Can a single misconfiguration lock your entire Microsoft 365 organisation out?

The short answer is yes.

An IT admin recently shared a nightmare scenario: their entire Microsoft 365 tenant became inaccessible overnight. No Teams. No SharePoint. No email. Even the Global Admin was locked out and stuck in an MFA loop with no way in.

What caused it?

A well-intentioned security policy. A Conditional Access rule was enabled requiring Microsoft Authenticator for MFA. But none of the users, including admins, had it configured. The result? Every account got caught in an MFA loop, with no escape and no admin access to undo the change. And without admin access, there’s no rolling the policy back.

So how do you fix it?

The bad news is you can’t – not by yourself. The only option is contacting Microsoft Support, verifying your identity, and requesting a temporary bypass. In this case, it took a 24-hour admin access reset window and hours of back-and-forth with support to get back in.

Avoid this disaster with emergency access accounts.

Microsoft recommends every tenant has at least two emergency (or “break-glass”) Global Admin accounts. These should:

  • Be excluded from all Conditional Access and MFA policies
  • Not be used for everyday tasks
  • Be protected with strong, offline-stored credentials
  • Be closely monitored for any sign-in activity
  • Be tested regularly, with their credentials regenerated quarterly

They’re your last resort – use them only in emergencies.
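The checklist above is only useful if someone verifies it before the next policy change, not after the lockout. The script below is an added example, not part of the original post and not Complete IT Systems' tooling: it uses the Microsoft Graph PowerShell SDK to confirm that two break-glass accounts are enabled, hold Global Administrator, are directly excluded from every Conditional Access policy (including disabled and report-only ones, since those can be switched on later), and have had no sign-ins in the last 30 days. The two UPNs and the lookback window are placeholders to replace with your tenant's values; the role template ID is Microsoft's well-known identifier for Global Administrator.

```powershell
# Added example (not from the original post): audit the break-glass accounts against
# the checklist. Requires the Microsoft.Graph PowerShell SDK and an account allowed
# to consent to the scopes requested below.
$BreakGlassUpns = @(
    'breakglass-1@contoso.onmicrosoft.com',   # placeholder, replace with your account
    'breakglass-2@contoso.onmicrosoft.com'    # placeholder
)
$SignInLookbackDays = 30                      # placeholder lookback window

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'Directory.Read.All', 'AuditLog.Read.All'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Account, [string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Account = $Account; Check = $Check; Detail = $Detail })
}

# (a) Resolve UPNs to object IDs: CA exclusions reference users by ID, not UPN.
$breakGlass = foreach ($upn in $BreakGlassUpns) {
    $u = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled
    if (-not $u.AccountEnabled) { Add-Finding $upn 'Enabled' 'Account is disabled' }
    [pscustomobject]@{ Upn = $u.UserPrincipalName; Id = $u.Id }
}

# (b) Global Administrator membership, looked up by the well-known role template ID
# so the check does not depend on the display name.
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$gaMemberIds = @((Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id)
foreach ($bg in $breakGlass) {
    if ($gaMemberIds -notcontains $bg.Id) { Add-Finding $bg.Upn 'Role' 'Not a Global Administrator' }
}

# (c) Direct exclusion from every CA policy. Disabled and report-only policies are
# checked too: flipping one to "On" later must not silently pull the accounts back in.
# Group-based exclusions are deliberately not credited, because membership can drift.
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    $excludedIds = @($p.Conditions.Users.ExcludeUsers)
    foreach ($bg in $breakGlass) {
        if ($excludedIds -notcontains $bg.Id) {
            Add-Finding $bg.Upn 'CA exclusion' "Not excluded from '$($p.DisplayName)' (state: $($p.State))"
        }
    }
}

# (d) These accounts should be idle, so any sign-in in the window is worth a look.
$since = (Get-Date).AddDays(-$SignInLookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
foreach ($bg in $breakGlass) {
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$($bg.Upn)' and createdDateTime ge $since" -Top 50
    foreach ($s in $signIns) {
        Add-Finding $bg.Upn 'Sign-in' "$($s.CreatedDateTime) from $($s.IpAddress), app '$($s.AppDisplayName)', status $($s.Status.ErrorCode)"
    }
}

if ($findings.Count -eq 0) {
    Write-Host "OK: break-glass accounts are enabled, Global Admins, excluded from all $($policies.Count) CA policies, and idle for $SignInLookbackDays days."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it before enabling or editing any Conditional Access policy, and again afterwards: a policy created from a template, or edited by someone unaware of the emergency accounts, will show up immediately as a missing exclusion rather than as an MFA loop the next morning. Any row under the "Sign-in" check should be treated as an incident until explained, which is the monitoring the checklist asks for.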

Ensure you’re ready

We take the stress away. In just a few hours, the expert team at Complete IT Systems can set this up for you and provide a YubiKey. Contact us today to get started, or read more about our professional services here.
