
What Happens When Admins Lock Themselves Out (An MSP Owner’s Perspective)

January 5, 2026 by Jaspreet Singh


As an MSP owner, I’ve dealt with ransomware alerts, failed backups, expired certificates, and late-night firewall outages. But some of the most painful incidents I respond to don’t involve attackers at all. They happen when admins lock themselves out of their own tenant. When this happens, the damage goes beyond technical issues. It affects operations, finances, and your reputation.

How Admin Lockouts Actually Happen (What I See in the Real World)

Almost every lockout starts with good intentions.

1. Conditional Access Rolled Out Too Fast

A common scenario I see:

  • “Let’s block risky countries.”
  • “Let’s require MFA for everyone.”
  • “Let’s apply it tenant-wide.”

One small mistake:

  • Policy applies to all users, including admins
  • No exclusions
  • No emergency access

Suddenly, no one can sign in, not even the people who are supposed to fix the problem.

2. MFA Changes Without Backup Options

Another frequent cause:

  • Admin gets a new phone
  • The Authenticator app isn’t migrated properly
  • SMS or backup methods were never configured

If every global admin depends on a single MFA method, one lost device can take down admin access entirely.

3. Legacy Authentication Disabled at the Wrong Time

Disabling legacy authentication is definitely the right move, but timing is important.

I’ve seen lockouts when:

  • Admin tools or scripts still rely on legacy auth
  • Service accounts weren’t updated
  • Policies were enforced immediately without testing

The result?

Admins lose access before they can correct the dependencies.
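One way to find those dependencies before enforcing the block, shown as an added example rather than tooling from this article: inventory legacy-auth sign-ins per account from exported sign-in logs. The records are constructed, the field names follow the Microsoft Graph signIn resource, and the legacy client list and the set of critical accounts are assumptions to adjust per tenant.

```python
# Constructed sign-in records, not from a real tenant. Field names follow the
# Microsoft Graph signIn resource; accounts and timestamps are placeholders.
SIGN_INS = [
    {"createdDateTime": "2026-01-02T08:14:00Z", "userPrincipalName": "admin@example.com",
     "clientAppUsed": "Browser"},
    {"createdDateTime": "2026-01-02T02:00:00Z", "userPrincipalName": "svc-backup@example.com",
     "clientAppUsed": "Authenticated SMTP"},
    {"createdDateTime": "2026-01-03T02:00:00Z", "userPrincipalName": "svc-backup@example.com",
     "clientAppUsed": "Authenticated SMTP"},
    {"createdDateTime": "2026-01-03T09:30:00Z", "userPrincipalName": "admin@example.com",
     "clientAppUsed": "Other clients"},
    {"createdDateTime": "2026-01-03T10:00:00Z", "userPrincipalName": "user1@example.com",
     "clientAppUsed": "IMAP4"},
]

# Assumption: clientAppUsed values this example treats as legacy authentication.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
# Hypothetical accounts that must keep working once the block is enforced.
CRITICAL = {"admin@example.com", "svc-backup@example.com"}


def legacy_dependencies(sign_ins, legacy_clients=LEGACY_CLIENTS):
    """Map account -> {client: [count, last_seen]} for legacy-auth sign-ins."""
    deps = {}
    for rec in sign_ins:
        client = rec.get("clientAppUsed")
        if client not in legacy_clients:
            continue
        upn = rec["userPrincipalName"].lower()
        entry = deps.setdefault(upn, {}).setdefault(client, [0, ""])
        entry[0] += 1
        entry[1] = max(entry[1], rec["createdDateTime"])  # ISO 8601 UTC sorts as text
    return deps


def enforcement_blockers(sign_ins, critical_accounts):
    """Critical accounts that would lose access if legacy auth were blocked today."""
    deps = legacy_dependencies(sign_ins)
    return {upn: deps[upn] for upn in sorted(critical_accounts) if upn in deps}


if __name__ == "__main__":
    for upn, clients in enforcement_blockers(SIGN_INS, CRITICAL).items():
        print(upn, clients)
```

An empty result for the critical accounts over a representative log window is the signal that the policy can move from testing to enforcement.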

4. “We Only Have One Global Admin.”

This one is more common than it should be. (Preventing Tenant Lockouts - Partner Center | Microsoft Learn, 2025) In smaller environments, I still see:

  • One global admin
  • Same account used daily
  • Same MFA method
  • No separation of roles

If that account gets locked, the business loses access to everything it needs.

What Actually Happens After an Admin Lockout

Here’s what the business actually goes through. This isn’t just theory; it’s what really happens:

  • ❌ Email admin controls are inaccessible
  • ❌ Security alerts piling up with no way to respond
  • ❌ License management frozen
  • ❌ User onboarding and offboarding stalled
  • ❌ External support escalations that cost time and money

In some cases, Microsoft support recovery can take days. During that time, the business is left in the dark. (Microsoft Professional Support (pay-per-incident): FAQ, 2024)

Why This Is Especially Dangerous for SMBs

Large enterprises usually have:

  • Multiple admin tiers
  • Dedicated identity teams
  • Formal change control

SMBs often don’t. 

Which means:

  • Fewer admins
  • Faster changes
  • Less testing
  • Higher blast radius

One lockout can impact the entire company. (Rabinovich, 2021)

How We Prevent This as an MSP

That’s why, for every tenant we manage, we have a few rules that we never skip:

  • At least two emergency access (break-glass) accounts
  • Admin accounts excluded from risky Conditional Access policies
  • Multiple MFA methods per admin
  • Clear separation between daily-use and admin-only accounts
  • Changes tested before global enforcement

These controls aren’t just optional extras.

They are essential for keeping the business running. (What to Do When Your Global Admin is Unable to Log In to the Tenant, 2025)
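The rules above, and the Conditional Access mistake described in section 1, can be checked mechanically before a change goes live. The following is an added example, not code from this article or from Microsoft: it lints exported policies for tenant-wide scope without break-glass exclusions. The sample policies are constructed, the field names follow the Microsoft Graph conditionalAccessPolicy resource, and every ID is a placeholder.

```python
import json

# Constructed sample input, not from a real tenant. Field names follow the
# Microsoft Graph conditionalAccessPolicy resource; every ID is a placeholder.
BREAK_GLASS_IDS = {"bg-user-1", "bg-user-2"}   # emergency access account object IDs
BREAK_GLASS_GROUP = "bg-group"                 # group holding only those accounts
POLICIES = json.loads("""[
 {"displayName": "Require MFA for everyone", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}}},
 {"displayName": "Block risky countries", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-user-1"], "excludeGroups": []}}},
 {"displayName": "Block legacy authentication", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": ["bg-group"]}}},
 {"displayName": "MFA for finance", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeGroups": ["finance-group"]}}}
]""")


def missing_exclusions(policy, break_glass_ids, break_glass_group=None):
    """Return the break-glass IDs a tenant-wide policy would still apply to."""
    users = policy.get("conditions", {}).get("users", {})
    if "All" not in (users.get("includeUsers") or []):
        return set()                      # not tenant-wide; out of scope for this check
    if break_glass_group and break_glass_group in (users.get("excludeGroups") or []):
        return set()                      # the whole emergency group is excluded
    return set(break_glass_ids) - set(users.get("excludeUsers") or [])


def lint(policies, break_glass_ids, break_glass_group=None):
    """Return (severity, policy name, reason) for each lockout risk found."""
    findings = []
    if len(break_glass_ids) < 2:
        findings.append(("HIGH", "(tenant)", "fewer than two emergency access accounts"))
    for p in policies:
        if p.get("state") == "disabled":
            continue
        missing = missing_exclusions(p, break_glass_ids, break_glass_group)
        if missing:
            # Enforced policies can lock admins out now; report-only ones will
            # do so as soon as someone switches them to "enabled".
            sev = "HIGH" if p["state"] == "enabled" else "WARN"
            findings.append((sev, p["displayName"],
                             "applies to All users, not excluded: " + ", ".join(sorted(missing))))
    return findings


if __name__ == "__main__":
    for finding in lint(POLICIES, BREAK_GLASS_IDS, BREAK_GLASS_GROUP):
        print(*finding, sep=" | ")
```

Group exclusions are only as good as the group's membership, so the check assumes the break-glass group contains exactly the emergency accounts.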

Final Thoughts (From Experience)

Admin lockouts rarely make the news, but they do cause real downtime. And the worst part?

They’re completely preventable. If your tenant doesn’t have emergency access accounts today, you aren’t truly secure. You could be just one policy change away from an outage. (Manage emergency access admin accounts - Microsoft Entra ID, 2024)

I write about real-world Microsoft 365 and security lessons from what I see every day while managing SMB environments at MSPinsights.ca. This isn’t theory; these are lessons learned from real experience. If this article made you uncomfortable, that’s a good thing.

It means you caught the risk before it caught you.


Jaspreet Singh is an MSP owner and the Founder & CEO of Accelerate IT Services Inc, writing practical, real-world IT and security insights at MSPinsights.ca.



References

(2025). Preventing Tenant Lockouts - Partner Center | Microsoft Learn. Microsoft Learn. https://learn.microsoft.com/en-us/partner-center/customers/gdap-preventing-tenant-lockouts

(2024). Microsoft Professional Support (pay-per-incident): FAQ. Microsoft Support. https://support.microsoft.com/en-au/topic/microsoft-professional-support-pay-per-incident-faq-575821bc-17bb-7484-4935-334c5437639f

Rabinovich, P. (2021). Guidance for Microsoft 365 Identity and Access Management. Gartner Research. https://www.gartner.com/en/documents/4009105-guidance-for-microsoft-365-identity-and-access-management

(2025). What to Do When Your Global Admin is Unable to Log In to the Tenant. SilverPC Blog. https://blog.silverpc.hu/2025/10/22/what-to-do-when-your-global-admin-is-unable-to-log-in-to-the-tenant/

(2024). Manage emergency access admin accounts - Microsoft Entra ID. Microsoft Learn. https://learn.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access
