Because the account is protected by Microsoft Entra multifactor authentication and there is no longer access to the Microsoft Authenticator app or any alternative MFA method, the admin account cannot be recovered or changed from within the tenant itself. The official recovery path depends on whether there is another global administrator.
- Check if there is another global administrator
  - If any other global admin exists in the tenant, that admin can reset MFA for the locked-out admin:
    - Sign in to the Azure/Microsoft 365 portal as a global admin.
    - Open Microsoft Entra ID (Azure AD) and go to Users.
    - Select the locked-out admin account.
    - Open Authentication methods.
    - Select Require re-register multifactor authentication and save.
  - Next time the locked-out admin signs in, the portal will prompt to set up MFA again on the new phone.
- If there is no other global administrator (sole admin scenario)

  When the locked-out user is the only global admin, MFA reset must be handled by Microsoft’s Data Protection team via a support request. Forum moderators and normal support channels cannot directly change MFA or passwords for security reasons.

  Use these supported options:

  Option A – Call Microsoft global customer service (recommended)
  - Call the appropriate number listed under Customer service phone numbers - Microsoft Support.
  - When interacting with the IVR/agent, clearly state:
    - The issue is with Microsoft Authenticator / MFA.
    - The product is Office 365 / Microsoft 365 for business.
    - The account is a company (work) account, not education or personal.
    - The caller is the only global administrator for the tenant.
    - Access to Microsoft Authenticator was lost due to a phone change, and MFA reset is required.
  - Ask specifically to open a service request with the Data Protection / Tenant Recovery team for an admin MFA reset / tenant lockout.
  - Be prepared to provide verification such as:
    - Domain ownership (DNS or WHOIS details).
    - Billing/subscription information.
    - Tenant name and admin UPN.
    - Any other identity or business verification they request.

  Option B – Create a temporary trial tenant to open a ticket (fallback)

  If it is not possible to reach the correct support team directly by phone:
  - Sign up for a new Microsoft 365 trial tenant (separate from the locked tenant).
  - In that new tenant, go to the Microsoft 365 admin center and open Support → Help & support.
  - Create a support request explaining:
    - The new tenant is only for contacting support.
    - The real problem is a lockout from a different existing tenant where the caller is the only global admin.
  - Provide the locked tenant’s domain, admin UPN, and a clear description that an MFA reset / Data Protection escalation is needed.
  - Work with support as they escalate to the Data Protection team, who will verify ownership and help restore access.
- If another admin exists but is not available

  If there is technically another global admin (for example, a partner or reseller) but that admin cannot be reached, treat the case as a sole-admin lockout and follow the Data Protection route above. If the subscription was purchased via a partner, that partner’s support can also open a service request with Microsoft on behalf of the tenant.
- General notes and limitations
  - Microsoft support agents and community moderators cannot send verification codes, bypass MFA, or directly modify security info without going through the Data Protection process.
  - Having the domain, DNS, billing data, and credentials is helpful, but the MFA reset still must be processed by Microsoft’s protected support workflow.
  - Once the Data Protection team resets MFA or clears authentication methods, sign-in will prompt to register MFA again on the new phone (for example, by reconfiguring Microsoft Authenticator).