[{"data":1,"prerenderedAt":126},["ShallowReactive",2],{"article-slug-microsoft-365-tenant-lockout-after-unauthorized-admin-removal":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":29,"sources":30,"events":43,"mitre_techniques":47,"mitre_mitigations":59,"d3fend_countermeasures":73,"iocs":84,"cyber_observables":85,"tags":102,"extract_datetime":108,"article_type":109,"impact_scope":110,"pub_date":40,"reading_time_minutes":125,"createdAt":108,"updatedAt":108},"ee9033d1-6155-427b-a9e0-e7cc5eed8130","microsoft-365-tenant-lockout-after-unauthorized-admin-removal","Microsoft 365 Admins Locked Out of Tenant After Attacker Removes All Global Admin Roles","Business-Critical Incident: Attacker Achieves Tenant Lockout by Removing All Microsoft 365 Global Administrators","An organization has reported a 'business-critical security incident' after a malicious actor gained access to their Microsoft 365 tenant and systematically removed the 'Global Administrator' role from all assigned user accounts. This action resulted in a complete administrative lockout, preventing legitimate administrators from accessing the Microsoft 365 Admin Center and Microsoft Entra ID. The attack highlights a potent technique where attackers, after compromising a single privileged account, can cement their control and prevent remediation by decapitating the tenant's administrative structure. The organization is now reliant on Microsoft's Data Protection team to verify ownership and restore access.","## Executive Summary\nAn organization has suffered a complete administrative lockout from its **[Microsoft 365](https://docs.microsoft.com/en-us/microsoft-365)** tenant after a threat actor compromised an administrative account and then maliciously removed the 'Global Administrator' role from all other privileged users. 
This devastating attack left the organization's IT staff unable to access critical management portals, including the Microsoft 365 Admin Center and **[Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/microsoft-entra)**. The incident, described by the victim as a \"business-critical security incident,\" effectively paralyzes identity management, security, and compliance functions. This scenario, known as a 'tenant lockout,' is a worst-case scenario for cloud administrators and underscores the critical need for emergency access controls and robust monitoring of privileged role assignments.\n\n## Threat Overview\nThe attack is a simple but highly effective method for an attacker to escalate and maintain control after an initial compromise.\n\n**Attack Chain:**\n1.  **Initial Compromise:** The attacker first gains access to a single account with the Global Administrator role. This is typically achieved through phishing, password spraying, or exploiting the lack of Multi-Factor Authentication (MFA).\n2.  **Privilege Escalation / Defense Evasion:** The attacker logs into the Microsoft Entra ID portal.\n3.  **Execution:** The attacker navigates to the 'Roles and administrators' section and systematically removes the Global Administrator role assignment from every other user account, including the one they originally compromised to cover their tracks.\n4.  **Impact:** The organization is now completely locked out. No legitimate user has the permissions necessary to manage the tenant, reset passwords, or restore the removed roles. The attacker may retain access through a backdoor account they created or may simply leave the organization in a state of chaos.\n\nThe organization's only recourse is to contact the Microsoft Data Protection team via phone, a process that involves a lengthy identity and tenant ownership verification procedure before access can be restored.\n\n## Technical Analysis\nThis attack abuses legitimate administrative functionality. 
The key TTPs are:\n- **Valid Accounts: Cloud Accounts:** [`T1078.004 - Cloud Accounts`](https://attack.mitre.org/techniques/T1078/004/) - The entire attack hinges on first obtaining access to a legitimate Global Admin account.\n- **Cloud Administration Command:** [`T1098.001 - Cloud Administration Command`](https://attack.mitre.org/techniques/T1098/001/) - The attacker uses standard Entra ID portal functions or PowerShell commands (`Remove-MsolRoleMember` or similar) to modify role assignments.\n- **Impair Defenses: Disable or Modify Tools:** [`T1562.001 - Disable or Modify Tools`](https://attack.mitre.org/techniques/T1562/001/) - By removing all other administrators, the attacker is impairing the organization's primary defensive tool: its own IT staff.\n\n## Impact Assessment\n- **Business Paralysis:** Without administrative access, the organization cannot manage user accounts, respond to security alerts, configure applications, or manage compliance. Business operations can grind to a halt.\n- **Significant Downtime:** The process of regaining access through Microsoft support can be slow and arduous, leading to extended periods of administrative downtime and lost productivity.\n- **High Risk of Further Damage:** During the lockout period, the attacker may have free rein within the tenant to exfiltrate data, deploy malware via SharePoint, or send phishing emails from trusted internal accounts.\n- **Loss of Confidence:** Such an incident severely undermines confidence in the IT department's ability to secure critical cloud infrastructure.\n\n## Cyber Observables for Detection\nDetection must be real-time, as the attack can be executed in minutes.\n| Type | Value | Description |\n|---|---|---|\n| log_source | Microsoft Entra ID Audit Logs | The critical log event is `Remove member from role`. Monitor for this action, especially when it targets the 'Global Administrator' role. 
|\n| event_id | `Directory-Role-Member-Removed` | This is the specific activity name in the audit logs that corresponds to the malicious action. |\n| user_account_pattern | Anomalous login to a Global Admin account | A Global Admin account logging in from an unfamiliar IP, country, or device is a precursor and a critical alert. |\n\n## Detection & Response\n- **D3FEND: Domain Account Monitoring:** This is the most critical defense. Configure a high-priority, non-ignorable alert in your SIEM or Microsoft Sentinel that triggers *immediately* whenever a member is removed from the Global Administrator role. The alert should be sent to multiple people via multiple channels (email, SMS, Teams). This is a direct application of [`D3-DAM: Domain Account Monitoring`](https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring).\n- **Real-Time Alerts:** Entra ID directory role changes land in the Sentinel `AuditLogs` table (not `AzureActivity`, which holds Azure Resource Manager operations), so the alert rule should be something like: `AuditLogs | where Category == 'RoleManagement' and OperationName == 'Remove member from role' and TargetResources has '62e90394-69f5-4237-9190-012177145e10'`. The GUID is the Global Administrator role template ID, so this rule specifically targets the removal of the Global Admin role.\n- **Automated Response:** If possible, use a SOAR playbook to respond to the alert by attempting to re-add the user to the role or by temporarily disabling the account that performed the action.\n\n## Mitigation\n> **CRITICAL MITIGATION:** Implement Emergency Access or 'Break-Glass' accounts.\n\n- **Break-Glass Accounts:** Create two or more emergency access accounts that are excluded from all standard policies (like MFA requirements, conditional access). These accounts should have the Global Administrator role. Their credentials should be extremely complex and stored securely offline (e.g., in a physical safe). They are to be used *only* in an emergency, like this lockout scenario. 
This is the single most important mitigation and is a core part of [`M1026 - Privileged Account Management`](https://attack.mitre.org/mitigations/M1026/).\n- **Enforce MFA on All Admins:** All standard administrative accounts (and all users) must have phishing-resistant MFA enforced. This would have likely prevented the initial compromise.\n- **Privileged Identity Management (PIM):** Use Microsoft Entra ID PIM. This feature ensures that administrators do not have standing, persistent access. They must request and justify temporary elevation to the Global Admin role (Just-In-Time access), which is logged and can require approval. This dramatically reduces the window of opportunity for an attacker.\n- **Limit Number of Global Admins:** Adhere to the principle of least privilege. Most administrators do not need standing Global Admin rights. Use more granular roles (e.g., Exchange Admin, Teams Admin) for daily tasks and keep the number of Global Admins to a bare minimum (e.g., 2-4 plus break-glass accounts).","🔒 Tenant Lockout! Attacker compromises a Microsoft 365 admin account, then removes ALL other Global Admins, locking the org out of its own tenant. A critical reminder to use break-glass accounts & PIM. 
#Microsoft365 #EntraID #CyberAttack","An organization reports a complete Microsoft 365 tenant lockout after a malicious actor compromised an admin account and removed all Global Administrator role assignments, highlighting the need for break-glass accounts.",[13,14,15],"Security Operations","Cyberattack","Cloud Security","critical",[18,22,25],{"name":19,"type":20,"url":21},"Microsoft 365","product","https://www.microsoft.com/en-us/microsoft-365",{"name":23,"type":20,"url":24},"Microsoft Entra ID","https://www.microsoft.com/en-us/security/business/microsoft-entra",{"name":26,"type":27,"url":28},"Microsoft","vendor","https://www.microsoft.com/security",[],[31,37],{"url":32,"title":33,"date":34,"friendly_name":35,"website":36},"https://learn.microsoft.com/en-us/answers/questions/1709403/security-incident-global-administrator-access-com","Security Incident – Global Administrator Access Compromised / Removed","2026-04-13","Microsoft Learn","learn.microsoft.com",{"url":38,"title":39,"date":40,"friendly_name":41,"website":42},"https://www.bleepingcomputer.com/news/microsoft/microsoft-365-admins-locked-out-of-tenants-after-all-global-admins-removed/","Microsoft 365 admins locked out of tenants after all Global Admins removed","2026-04-14","BleepingComputer","bleepingcomputer.com",[44],{"datetime":45,"summary":46},"2026-04-13T00:00:00Z","User reports the tenant lockout incident on a Microsoft technical support forum.",[48,52,56],{"id":49,"name":50,"tactic":51},"T1078.004","Valid Accounts: Cloud Accounts","Initial Access",{"id":53,"name":54,"tactic":55},"T1098.001","Cloud Administration Command","Defense Evasion",{"id":57,"name":58,"tactic":55},"T1562.001","Disable or Modify Tools",[60,65,69],{"id":61,"name":62,"description":63,"domain":64},"M1026","Privileged Account Management","Implement emergency access ('break-glass') accounts and use Privileged Identity Management (PIM) for just-in-time 
access.","enterprise",{"id":66,"name":67,"description":68,"domain":64},"M1032","Multi-factor Authentication","Enforce phishing-resistant MFA on all administrative accounts to prevent the initial compromise.",{"id":70,"name":71,"description":72,"domain":64},"M1047","Audit","Configure and monitor high-priority, real-time alerts for any changes to Global Administrator role assignments.",[74,79],{"technique_id":75,"technique_name":76,"url":77,"recommendation":78,"mitre_mitigation_id":70},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring","To prevent a tenant lockout, real-time Domain Account Monitoring is non-negotiable. Organizations must configure a high-severity, real-time alert in their SIEM (like Microsoft Sentinel) that triggers the instant a user is removed from the 'Global Administrator' role in Microsoft Entra ID. This is not a routine event and should be treated as a critical security incident until proven otherwise. The alert should not just be an email; it should trigger multiple notification channels (SMS, phone calls, dedicated Teams/Slack channel) to a distribution list of security personnel and IT leadership. This ensures that even if the attack happens at 3 AM, key personnel are woken up and can respond immediately. The alert provides the crucial, time-sensitive signal needed to intervene before an attacker can remove all admins and achieve a full lockout.",{"technique_id":80,"technique_name":81,"url":82,"recommendation":83,"mitre_mitigation_id":61},"D3-PIM","Privileged Identity Management","https://d3fend.mitre.org/technique/d3f:PrivilegedIdentityManagement","The most effective proactive control against this attack is implementing Microsoft Entra Privileged Identity Management (PIM). PIM shifts from a model of 'standing access' to 'just-in-time' (JIT) access. Instead of having accounts that are always Global Admins, administrators are made 'eligible' for the role. 
To become a Global Admin, they must go through an activation process in PIM, which can require providing a justification, getting approval from another manager, and passing an MFA challenge. The role is then granted only for a limited time (e.g., 4 hours). This dramatically shrinks the window of opportunity for an attacker. If they compromise an account, it likely won't have standing Global Admin rights. And if they try to activate PIM, it creates a clear, auditable trail and can be subject to an approval workflow, giving defenders a chance to stop the attack before it even starts.",[],[86,92,97],{"type":87,"value":88,"description":89,"context":90,"confidence":91},"log_source","Microsoft Entra ID Audit Logs","The primary source for detecting this activity. Specifically, filtering for 'Remove member from role' operations.","Microsoft Sentinel, Azure Monitor, SIEM","high",{"type":93,"value":94,"description":95,"context":96,"confidence":91},"event_id","Directory-Role-Member-Removed","The specific activity name in Entra ID audit logs to monitor. An alert should fire if this activity targets the Global Administrator role.","SIEM alert rule",{"type":98,"value":99,"description":100,"context":101,"confidence":91},"other","Anomalous sign-in to a Global Admin account","A sign-in to a highly privileged account from a non-corporate IP, unfamiliar location, or using a non-compliant device is a critical precursor event that must be investigated.","Entra ID Identity Protection, SIEM",[19,103,104,105,15,106,107],"Entra ID","Azure AD","Tenant Lockout","Incident Response","Global Administrator","2026-04-14T15:00:00.000Z","NewsArticle",{"geographic_scope":111,"industries_affected":112},"global",[113,114,115,116,117,118,119,120,121,122,123,124],"Healthcare","Finance","Energy","Government","Technology","Manufacturing","Retail","Education","Transportation","Telecommunications","Critical Infrastructure","Defense",7,1776260635346]