Partner lockout of Microsoft 365 tenant – looking for advice on next steps

Thanks for the responses so far. I realise I may not have explained myself properly earlier, and I probably also posted in the wrong forum — I understand this space is mainly for partners. I’m a customer, not a partner, but I was hoping to find the right expertise here.

To clarify the situation:

• Our entire organisation (30 Microsoft 365 licences, ~£100m turnover, 10,000+ customers) has been locked out of our tenant by our CSP/MSP.
• They used their delegated Global Admin account to disable access for everyone else — including our own Global Admins.
• All staff and directors are locked out of Exchange, Teams, SharePoint/OneDrive, and even Azure AD–authenticated workstations.
• The partner is explicitly conditioning restoration of access on payment of disputed invoices unrelated to Microsoft licence pass-through.

This is not a standard “CSP suspension”: in a suspension, customer Global Admins normally retain tenant access. In our case, the MSP is the only remaining Global Admin.

What I’ve done so far:

• Raised a ticket with Microsoft Support via phone and spoke with the Data Protection Team. They refused to help or initiate Tenant Ownership / Domain Verification, even though we still control DNS. Their position was that Microsoft policy does not allow intervention in disputes “between global admins.”
• I explained repeatedly this is not a dispute between admins within our organisation — it’s a dispute between our organisation and a Microsoft Partner who has hijacked the tenant. That distinction seems to have been ignored.
• I also contacted the Microsoft Partner Conduct / Business Conduct department with full details and evidence. It has now been 7 days with no human response.

The current situation is that the data processor (our MSP) is denying the data controller (us) access to very sensitive data, including corporate records, bank account details, ID documents, and financial transactions for thousands of customers. The case has already been reported to the UK Information Commissioner (ICO) as a personal data breach. But regulatory channels are not the quickest route to restore service.

My key questions:

1. From a customer perspective, who at Microsoft can actually initiate Tenant Ownership / Domain Verification so we can reassert Global Admin control?
2. Are there official Partner Code of Conduct rules that directly cover this misuse of delegated admin privileges?
3. Has anyone seen a similar case where access restoration was conditioned on disputed, non-Microsoft payments?
4. Any practical advice on balancing the technical fix (regaining tenant control) with the legal/regulatory side (ICO notification, Computer Misuse Act, possible injunction)?

My focus is simply on regaining secure access, protecting data/IP, and meeting compliance obligations. Any guidance or experiences from others would be very welcome.