Disaster Recovery Plan - How to recover from an Azure AD Tenant Hijack?

StipsitsMatt-9952 25 Reputation points
2024-02-12T18:22:31.1733333+00:00

I'm working on setting up a disaster recovery plan for rare and emergency cases in which an Entra ID / Azure AD tenant has been completely hijacked by a malicious actor. This would be for cases in which a bad actor had compromised a global administrator account, removed all other global admins and is in total control of the tenant.

What, if any, are possible solutions provided by Microsoft to recover from such events? Is the only solution to rely on contacting Microsoft Support?


Accepted answer
  1. Marilee Turscak-MSFT 37,151 Reputation points Microsoft Employee
    2024-02-12T22:25:11.2833333+00:00

    Hi @StipsitsMatt-9952 ,

    Thanks for sharing this question! I'll answer this question in two parts - first with a preventative approach and second with a reactive approach.

    We have quite a bit of documentation that covers the preventative/proactive approach, and some of the best practices include:

    • Regularly documenting the state of your Microsoft Entra ID tenant and its objects.
    • Exporting audit logs to Microsoft Sentinel.
    • Using workbooks to track configuration changes.
    • Using a least-privilege model.
    • Using Azure Backup to create long-lived, read-only data snapshots for use in recovery.
    • Implementing geo-redundant storage or another form of data replication to create real-time or near-real-time copies of live data in multiple data store replicas, with minimal data loss in mind.
    • Using the Azure Site Recovery service to manage replication, failover, and failback.
    • Creating a break-glass global admin account for emergency access.

    References:

    Microsoft Entra ID Disaster Recovery best practices

    Disaster Recovery Overview

    Emergency access management

    Once the damage is already done though, in the scenario you described where all global admin accounts have been hijacked, your options are more limited like you said. Your best options would be to:

    • Call the Azure Data Protection team to get unlocked. Their phone number is 866-807-5850. You will need to prove your ownership of the tenant.
    • Contact the technical support team via phone support.

    The options are restrictive as a security measure. A malicious actor could be using social engineering to gain unauthorized access to an Entra ID tenant, so steps are put in place to validate the tenant's ownership and ensure that only the rightful owners have access.

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us and improve discoverability for others in the community who may be researching similar questions.

    2 people found this answer helpful.

2 additional answers

  1. Vincent Choy 5 Reputation points
    2025-03-10T08:11:37.9566667+00:00

    We have been looking at this seriously of late.

    The first solution is to prevent this from happening in the first place. Perhaps first start by not assigning Global Admins for everyday use.

    1. Set up a global admin with a FIDO token, keep it in a safe, and use it only when required.
    2. Set up role-based admins instead.
    3. Further refinement can be added with upgraded Entra ID plans, for example:
      1. PIM that only authorizes role-based admins on request, for a limited time.
      2. Risk-based conditional access.
      3. Admins use a dedicated hardened device when performing their roles.

    If a takeover happens, then typically the threat actors will remove all admins and alternative access. So any emergency access account, delegated admin, etc. will typically be disabled.

    In such a case you will need to contact the data protection team. Have their contact handy in your DR plans.

    Keep documented details of your Azure tenant information, such as Tenant ID, Global Administrators, licenses, configurations, subscription invoices, etc., to be able to show proof of ownership.

    Do note that a lockout can also occur under other circumstances, like a sole global admin or the MFA device not being available. In such a case an emergency access admin account authenticated via a FIDO key might come in handy.

    1 person found this answer helpful.
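Both the accepted answer ("regularly documenting the state of your tenant") and the answer above ("keep documented details ... to be able to show proof of ownership") come down to having a record of the tenant that lives outside the tenant before anything goes wrong. The script below is an added example of such a snapshot, written for this page and not taken from any answer, from Microsoft, or from the Microsoft.Graph project. It assumes the Microsoft.Graph PowerShell SDK is installed and that the account running it can consent to read-only Graph scopes; the output directory is a placeholder, and the Global Administrator role template ID it filters on is the well-known fixed value for that role.

```powershell
# Added example (not from the original thread): snapshot the tenant facts that a
# proof-of-ownership conversation with Microsoft is likely to ask for, so the
# record exists outside the tenant before any incident.
# Assumes: Microsoft.Graph SDK installed; caller can consent to read-only scopes.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement

param(
    # Placeholder path; store the result OUTSIDE the tenant (offline vault, printed copy).
    [string]$OutputDir = "C:\TenantEvidence"
)

# Read-only scopes are enough; this does not need (and should not use) a daily Global Admin session.
Connect-MgGraph -Scopes "Organization.Read.All","RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

$org = Get-MgOrganization | Select-Object -First 1

# Global Administrator role template ID (fixed across tenants). The activated role
# object can be absent in a brand-new tenant, so handle a null result.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"

$gaMembers = @()
if ($gaRole) {
    # Members come back as generic directory objects; the useful fields sit in AdditionalProperties.
    $gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
        ForEach-Object {
            [pscustomobject]@{
                Id                = $_.Id
                DisplayName       = $_.AdditionalProperties['displayName']
                UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
                ObjectType        = $_.AdditionalProperties['@odata.type']
            }
        }
}

# Licensed SKUs are something Microsoft can cross-check against billing records.
$skus = Get-MgSubscribedSku | Select-Object SkuPartNumber, SkuId, ConsumedUnits,
    @{ Name = 'EnabledUnits'; Expression = { $_.PrepaidUnits.Enabled } }

$snapshot = [ordered]@{
    CapturedUtc       = (Get-Date).ToUniversalTime().ToString("o")
    CapturedBy        = (Get-MgContext).Account
    TenantId          = $org.Id
    TenantDisplayName = $org.DisplayName
    CountryLetterCode = $org.CountryLetterCode
    VerifiedDomains   = @($org.VerifiedDomains | ForEach-Object { $_.Name })
    GlobalAdmins      = @($gaMembers)
    Licenses          = @($skus)
}

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$file = Join-Path $OutputDir ("tenant-snapshot-{0:yyyyMMdd-HHmm}.json" -f (Get-Date))
$snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $file -Encoding utf8

# Record a hash so a copy produced later can be shown to match the original.
$hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
Write-Host "Snapshot written to $file"
Write-Host "SHA256: $hash"

Disconnect-MgGraph | Out-Null
```

Run it on a schedule from an account that holds only read permissions, and keep the JSON and its hash somewhere the tenant cannot reach, for example alongside subscription invoices in an offline vault. If an attacker removes every admin, the snapshot still shows who held Global Administrator, which domains were verified, and which licenses were consumed at the time of capture, which is exactly the kind of detail the answers above say you will be asked to produce.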

  2. Colin Micallef 0 Reputation points
    2025-03-07T17:27:36.2733333+00:00

    This has happened to us, do you have a European contact that might help us to unlock our account?

