Recently, I embarked on a personal project to move my family’s Microsoft 365 accounts to a new tenant. The reasons for this change stemmed from licensing and a forward-looking approach to tenant naming. Along the way, I encountered two significant challenges: custom domain DNS management and phishing-resistant MFA requirements for admin access. Here’s what happened and how I resolved it, so you can avoid similar pitfalls.

The Custom Domain Conundrum
During the migration, I reached the step of transferring identities and mailboxes to the new tenant. Confidently, I removed the custom domain from the old tenant, not realizing it was managed by Microsoft 365 DNS. To validate a custom domain for a new tenant, you must update DNS records—a step I couldn’t complete since the DNS was no longer under M365’s control.

This required reconfiguring DNS management at my domain registrar. Although the process only took a few hours, email delivery was at risk during the transition. The lesson here: double-check DNS management settings before removing a custom domain to avoid downtime and complications.

The MFA Lockout Fiasco
After resolving the domain issue, I turned my attention to securing the new tenant. While configuring conditional access policies, I inadvertently enforced phishing-resistant MFA for admin accounts without ensuring I had a compatible MFA method set up. The result? I locked myself out of the tenant entirely.

Despite extensive Googling and a support case with Microsoft, I had to find my own solution. Here’s what worked: using a Windows Hello-compatible webcam to enroll in Windows Hello for Business (facial recognition), which Entra ID counts as a phishing-resistant MFA method. My PC was already registered in Entra ID, so I logged in with the admin account, set up Windows Hello, and regained access to the admin portal. From there, I adjusted policies, added backup admin accounts, and implemented a balanced MFA setup.

Key Takeaways
If you face a similar lockout, here’s a step-by-step guide:

  1. Ensure your Windows PC is registered in Entra ID beforehand.
  2. Use a Windows Hello-compatible device (webcam, fingerprint reader, or hardware key).
  3. Log in with your admin account and set up a phishing-resistant MFA method.
  4. Log out and back in, then access the M365 admin portal to fix your conditional access policies.

If stricter policies prevent machine registration or login, this workaround won’t help. In such cases, Microsoft’s Data Protection Team is your best bet. Include detailed ticket information and request policy adjustments to regain access.
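The lockout above is avoidable if you confirm, before enabling the policy, that every admin account already has a phishing-resistant method registered. The following pre-flight check is an added example written for this post, not code from the original article; it assumes the Microsoft.Graph PowerShell module is installed and that the caller can read authentication methods and directory roles. The role list is an assumption you should adjust to whatever roles your policy will target.

```powershell
# Added example: check admins for a registered phishing-resistant method BEFORE enforcing the CA policy.
# Assumption: Microsoft.Graph module installed; caller has rights to read auth methods and role members.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All","RoleManagement.Read.Directory","Directory.Read.All"

# Method types Entra ID treats as phishing-resistant: FIDO2 security keys / passkeys,
# Windows Hello for Business, and certificate-based authentication.
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.x509CertificateAuthenticationMethod'
)

# Assumption: the directory roles your conditional access policy is about to cover.
$rolesToCheck = 'Global Administrator','Privileged Role Administrator','Conditional Access Administrator'

$report = foreach ($roleName in $rolesToCheck) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }   # role template never activated in this tenant
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Skip service principals and groups; only user accounts register auth methods.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        [pscustomobject]@{
            Role              = $roleName
            User              = $member.AdditionalProperties['userPrincipalName']
            PhishingResistant = [bool]($methods | Where-Object { $phishingResistant -contains $_ })
            Methods           = ($methods -replace '#microsoft.graph.','' -replace 'AuthenticationMethod','') -join ','
        }
    }
}

$report | Format-Table -AutoSize

# Anyone listed here would be locked out the moment the policy is enforced.
$unprotected = @($report | Where-Object { -not $_.PhishingResistant })
if ($unprotected.Count -gt 0) {
    Write-Warning "Do not enforce yet: $($unprotected.Count) admin account(s) have no phishing-resistant method registered."
} else {
    Write-Host "All checked admins can satisfy the policy. Roll it out in report-only mode first and exclude a break-glass account."
}
```

Run it again after each admin enrolls a method; the same report doubles as evidence that your backup admin accounts are also covered.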

Final Thoughts
This experience underscored the importance of preparation and redundancy. Backup admin accounts, balanced policies, and familiarity with advanced MFA options are crucial. By sharing my journey, I hope to help others avoid the same frustration and downtime I encountered. Good luck, and remember: mistakes are just opportunities to learn and improve!
