Malicious Global Admin of Tenant

Good evening,

I apologize if this is the wrong place for this post but I made this account just to get some advice on this issue.

I work for a school who has a Microsoft 365 education tenant or we have 2 actually. We were forced to make a new one after the global admin of the previous one took control, locked every single account and disappeared after he was let go from the company. He was the original global admin and always was the only global admin, and because he was a company director we had no power to really add other global admins or seek control. But the company was the one who paid for the tenant and obviously, as we are a school there are thousands of files in the OneDrive accounts in that 365 tenant.

I have tried raising a support claim with Microsoft and gone through a 2-month process of the fraud department investigating the tenant... who finally just emailed the global admin, who of course said he was the only global admin and there was no issue. They then closed the case. They didn't seem to understand our problem or our position... this former director has access to thousands of files posted by staff, students, company directors... everybody in the OneDrive accounts and has actively used them to try to damage the company's reputation, yet they took an email from him as confirmation that there was no fraud and that was that.

He even took control of company social media accounts that were linked to email addresses in the tenant. We were able to get some back through the services themselves, Instagram for example, but others are still inaccessible.

We were not given any opportunity to try to prove that we were the rightful owners of the tenant, which I think we should have been, and I really don't know what our next step is. We've even tried approaching the physical offices of Microsoft in the country we're based in but have not even had a response.

Any advice would be useful at this point.
Yes we have a new tenant but obviously we want the old one back or completely deactivated and all files deleted.
1 Reply

@Ploobz1 Being a global admin is like having the keys to your house, and the permission to do anything with it. I do not know how you would prove that this tenant belongs to you, when the person with the keys and access to everything claims everything is fine. In this case, I would seriously consider legal action towards the person who hijacked the tenant, I do not really see any other path to be honest. Microsoft probably did what they could do.

Some advice for the future: make sure that the people with Global Admin permissions are trustworthy, preferably people within the organization, and make sure there's more than one (but also not too many, Microsoft recommends max. 5). Give any other administrators the permissions they need, according to the 'least privilege' method, e.g. don't make someone a Global Admin that only needs to do something in SharePoint Online.
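
The following is an added example, not part of the original thread or written by either poster: a read-only audit of who currently holds Global Administrator, checked against the "more than one, at most 5" guidance in the reply above. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) is installed; the threshold variable names are illustrative.

```powershell
# Added example: audit active Global Administrator membership in the current tenant.
# Read-only scopes are enough; the audit itself should not need admin write access.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

# Well-known role template ID for Global Administrator (identical in every tenant).
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$minAdmins = 2   # "more than one" (assumed variable name)
$maxAdmins = 5   # "max. 5"       (assumed variable name)

$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $role) { throw 'Global Administrator role not found in this tenant.' }

# Lists active role members only; PIM-eligible assignments are not included here.
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)

$admins = foreach ($m in $members) {
    [pscustomobject]@{
        Id   = $m.Id
        Type = $m.AdditionalProperties['@odata.type']
        UPN  = $m.AdditionalProperties['userPrincipalName']
        Name = $m.AdditionalProperties['displayName']
    }
}
$admins | Sort-Object Type, UPN | Format-Table -AutoSize

# Count human accounts separately: a service principal or group holding the
# role does not give the organization a second person who can recover access.
$userAdmins = @($admins | Where-Object { $_.Type -eq '#microsoft.graph.user' })
$nonUsers   = @($admins | Where-Object { $_.Type -ne '#microsoft.graph.user' })

if ($userAdmins.Count -lt $minAdmins) {
    Write-Warning "Only $($userAdmins.Count) user account(s) hold Global Administrator; a single holder can lock everyone else out."
}
elseif ($userAdmins.Count -gt $maxAdmins) {
    Write-Warning "$($userAdmins.Count) user accounts hold Global Administrator; move the extras to narrower roles."
}
else {
    Write-Output "Global Administrator count ($($userAdmins.Count)) is within $minAdmins-$maxAdmins."
}

if ($nonUsers.Count -gt 0) {
    Write-Warning "$($nonUsers.Count) non-user principal(s) hold Global Administrator; review whether each needs it."
}
```

Running this on a schedule from an account that is not itself a Global Administrator gives the organization a record of role holders that does not depend on the admins being audited.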