Admin locked out users from azure portal by mistake with Conditional Access


So an admin created a conditional access policy that I can only assume was set to all users/all apps and has locked us out of our admin portal. Is there a way to gain access to turn this policy off? I've contacted MS but haven't had much luck at this point.

11 Replies

Please can you tell me if you sorted this and how. I have the same issue.

I am having the same issue and Microsoft support hasn't been responsive. How did you get this resolved?

Don't panic like I did. This is fixable. I called one of these numbers, can't remember which one.
They logged a ticket, and within 24 hrs this was fixed.

0344 800 2400

0800 032 6417

Hope that helps.

Do you remember if that is 365 support or Azure support (I'm in the US so I would have different numbers)? I finally spoke to an engineer at 365 support yesterday, he told me he couldn't do anything and I had to file a web support request with Azure, which I did. I can't seem to find a phone number for Azure.

The 0800 number was the one I think I used. And they will be able to give you a US number if you call them anyway.
Or you can try this too:

https://docs.microsoft.com/en-us/intune/phone-support-contact

Microsoft support is a joke. I'm on an E3 plan and the best they can tell me is Monday or Tuesday.

Which department was it they escalated to in order to let you back in? I have the same issue but affecting all apps. They have escalated to the Azure Product team but I am not sure this is right. I have already been through Data Protection team, O365 support team and Azure Support team. Please help!

@Christian_gb I'm sorry to hear you are experiencing this. I got passed from group to group with no help. Eventually I was able to find one PC that was joined to the Azure AD domain and was 'compliant' so it was able to login to the portal using my admin account and turn off the conditional access. I wish I had better news for you.

I would try to think about what policy settings you enabled for conditional access and then try to get a PC to meet those settings, for example joining to the Azure AD.


I wish you luck!

@mwhitley Thanks for getting back to me. Sadly I wasn't able to get back in the way you suggested as the CA policy was set up in error and should never have been applied in the first place. It didn't have ANY grant controls in place, only block! Pleased to say that my whole ordeal is finally over!

I thought I'd just leave what my experience was like here for other admins who managed to do something similar...

I managed to accidentally enable a CA policy on a live environment before the policy had finished being set up; it definitely wasn't ready for deployment! The result was a total lockout of all users on my tenant from all services other than Exchange (including all my global admin accounts, because exclusions had not yet been applied to these accounts).

It turns out you have to raise a ticket through the Azure Portal (which I was locked out of; I had to use a different company's tenant to do this). They have since told me that you can use the phone numbers at the following link if locked out of the portal. At the time I couldn't find these numbers. (https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers)

They escalated my support ticket all the way to the Azure Product Group (who are above the technical support team and, so far as I was informed, don't work 24x7). In my case, the tool they use in the backend of the systems to let admins back in to the tenant was broken. This meant they had to have their engineers fix it before they could let me back in. (In total it took 48 hours from initial lockout to getting back in, but this did include a Sunday as well as a Monday...)

I was told that it normally takes closer to 4 hours to be let back in after a CA lockout, but I'm not sure if that's from the point the ticket is escalated to the Azure Product Group or from initial ticket submission. They clearly seemed to think that I'd been particularly unlucky with my timing of the whole thing!

In the end, the Product Group were able to use the tool to exclude my Global admin account from the offending CA policy which let me go back into the Portal and disable it.

The whole endeavour showed that the processes in place within Microsoft for resolving CA lockouts should work relatively smoothly, but in my case didn't due to unavoidable circumstances on the Product Group's part.

I suggest that any other admin who has to go through this make sure that they initially report the case to the Azure Support team, as O365 Support cannot even escalate a case to the Azure team. Make sure the Azure AD Support team know it has to be escalated to the Product Group. Once it has been escalated this far it's then a case of waiting for them to work their magic.

If you phone Office 365 support you will be escalated to the Data Protection team who won't be able to help you (unless you need them to reset your password to your account!).

I hope this helps other admins going through a CA lockout. When I had the misfortune of having to go through this whole thing there was very little info on forums other than @mwhitley's post.

I will definitely review CA policies more carefully in future!!!
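The policy that caused this lockout (enabled, scoped to all users and all cloud apps, grant control "block", no exclusions yet) can be caught before it is switched on. The following check is an added example, not code from the thread or from Microsoft: it reads policy objects in the Microsoft Graph conditionalAccessPolicy field layout and flags ones that would lock administrators out; the sample policies and the break-glass object id are constructed placeholders.

```python
from typing import Dict, List

# Grant controls that depend on device state; mwhitley's workaround above
# (finding one compliant, Azure AD joined PC) only exists if these are used.
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}


def lockout_reasons(policy: Dict) -> List[str]:
    """Return reasons a policy could lock admins out; an empty list means no finding."""
    if policy.get("state") != "enabled":
        return []  # disabled or report-only policies cannot block a sign-in
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    apps = conditions.get("applications", {})
    controls = set((policy.get("grantControls") or {}).get("builtInControls", []))
    if "All" not in users.get("includeUsers", []) or "All" not in apps.get("includeApplications", []):
        return []  # narrowly scoped policies are out of scope for this check
    excluded = any(users.get(key) for key in ("excludeUsers", "excludeGroups", "excludeRoles"))
    reasons = []
    if "block" in controls:
        reasons.append("grant control is 'block' for all users and all apps")
    if controls & DEVICE_CONTROLS and not excluded:
        reasons.append("requires a device state that admins may not be able to satisfy")
    if not excluded:
        reasons.append("no user, group or role is excluded (no break-glass account)")
    return reasons


# Constructed sample policies (not real tenant data).
ACCIDENTAL_BLOCK = {  # the unfinished policy described in the thread
    "displayName": "Draft - not ready",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
SAFE_MFA = {  # same scope, but a grant control plus an excluded break-glass account
    "displayName": "Require MFA",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"],
                             "excludeUsers": ["<break-glass-account-object-id>"]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def audit(policies: List[Dict]) -> Dict[str, List[str]]:
    """Map each policy's displayName to its lockout findings."""
    return {p["displayName"]: lockout_reasons(p) for p in policies}


if __name__ == "__main__":
    for name, reasons in audit([ACCIDENTAL_BLOCK, SAFE_MFA]).items():
        print(name, "->", reasons or ["ok"])
```

Running it over the output of a Graph `GET /identity/conditionalAccessPolicies` call (or over policies still in report-only mode) before enabling them gives the same warning a human review would have raised here.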

@Christian_gb I'm glad to hear that you were able to get this resolved and thank you for sharing the method! I tried to go through O365 support and they were no help, it is great to know the Azure support team was able to help you. I'm glad you're back in operation!

Thank you. 48h and I've found your solution, finally some light at the end of the tunnel. I've had my ticket now forwarded to the Product Group for them to exclude Admin accounts from the problematic CA.