Partner lockout of Microsoft 365 tenant – looking for advice on next steps
Hello all,
I’d appreciate some guidance from the community on a serious situation we are facing.
On 12 September 2025, our Microsoft partner unilaterally locked us out of our Microsoft 365 tenant. They retained exclusive Global Administrator / Partner Delegated Admin rights, which means:
- All staff and directors are unable to access email, Teams, SharePoint/OneDrive, or even log into their Azure AD-authenticated workstations.
- Our corporate and staff personal data is now inaccessible to us as the controller.
- Access restoration has been explicitly conditioned on payment of a disputed invoice (not related to Microsoft licence pass-through).
This raises several concerns:
- Operational: we are effectively paralysed.
- Security/IP: the partner still has exclusive access to proprietary source code and other confidential business data.
- Compliance: we cannot meet our GDPR/UK DPA obligations on availability of personal data while locked out.
We contacted Microsoft Business Conduct on Friday evening with full details of the incident, but so far no human response has been received to those emails.
Questions for the community
- From a Microsoft tenancy perspective – what’s the fastest/most effective way to remove a partner’s delegated admin access if they refuse to release it voluntarily?
- Has anyone experienced or seen a similar scenario where access was conditioned on disputed payments?
- Are there formal Microsoft Partner Code of Conduct provisions that directly address this type of misuse of delegated admin rights?
- Any practical lessons on balancing the technical fix (regaining control of the tenant) with the legal approach (injunction, regulatory notifications)?
My focus is on regaining secure access, protecting data/IP, and ensuring compliance.
Any experience, insight, or links to Microsoft policy/resources would be greatly appreciated.
9 Replies
- Ermserg (Copper Contributor)
Thanks for the responses so far. I realise I may not have explained myself properly earlier, and I probably also posted in the wrong forum — I understand this space is mainly for partners. I’m a customer, not a partner, but I was hoping to find the right expertise here.
To clarify the situation:
- Our entire organisation (30 Microsoft 365 licences, ~£100m turnover, 10,000+ customers) has been locked out of our tenant by our CSP/MSP.
- They used their delegated Global Admin account to disable access for everyone else — including our own Global Admins.
- All staff and directors are locked out of Exchange, Teams, SharePoint/OneDrive, and even Azure AD–authenticated workstations.
- The partner is explicitly conditioning restoration of access on payment of disputed invoices unrelated to Microsoft licence pass-through.
This is not a standard “CSP suspension”: in a suspension, customer Global Admins normally retain tenant access. In our case, the MSP is the only remaining Global Admin.
What I’ve done so far:
- Raised a ticket with Microsoft Support via phone and spoke with the Data Protection Team. They refused to help or initiate Tenant Ownership / Domain Verification, even though we still control DNS. Their position was that Microsoft policy does not allow intervention in disputes “between global admins.”
- I explained repeatedly this is not a dispute between admins within our organisation — it’s a dispute between our organisation and a Microsoft Partner who has hijacked the tenant. That distinction seems to have been ignored.
- I also contacted the Microsoft Partner Conduct / Business Conduct department with full details and evidence. It has now been 7 days with no human response.
The current situation is that the data processor (our MSP) is denying the data controller (us) access to very sensitive data, including corporate records, bank account details, ID documents, and financial transactions for thousands of customers. The case has already been reported to the UK Information Commissioner (ICO) as a personal data breach. But regulatory channels are not the quickest route to restore service.
My key questions:
- From a customer perspective, who at Microsoft can actually initiate Tenant Ownership / Domain Verification so we can reassert Global Admin control?
- Are there official Partner Code of Conduct rules that directly cover this misuse of delegated admin privileges?
- Has anyone seen a similar case where access restoration was conditioned on disputed, non-Microsoft payments?
- Any practical advice on balancing the technical fix (regaining tenant control) with the legal/regulatory side (ICO notification, Computer Misuse Act, possible injunction)?
My focus is simply on regaining secure access, protecting data/IP, and meeting compliance obligations. Any guidance or experiences from others would be very welcome.
- RobertHemsley (Brass Contributor)
Hi Ermserg
This is a really serious (and unfortunately not unheard of) situation. Thanks for sharing the full context.
I have a couple of questions which would help me understand the situation a bit more clearly. How do you currently purchase your M365 licenses, is it under an agreement like EA or CSP? Secondly, do admins still have access to data?
To answer your questions:
- From a Microsoft tenancy perspective – what’s the fastest/most effective way to remove a partner’s delegated admin access if they refuse to release it voluntarily?
You can manage rights and permissions to your Microsoft 365 accounts on the Partner relationships page in the Microsoft 365 Admin Center. On this page, you can:
- See which partners you have a relationship with, and which partners have GDAP.
- Remove a partner's GDAP from your tenant.
- Has anyone experienced or seen a similar scenario where access was conditioned on disputed payments?
Yes, when purchasing via CSP, Partners can suspend a subscription to temporarily disable the services to customers. The Suspend state is designed to help in dunning scenarios since users cannot access files and services, although customer administrators can still access data. Partners continue to be billed when a subscription is suspended.
- Are there formal Microsoft Partner Code of Conduct provisions that directly address this type of misuse of delegated admin rights?
Yes, there is a partner code of conduct which outlines protection of information and ethical business practices. However, going back to the previous question, I suspect that your subscription has been suspended rather than using any admin privileges to block access. The GDAP framework itself, which replaced the less secure Delegated Admin Privileges (DAP), was designed specifically to minimize potential for misuse.
- Any practical lessons on balancing the technical fix (regaining control of the tenant) with the legal approach (injunction, regulatory notifications)?
This is not something I could advise on; however, the Microsoft Customer Agreement does have wording around subscription suspensions for non-payments.
Something else to note is that you do also have the option to transfer your subscriptions to a different partner. You have outlined that your invoice dispute does not relate to your licenses so could this potentially be an option?
- Ermserg (Copper Contributor)
I'm a customer, not a partner.
- Ermserg (Copper Contributor)
How do you currently purchase your M365 licenses, is it under an agreement like EA or CSP?
Through the same Partner
Secondly, do admins still have access to data?
Only the Partner's account with global admin rights has access. All our users, including three other global admins, have been locked out by the MSP.
I don't have access to Admin Center or Entra or Azure since the lockout.
- RobertHemsley (Brass Contributor)
Hi Ermserg
Just to clarify, are your licenses via an EA, CSP or other?
When a Microsoft CSP subscription is suspended, users lose access to services and data. However, administrators retain access to service data and properties, placing the subscription in a data retention mode.
If this is not a suspension and your own global admins have been locked out of the tenant, then that does sound like a serious concern and my advice would be to have this escalated with Microsoft by first starting a support request.
- JillArmourMicrosoft
Community Manager
You may want to try posting this message in the Microsoft 365 admin center | Microsoft Community Hub for help as this community is for partners, not for customers unfortunately. 🙁
- JillArmourMicrosoft
Community Manager
Ermserg are you a customer of a Microsoft partner? I don't know anything about what you are asking and I don't think this is the appropriate area to post about it, so I am actively looking for some resources for you to scope out. Also tagging some super users in case they have any ideas, thanks so much in advance guys!
Also moving this to our Partner-led tech topics board until I can figure out a better place for your inquiry.
nick_Anag MartijnElfers ahart3 sansbacher RobertHemsley
- sansbacher (Brass Contributor)
Ermserg,
I have no idea... if I understand you correctly: you're a CUSTOMER, not an MS PARTNER -- but you have an association WITH a Partner, and now that partner has locked you (the customer) out of your own Tenant? Is that right?
That seems shady to me, and not something I could see a legit MSP/CSP/MSSP doing (even if they wrote that into their contract language, around missed invoices/bills). Essentially they have "stolen" or "hijacked" your Tenant and are holding it "hostage".
A recent /r/msp post implies calling the "data protection team at 18006427676" might help (even if that is only for Partners maybe they would know what to do when a Partner goes rogue?).
https://www.reddit.com/r/msp/comments/1niyihb/embarrassing_mistake_with_microsoft/
There's definitely a spot in the O365 portal for each Tenant where you can view GDAP and Partner registrations. But of course you need to get in there and be a Global Admin to do that. But if they are locking you out they probably also have their own Global Admin account, maybe multiple - meaning they can undo whatever you do if they're faster.
So you need to: A) find a new MS Partner, B) they or you need to contact MS re: restoring access to your Tenant, and C) they need to audit and remediate any possible security issues and lock the original Partner out.
Dealing with any unpaid invoices would be between you and the original Partner, but shouldn't involve your Tenant (even if the unpaid Invoice was for O365 related licenses).
If they continue to thwart you perhaps the Police could be involved? But I have to think Microsoft has a way to seize control of the Tenant and return it to its rightful owner - but that would be a JillArmourMicrosoft question I think (hope).
--Saul
- JillArmourMicrosoft
Community Manager
I don't know anything from a customer perspective. All my resources are focused on partners, but I have provided a link in my earlier response to a board that may be more helpful to publish this inquiry on.
Sounds awful and I'm so sorry that this has happened to you. I hope you get it figured out quickly. ❤️