Locked out of tenant for 4+ weeks – Identity Protection block, no resolution

Christopher Quinn 0 Reputation points
2025-08-11T06:25:01.2566667+00:00

I’ve been completely locked out of a Microsoft 365 / Azure tenant for over 4 weeks due to a Microsoft Entra ID (Azure AD) Identity Protection policy misconfiguration.

Only a break-glass account can sign in, but it does not have sufficient permissions to reverse the policy or assign roles.

I have already contacted the Microsoft 365 Data Protection Team via a support ticket, but there has been no progress or resolution.

At this point, I need clear guidance on:

  • How to escalate this type of lockout so that a Global Admin account can be restored, or
  • If recovery is not possible, how to request tenant deletion to stop ongoing billing.

Any advice from Microsoft engineers or those who have successfully escalated similar cases would be greatly appreciated.

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.

2 answers

  1. Monalisha Jena 330 Reputation points Microsoft External Staff Moderator
    2025-08-25T07:17:26.9266667+00:00

    Hello Christopher Quinn

    Thank you for posting your query on Microsoft Q&A.

    Answers to your queries:

    1. Request Tenant Deletion: If recovery is not possible, you may want to request the deletion of your tenant to stop any further billing. This typically involves contacting Microsoft support directly and specifying that you no longer wish to maintain the tenant.
    2. Escalate Your Support Ticket: Since you've already reached out to the Microsoft 365 Data Protection Team, consider escalating your support ticket. You can explicitly mention the urgency and that you've been locked out for over 4 weeks. Request to speak with a higher level of support or ask for a manager to review your case.
    3. Identify and Engage Your Customer Success Account Manager (CSAM) - If you have an assigned CSAM or Microsoft account team, contact them with “Global Admin lockout” severity.
      • Provide the tenant and ownership details.
      • Request that the Entra ID Engineering team temporarily disable or remove the Identity Protection policy blocking all Global Admins.
    4. If You Do Not Have a CSAM, Use Microsoft Support Phone Escalation - Call your regional Microsoft 365/Entra ID support phone number (available at https://support.microsoft.com/help/4051701/global-customer-service-phone-numbers).
      • Explain: “I am locked out as Global Admin due to an Entra ID Identity Protection policy misconfiguration. I can only sign in with a break-glass account that lacks privileges to make changes.”
      • Provide the tenant ownership documentation you gathered.
      • Ask explicitly for a backend intervention to disable or relax the blocking policy.

    If the above is not useful then we can also help you to engage the Data Protection team via a support ticket to unblock your access.

    To proceed, we will need a few details from you. As this information contains Personally Identifiable Information, please share the following details via private message:

    • Contact phone number (add +Country code)
    • Contact email address
    • Global admin email address (affected account)
    • Country
    • TimeZone
    • Affected subscription ID
    • Tenant ID

    Please send me the details via private message.
    Hope this helps to resolve your issue.


  2. Christopher Quinn 0 Reputation points
    2025-08-26T01:31:14.85+00:00

    After 6 weeks, it's finally resolved. Thank you for your interest.

