Hi @StipsitsMatt-9952 ,
Thanks for sharing this question! I'll answer this question in two parts - first with a preventative approach and second with a reactive approach.
We have quite a bit of documentation that covers the preventative/proactive approach, and some of the best practices include:
- Regularly documenting the state of your Microsoft Entra ID tenant and its objects.
- Exporting audit logs to Microsoft Sentinel.
- Using workbooks to track configuration changes.
- Using a least privilege model.
- Using Azure Backup to create long-lived, read-only data snapshots for use in recovery.
- Implementing geo-redundant storage or another form of data replication to create real-time or near-real-time copies of live data in multiple data store replicas with minimal data loss in mind.
- Using the Azure Site Recovery service to manage replication, failover, and failback.
- Creating a break-glass global admin account for emergency access.
References:
Microsoft Entra ID Disaster Recovery best practices
Once the damage is already done though, in the scenario you described where all global admin accounts have been hijacked, your options are more limited like you said. Your best options would be to:
- Call the Azure Data Protection team to get unlocked. Their phone number is 866-807-5850. You will need to prove your ownership of the tenant.
- Contact the technical support team via phone support.
The options are restrictive as a security measure. Social engineering could be occurring by a malicious actor to gain unauthorized access to an Entra ID tenant, so steps are put in place to validate the tenant's ownership and ensure that only the rightful owners have access.
Let me know if this helps and if you have further questions.
If the information helped you, please Accept the answer. This will help us and improve discoverability for others in the community who may be researching similar questions.
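As an added illustration of the "export audit logs" and "track configuration changes" practices in the answer above (example code, not from the original answer or from Microsoft): a small detector that walks exported Entra ID audit records and flags the two changes a defender most wants to see before a global-admin takeover completes, namely additions to or removals from privileged directory roles, and any activity that touches the break-glass account. The record layout (`activityDisplayName`, `category`, `initiatedBy`, `targetUser`, `role`), the role names treated as privileged, and the `breakglass@contoso.example` account are assumptions for this example; the sample records are constructed, not real tenant data.

```python
"""Flag privileged-role changes and break-glass activity in exported audit records.

Added example. Field names are an assumption about the shape of exported
Entra ID audit entries, not a documented schema; the records below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Roles whose membership changes should always be reviewed (assumed list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Hypothetical break-glass account; replace with your own emergency-access account.
BREAK_GLASS_ACCOUNTS = {"breakglass@contoso.example"}

# Constructed sample records (not captured data).
SAMPLE_RECORDS = [
    {"activityDisplayName": "Add member to role", "category": "RoleManagement",
     "initiatedBy": "admin1@contoso.example", "targetUser": "eve@contoso.example",
     "role": "Global Administrator"},
    {"activityDisplayName": "Add member to role", "category": "RoleManagement",
     "initiatedBy": "admin1@contoso.example", "targetUser": "bob@contoso.example",
     "role": "Reports Reader"},
    {"activityDisplayName": "Remove member from role", "category": "RoleManagement",
     "initiatedBy": "eve@contoso.example", "targetUser": "admin2@contoso.example",
     "role": "Global Administrator"},
    {"activityDisplayName": "Reset user password", "category": "UserManagement",
     "initiatedBy": "eve@contoso.example", "targetUser": "breakglass@contoso.example",
     "role": None},
    {"activityDisplayName": "Update user", "category": "UserManagement",
     "initiatedBy": "admin1@contoso.example", "targetUser": "bob@contoso.example",
     "role": None},
]


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    initiated_by: str
    target: str


def evaluate(record: dict) -> Optional[Alert]:
    """Return an Alert for a single audit record, or None if it is routine."""
    activity = record.get("activityDisplayName", "")
    target = record.get("targetUser", "")
    actor = record.get("initiatedBy", "")
    role = record.get("role")

    # The break-glass account should almost never be modified; any touch is high severity.
    if target in BREAK_GLASS_ACCOUNTS:
        return Alert("high", f"break-glass account touched: {activity}", actor, target)

    if record.get("category") == "RoleManagement" and role in PRIVILEGED_ROLES:
        if activity == "Add member to role":
            # A new privileged admin appearing is the classic takeover precursor.
            return Alert("high", f"added to {role}", actor, target)
        if activity == "Remove member from role":
            # Removing existing admins can be an attacker locking out the rightful owners.
            return Alert("medium", f"removed from {role}", actor, target)
    return None


def scan(records: list) -> list:
    """Evaluate every record and keep only the ones that produced an alert."""
    return [a for a in (evaluate(r) for r in records) if a is not None]


def summarize(alerts: list) -> dict:
    """Count alerts per severity, e.g. {'high': 2, 'medium': 1}."""
    counts: dict = {}
    for alert in alerts:
        counts[alert.severity] = counts.get(alert.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_RECORDS)
    for alert in found:
        print(f"[{alert.severity}] {alert.reason}: {alert.initiated_by} -> {alert.target}")
    print(summarize(found))
```

In a real deployment the same rules would be expressed as a Sentinel analytics rule over the exported audit table rather than in Python; the point of the script is that the signal to watch is cheap to define once the logs are exported somewhere the attacker cannot delete them.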