Locked Out of Microsoft 365 in the January Rush?
Lose access to Microsoft 365 during self-assessment season and your whole practice stops. Here is how lockouts happen, how slow recovery is, and how to prevent it.
- Microsoft 365
- Continuity
It is the last week of January. Your team is filing returns flat out, clients are emailing in a panic, and the deadline is hours away. Then the sign-in screen for Microsoft 365 stops co-operating. Email, shared client files, Teams chats and the documents you need to submit are all behind a login that will not let you in. The one person who can fix it is on annual leave, or has just swapped to a new phone and wiped the old one with the authenticator app still on it.
This is not a far-fetched scenario. It is one of the most disruptive things that can happen to a practice, and it tends to strike at the worst possible moment because that is when everyone is logging in from new devices, working late, and cutting corners.
How a Microsoft 365 lockout actually happens
Most practices run on Microsoft 365 for email, file storage and Teams. One or more accounts hold the Global Admin role, which is the keys to the whole tenant. The trouble starts when too few people hold those keys.
A typical chain of events looks like this:
- The practice has a single Global Admin, often the partner who first set everything up.
- That person uses an authenticator app on their phone as their second factor for sign-in.
- They get a new phone, restore it, and wipe the old one, but the authenticator does not carry over.
- Now the only account that can administer the tenant cannot pass multi-factor authentication.
When the sole Global Admin is blocked like this, there is no clever internal workaround. You cannot fix it from the settings or the admin portal, because reaching those areas needs the very sign-in that is failing. The account that could reset things is the account that is locked out.
It does not have to be a lost phone, either. The same dead end appears if your only admin leaves the firm, falls ill during the peak, or simply forgets which method they registered. The common factor is always the same: everything depended on one person, one device, one route in.
The realistic recovery path, and why it is slow
The good news is that you can get back in. The less good news is that it is rarely quick, and it is never something to be doing for the first time on deadline day.
Recovery means proving to Microsoft that you genuinely own the tenant, then asking the team that has the tools to reset your access. In practice that looks like:
- Phoning Microsoft business support directly rather than emailing. A clear phone call asking to be escalated to the team that can reset MFA after verifying ownership moves faster than a vague message.
- Having your evidence ready: company registration, billing records, domain verification and account history. The smoother you can prove ownership, the smoother the reset.
- As a fallback, some firms open a free trial tenant, sign in as its admin, and raise a support ticket from there explaining that the main tenant is locked.
The key point for a busy practice is timing. A generic email to support can sit unanswered for some time, and automated responses to vague requests are slower still. Even the phone route is measured in hours and days once you account for verification. None of that is a problem in a quiet week. In the last days of January, it can mean missed deadlines, unhappy clients and a very long evening.
This is why a lockout is not really an IT ticket. It is a business continuity issue, in the same family as a fire, a flood or a ransomware attack. The honest way to handle continuity is to prevent the outage, not to get good at recovering from it.
Prevention: treat this like a January risk, because it is
The fixes here are simple, cheap and mostly free. They just need doing before you need them. Think of this as part of the same planning you already do for the self-assessment peak.
Never rely on a single admin
Have at least two people who hold the Global Admin role, ideally a partner and one other trusted person. A three-person firm can do this just as easily as a twenty-person one. If one admin loses a phone or is away, the other can act immediately and you never touch Microsoft support at all.
Set up a break-glass account
A break-glass, or emergency, admin account is one you create, document carefully and then leave untouched for day-to-day work. Its credentials are stored securely and offline, and it exists purely so that someone can get in when normal accounts are blocked. Microsoft’s own guidance is to keep such an account available for exactly this kind of emergency. Set it up once, test it, and you have a safety net for the worst week of the year.
Register more than one way in for every admin
For each admin account, register several sign-in methods, not just one app on one phone. A backup phone number, a second authenticator and a security key all mean that losing a single device does not lock anyone out. Spend ten minutes reviewing this across the team and you remove the single most common cause of these lockouts.
Write down your recovery details
Keep a short, secure record of who your admins are, the recovery phone and email on each account, your tenant and domain details, and where your billing and company records live. Store it offline. If you ever do need to prove ownership to Microsoft, having this to hand turns a frantic scramble into a tidy phone call.
Tie it into your January planning
Most practices already prepare for the self-assessment peak: staff cover, client chasing, longer hours. Add IT continuity to that same checklist. A few weeks before the rush, confirm you have more than one admin, your break-glass account works, every admin has backup sign-in methods, and your recovery details are current.
It is the same instinct behind keeping good backups of your practice data and having a clear backup and disaster recovery plan. Access to your systems is just as much a part of resilience as the data itself, and the two go hand in hand when you move more of your practice into the cloud.
We see this often enough in North Wales practices that we build the safeguards in as standard as part of our managed IT support: more than one admin, a documented break-glass account, and recovery details kept current so nobody is ever one lost phone away from being shut out.
If you are not sure how your Microsoft 365 admin setup looks today, a free, no-obligation Practice IT Health Check will tell you exactly where you stand, well before January arrives.
Frequently asked questions
If our only admin is locked out, can we just reset it ourselves?
Usually not. When the sole Global Admin cannot pass MFA, there is no internal workaround through the portal or settings. Recovery means proving tenant ownership to Microsoft support, which takes time. The reliable fix is to have a second admin and an emergency account in place before it happens.
How long does it take to recover a locked Microsoft 365 tenant?
There is no guaranteed time. Phoning Microsoft business support and asking for the team that can reset MFA after verifying ownership is faster than a generic email, which can sit for weeks. Plan for days, not minutes, which is why prevention matters most during the January peak.
We are a small practice. Do we really need more than one admin?
Yes. Even a three-person firm should have at least two people who can administer Microsoft 365, plus a break-glass account. It costs nothing extra and means one person losing a phone or being on leave never takes your email and client files offline.
What recovery details should we record in advance?
Keep a record of who your Global Admins are, the recovery phone and email on each account, your tenant and domain details, and where billing and company records live. Store it securely offline so you can prove ownership quickly if you ever need to call Microsoft support.
Want this checked for your own practice?
Book a free Practice IT Health Check, a plain-English, no-obligation review of where your IT stands.
Book your free Health Check