In order to perform internal admin takeover of a Microsoft 365 tenant, you first need to determine if the tenant is unmanaged or managed. One good way to determine this is to navigate to register for Microsoft 365 trial, using the Microsoft PowerBI (https://powerbi.microsoft.com/en-us/getting-started-with-power-bi/), by using your company custom DNS record (customer.com). After you sign-up, when you first login, you should visit https://office.com and check the available applications at the top left hand corner of the Office portal. If the "Admin" application is available, this means that this tenant is an unmanaged tenant. If the "Admin" application is not available, this means that this tenant is a managed tenant.
Admin takeover for unmanaged tenants #
When a Microsoft 365 tenant is unmanaged this means that the tenant has been created by using a self-signup process and all tenant's users are non-administrator users. One example of the self-service signup example is for Microsoft 365 services for the education sector: https://www.microsoft.com/en-us/education/products/office.
First you will need to register for a free trial of Microsoft PowerBI (https://powerbi.microsoft.com/en-us/getting-started-with-power-bi/), by using your company custom DNS record (customer.com). After you sign-up, when you first login, you should visit https://office.com and check the available applications at the top left hand corner of the Office portal. If the "Admin" application is available, this means that this tenant is an unmanaged tenant. Click on the "Admin" icon and the internal admin takeover wizard will be initiated. This will guide you step-by-step to takeover the administration of this tenant and become the first admin. For this, you will need to have access to your email ([email protected]), where customer.com is your custom DNS domain inside Microsoft 365. You should also have administrative access to the custom DNS domain authoritative DNS server for the corresponding DNS zone. The wizard will ask you to create a DNS TXT record to verify custom domain ownership. By completing this wizard, you will have gained administrative access to the Microsoft 365 tenant.
Admin takeover for managed tenants #
When a Microsoft 365 tenant is managed this means that the tenant has not been created by using a self-signup process and some of the tenant's active users are administrator users. In this case you should contact one of the tenant's administrators to request that you are added to the tenant as a new administrator. If all global administrators have forgotten their passwords, they can first try to self-reset their password by using the "forgot my password" link in the Microsoft 365 login page (https://admin.microsoft.com). If they have not registered for self-service password reset (SSPR), then the only way to perform an internal admin takeover is to contact the Microsoft Support team. You should clarify from the beginning that SSPR is not possible and you should ask for the Administrator Password Reset official form to be sent to you to be filled-in with administrator user contact details. Then the Microsoft Support data protection team should contact you by phone and email to verify your identity and send an administrator password reset form to the designated administrator.
Sources #
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-admin-takeover
