Good to know. I'm only dealing with 7 M365 tenants regularly and we have "break glass" accounts in each one (not tied to Customer's SSO, MFA unrelated to other admins, email address outside the tenant) to try to minimize the possibility of getting locked out, but I know it's always a possibility.

Moving the MX for the domain and limping along from backups is my worst-case contingency but given that there's no place other than M365 to restore the backups to it isn't a very good strategy.