through permanently assigned Global Administrators; having the Global Administrator role assigned as eligible for activation via Privileged Identity Management (PIM) is insufficient for the Data Protection Team.

To avoid these complications, Microsoft recommends creating two emergency access accounts (“break glass” accounts) that have permanently assigned Global Administrator roles. These accounts should be configured and monitored according to best practices outlined in the documentation.

Recommended Setup for Emergency Access Accounts

  1. Permanent Global Administrator Assignment:
    • Create two emergency access accounts (break glass) and assign them the Global Administrator role permanently.
  2. Configuration and Monitoring:
    • Follow the guidelines provided in the official Microsoft documentation on Emergency Access Accounts, ensuring they are properly configured.
    • Refer to the detailed instructions and best practices shared by Oliver Müller in his insightful blog post.

By implementing these recommendations, you can ensure that your verification process is smoother and compliant with Microsoft’s security protocols.
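The three verification paths described above (a technical contact, a permanent rather than PIM-eligible Global Administrator, and break glass accounts that the Conditional Access Policies cannot lock out) can be checked before an emergency happens. The following read-only pre-flight check is an added example, not code from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and that the two placeholder UPNs are replaced with your own emergency access accounts.

```powershell
# Added example: verify that the tenant is recoverable before a lockout occurs.
# Assumes the Microsoft Graph PowerShell SDK; the UPNs below are placeholders.
Connect-MgGraph -Scopes 'Policy.Read.All','RoleManagement.Read.Directory','User.Read.All','Organization.Read.All' -NoWelcome

$BreakGlassUpns     = @('breakglass1@contoso.onmicrosoft.com', 'breakglass2@contoso.onmicrosoft.com')  # placeholders
$GlobalAdminRoleId  = '62e90394-69f5-4237-9190-012177145e10'  # well-known Global Administrator role template ID

# 1. Technical contact: used by the Data Protection Team to verify ownership of a non-personal account.
$org = Get-MgOrganization
if (-not $org.TechnicalNotificationMails) {
    Write-Warning 'No technical contact is configured on the tenant.'
} else {
    "Technical contact(s): $($org.TechnicalNotificationMails -join ', ')"
}

# Enabled and report-only policies both matter; a report-only policy may be switched on later.
$policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -ne 'disabled' }

foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled
    if (-not $user.AccountEnabled) { Write-Warning "$upn is disabled." }

    # 2. Permanent Global Administrator assignment: active ("Assigned", not PIM "Activated")
    #    and without an expiry. An eligible-only assignment does not satisfy the verification.
    $schedules = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
        -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$GlobalAdminRoleId'"
    $permanent = $schedules | Where-Object {
        $_.AssignmentType -eq 'Assigned' -and $_.ScheduleInfo.Expiration.Type -eq 'noExpiration'
    }
    if (-not $permanent) {
        Write-Warning "$upn has no permanent Global Administrator assignment."
    }

    # 3. Excluded from every non-disabled Conditional Access policy, so a policy change cannot lock it out.
    $notExcluded = $policies | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $user.Id }
    foreach ($p in $notExcluded) {
        Write-Warning "$upn is not excluded from policy '$($p.DisplayName)' (state: $($p.State))."
    }
}
```

Run it after every Conditional Access change; any warning it prints is a gap that would lengthen the Microsoft Support verification described above.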

Temporarily Disabling Conditional Access Policies

Once successfully verified, the Microsoft 365 Data Protection Team will temporarily remove the verified user from all the Conditional Access Policies for up to 24 hours. This ensures you can access the tenant and correct any misconfigured Conditional Access Policies.

According to a Microsoft Engineer, this process — from verification to regaining tenant access — usually takes about 4 hours for a “Sev A” case, though this isn’t guaranteed and may take longer.

Personal Learnings

Create and Maintain Break Glass Accounts: Ensure you have at least one, but ideally two, “break glass” accounts with the Global Administrator role permanently assigned. These accounts are crucial for emergency access and verification processes.

Regularly Update Organization Profile Information: Routinely check and update your Organization Profile information. Accurate and up-to-date information can make the verification process easier.

Monitor Break Glass Account Sign-Ins: Regularly verify that the sign-ins of your break glass accounts are functioning properly. Verify those sign-ins are monitored and you receive alerts.

Align with Microsoft’s Internal Processes: Respect and understand Microsoft’s internal processes, even though currently they do not accept Global Administrators who are only eligible for activation via PIM for verification purposes. Being familiar with these requirements will help streamline any future interactions and avoid potential delays or complications.

By following these learnings, you can ensure a smoother and more efficient experience in managing and verifying your tenant, thereby aligning with best practices and minimizing the risk of complications.

Additional Resources