Tenant lockouts can occur when all Global Administrators lose access due to misconfigured policies, expired credentials, or MFA failures. Partners play a critical role in preventing these issues by ensuring tenants are set up with redundancy, recovery options, and lifecycle awareness.
Checklist for Tenant Setup and GDAP Management
Partners should review the GDAP role guidance to find the right roles to support their customers.
- Privileged Authentication Administrator is required for access-related actions such as password reset and MFA reset.
Partners should proactively review GDAP management features to ensure the GDAP relationship with the end customer doesn't expire.
Global Admin account redundancy
- Ensure each tenant has at least two Global Admin accounts with distinct credentials and MFA methods.
- Configure these accounts to support emergency access and avoid lockout during outages or authentication failures.
- For more information, see Secure access practices for administrators in Microsoft Entra ID.
Break-Glass Accounts
- Create emergency accounts excluded from Conditional Access policies.
- Use complex passwords and monitor sign-in activity for these accounts.
- For more information, see Manage emergency access admin accounts.
Conditional Access Policy Design
- Avoid blanket policies that apply to all admins.
- Always test policies before deployment and exclude break-glass accounts.
- For more information, see Building Conditional Access policies in Microsoft Entra.
Emergency Recovery Planning & SSPR
- Document recovery procedures and ensure all admins know how to access emergency accounts.
- Encourage customers to configure Self-Service Password Reset (SSPR) and keep recovery methods up to date. For more information, see Self-service password reset deep dive.
Lifecycle Awareness
- Regularly review admin accounts and roles for activity and validity.
- Remove stale or unused admin accounts to reduce risk.
- For more information, see Best practices for Microsoft Entra roles.
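As an added example that is not part of the original page, the following Microsoft Graph PowerShell script checks two items from the checklist above: that the tenant has at least two active Global Administrators, and that each break-glass account is excluded from every enabled Conditional Access policy. The Microsoft.Graph module, the required scopes and the placeholder break-glass UPNs are assumptions.

```powershell
# Added example (not from the Microsoft Learn page): audits two checklist items with the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is installed and the
# signed-in account has Directory.Read.All and Policy.Read.All. UPNs below are constructed.
param(
    [string[]]$BreakGlassUpns = @('breakglass1@contoso.example', 'breakglass2@contoso.example')
)

Connect-MgGraph -Scopes 'Directory.Read.All', 'Policy.Read.All'

# 1. Global Admin redundancy: count members of the activated Global Administrator role.
#    Only active assignments are returned here; PIM-eligible assignments are not counted.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$gaUpns    = @($gaMembers | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
              Where-Object { $_ })

if ($gaUpns.Count -lt 2) {
    Write-Warning "Only $($gaUpns.Count) active Global Administrator(s): $($gaUpns -join ', '). The checklist calls for at least two."
} else {
    Write-Host "OK: $($gaUpns.Count) active Global Administrators found."
}

# 2. Break-glass exclusions: every enabled Conditional Access policy should list each
#    break-glass account under its user exclusions, otherwise a bad policy can lock everyone out.
#    Exclusions inherited through ExcludeGroups are not resolved by this check.
$policies = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' })

foreach ($upn in $BreakGlassUpns) {
    $user = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id,UserPrincipalName
    if (-not $user) {
        Write-Warning "Break-glass account $upn was not found in the tenant."
        continue
    }

    # A policy that does not name the account in ExcludeUsers may apply to it.
    $notExcluded = @($policies | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $user.Id })
    if ($notExcluded.Count -gt 0) {
        Write-Warning "$upn is NOT excluded from: $($notExcluded.DisplayName -join '; ')"
    } else {
        Write-Host "OK: $upn is excluded from all $($policies.Count) enabled Conditional Access policies."
    }
}
```

Run it from a partner or customer admin session after any Conditional Access change; a warning on either check is the lockout precondition the checklist is designed to prevent.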
Note
For any scenarios that involve the Customer tenant, Microsoft must work directly with a Global Administrator on the tenant where access issues are occurring. In most scenarios, if the Partner has the appropriate granular delegated admin permissions (GDAP), they should be able to help the customer without engaging Microsoft. Customers and Partners should always try recovering access through the Self-Service Password Reset tool before contacting Microsoft for support.
Tenant Lockout: Scenarios & Next Steps
The following are scenarios that Partners and Customers can encounter, with steps on how to resolve them.
To contact Microsoft Support: Find Microsoft 365 for business support phone numbers by country or region.
The scenarios are categorized in two broad categories:
- No GDAP Access or No Partner Relationship - This covers all scenarios where the customer has no Partner Relationship or no GDAP Relationship with any Partner.
- GDAP Access - This covers all scenarios where the Partner has a GDAP relationship with a customer. Since GDAP relies on Entra ID roles, it's important to review the active roles to determine whether the Partner can perform the requested action.
Scenario 1.1: Password reset, MFA, or forgot username
GDAP is active and the Partner holds password reset roles. The customer has lost access to a tenant and needs a password reset, and the Partner has granular delegated admin privileges (GDAP) with the appropriate roles. For role guidance, see Who can reset passwords.
- The Partner should work directly with the customer to restore the access. There's no need to engage Microsoft.
Scenario 1.2: Password reset, MFA, or forgot username
GDAP is active but the Partner holds no password reset roles. The customer has lost access to a tenant and needs a password reset, and the Partner has granular delegated admin privileges (GDAP) but doesn't have the roles required to reset the user's password.
- Partners should help customers use the Self-Service Password Reset tool to recover access.
- The end customer Global Administrator of the tenant must contact Microsoft for Support.
- For more information, see Find Microsoft 365 for business support phone numbers by country or region.
Scenario 2.1: Promote user to Global Administrator
A customer user needs to become Global Administrator on a tenant, and the Partner has granular delegated admin privileges (GDAP) with the appropriate roles (either Global Administrator or Privileged Role Administrator).
- The Partner should work directly with the customer to promote the user to global administrator. There's no need to engage Microsoft.
- For more information, see Manage users and licenses.
Scenario 2.2: Promote user to Global Administrator
A customer user needs to become a Global Administrator on a tenant, and the Partner doesn't have an active GDAP relationship or doesn't have the right GDAP roles to elevate the user.
- The customer needs to find another Global Administrator on the tenant to assign this role. If no other Global Administrator is available, the Tenant Owner needs to contact Microsoft for Support.
- For more information, see Find Microsoft 365 for business support phone numbers by country or region.
Scenario 3: The end customer's GA lost access to their tenant and there's no other GA, and the customer doesn't have a partner with GDAP access or needs to establish a new GDAP relationship with a partner
- Partners should help customers use the Self-Service Password Reset tool to recover access.
- The end customer Global Administrator of the tenant must contact Microsoft for Support.
- For more information, see Find Microsoft 365 for business support phone numbers by country or region.
Scenario 4: A Conditional Access policy or unusual activity is preventing tenant access for all end customers and the Partner
- The end customer Global Administrator of the tenant can contact Microsoft for Support.
- For more information, see Find Microsoft 365 for business support phone numbers by country or region.
Scenario 5: Partner needs to create a Service Request on behalf of the Customer
- The Partner needs an active GDAP relationship that includes the Service Support Administrator role to create a Support Request on behalf of the Customer.
Scenario 6: Customer is unavailable in the Partner Center Portal
The GDAP partner is unable to see the end customer’s tenant in their Partner Center Dashboard.
- The Partner should check with the customer whether they accepted the reseller relationship link.
- If the Partner set up GDAP administration without a reseller relationship for the end customer, the Partner should check whether the customer accepted the GDAP relationship.
- The Partner should contact Partner Center Support.
Scenario 7: Domain dispute
Customer needs to add their domain to a tenant, but the domain is held in a different Microsoft 365 tenant.
- If the end customer or partner is unable to remove the domain from the current tenant, the customer or partner needs to submit a Support Request.
- The end customer Global Administrator should create a Support Request with Microsoft from the tenant where they're trying to add the domain. Or the Partner can open a Service Request from the end customer’s tenant where they're trying to add the domain, on behalf of the customer.