Mar 17 2017 12:03 PM
So an admin created a conditional access policy that I can only assume was set to all users/all apps and has locked us out of our admin portal. Is there a way to gain access to turn this policy off? I've contacted MS but haven't had much luck at this point.
Aug 23 2017 05:53 PM
Please can you tell me if you sorted this and how? I have the same issue.
Nov 26 2017 12:23 PM
I am having the same issue and Microsoft support hasn't been responsive. How did you get this resolved?
Nov 26 2017 12:29 PM
Don't panic like I did. This is fixable. I called one of these numbers, can't remember which one.
They logged a ticket, and within 24hrs this was fixed.
0344 800 2400
0800 032 6417
Hope that helps.
Nov 26 2017 12:33 PM
Do you remember if that is 365 support or Azure support (I'm in the US so I would have different numbers)? I finally spoke to an engineer at 365 support yesterday, he told me he couldn't do anything and I had to file a web support request with Azure, which I did. I can't seem to find a phone number for Azure.
Nov 26 2017 12:48 PM
The 0800 number was the one I think I used. And they will be able to give you a US number if you call them anyway.
Or you can try this too:
https://docs.microsoft.com/en-us/intune/phone-support-contact
Nov 27 2017 06:11 AM
Microsoft support is a joke. I'm on an E3 plan and the best they can tell me is Monday or Tuesday.
Mar 17 2019 07:13 AM
Mar 18 2019 06:34 AM
@Christian_gb I'm sorry to hear you are experiencing this. I got passed from group to group with no help. Eventually I was able to find one PC that was joined to the Azure AD domain and was 'compliant' so it was able to log in to the portal using my admin account and turn off the conditional access. I wish I had better news for you.
I would try to think about what policy settings you enabled for conditional access and then try to get a PC to meet those settings, for example joining to the Azure AD.
I wish you luck!
Mar 19 2019 05:45 PM
@mwhitley Thanks for getting back to me. Sadly I wasn't able to get back in the way you suggested as the CA policy was set up in error and should never have been applied in the first place. It didn't have ANY grant controls in place - only block! Pleased to say that my whole ordeal is finally over!
I thought I'd just leave what my experience was like here for other admins who managed to do something similar....
I managed to accidentally enable a CA policy on a live environment before the policy had finished being set up - it definitely wasn't ready for deployment! The result was a total lockout of all users on my tenant to all services other than Exchange (including all my global admin accounts because exclusions had not yet been applied to these accounts).
It turns out you have to raise a ticket through the Azure Portal (which I was locked out of - had to use a different company's tenant to do this). They have since told me that you can use the phone numbers at the following link if locked out of the portal. At the time I couldn't find these numbers. (https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers)
They escalated my support ticket all the way to the Azure Product Group (who are above the technical support team and so far as I was informed they don't work 24x7). In my case, the tool they use in the backend of the systems to let admins back into the tenant was broken. This meant they had to have their engineers fix it before they could let me back in. (In total it took 48 hours from initial lockout to getting back in - but this did include a Sunday as well as a Monday...).
I was told that it normally takes closer to 4 hours to be let back in after a CA lockout but I'm not sure if that's from the point the ticket is escalated to the Azure Product Group or from initial ticket submission. They clearly seemed to think that I'd been particularly unlucky with my timing of the whole thing!
In the end, the Product Group were able to use the tool to exclude my Global admin account from the offending CA policy which let me go back into the Portal and disable it.
The whole endeavour showed that the processes in place within Microsoft for resolving CA lockouts should work relatively smoothly but in my case didn't due to unavoidable circumstances on the Product Group's part.
I suggest that any other admin who has to go through this make sure that they initially report the case to the Azure Support team as O365 Support cannot even escalate a case to the Azure team. Make sure the Azure AD Support team know it has to be escalated to the Product Group. Once it has been escalated this far it's then a case of waiting for them to work their magic.
If you phone Office 365 support you will be escalated to the Data Protection team who won't be able to help you (unless you need them to reset your password to your account!).
I hope this helps other admins going through a CA lockout. When I had the misfortune of having to go through this whole thing there was very little info on forums other than @mwhitley's post.
I will definitely review CA policies more carefully in future!!!
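As an added example that is not part of the original posts: a pre-enable check for the failure described above, an enforced policy targeting all users and all apps with no admin exclusions. It assumes policies exported as JSON in the Microsoft Graph conditionalAccessPolicy shape; `lockout_risks`, `audit`, `make_policy`, the sample policies and the account ID are hypothetical names and constructed values.

```python
# Added example (not from the thread). Policy dicts follow the Microsoft Graph
# conditionalAccessPolicy JSON shape; all sample values below are constructed.
ADMIN_ID = "11111111-1111-1111-1111-111111111111"  # constructed admin object ID

def lockout_risks(policy, admin_ids):
    """Return reasons an enforced all-users/all-apps policy could lock admins out."""
    if policy.get("state") != "enabled":
        return []  # disabled and report-only policies are not enforced
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    if "All" not in users.get("includeUsers", []):
        return []
    if "All" not in apps.get("includeApplications", []):
        return []
    risks = []
    # Assumption: only direct user exclusions are checked, not groups or roles.
    missing = sorted(set(admin_ids) - set(users.get("excludeUsers", [])))
    if missing:
        risks.append("admin accounts not excluded: " + ", ".join(missing))
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    if controls == ["block"]:
        risks.append("block only: no device or MFA state can satisfy this policy")
    return risks

def make_policy(name, state, controls, exclude=()):
    """Build a constructed sample policy that targets all users and all apps."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": list(controls)},
    }

SAMPLES = [
    make_policy("Block everything", "enabled", ["block"]),
    make_policy("Require compliant device", "enabled", ["compliantDevice"]),
    make_policy("Draft block", "enabledForReportingButNotEnforced", ["block"]),
    make_policy("Require MFA", "enabled", ["mfa"], exclude=[ADMIN_ID]),
]

def audit(policies, admin_ids):
    """Map displayName -> risks for every policy with at least one finding."""
    found = {p["displayName"]: lockout_risks(p, admin_ids) for p in policies}
    return {name: risks for name, risks in found.items() if risks}
```

A policy that requires a compliant device is flagged once, because an admin can still get in from a device that meets the control; the block-only policy is flagged twice, because nothing satisfies it.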
Mar 19 2019 09:04 PM
@Christian_gb I'm glad to hear that you were able to get this resolved and thank you for sharing the method! I tried to go through O365 support and they were no help, it is great to know the Azure support team was able to help you. I'm glad you're back in operation!
Aug 27 2020 05:31 AM