![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 43%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Because the account is a global admin and the only registered MFA method (Microsoft Authenticator on the old phone) is no longer available, the reset path depends on whether there is any other global admin in the tenant.
- If there is another global admin in the tenant
- That admin signs in to the Azure portal and opens Microsoft Entra ID.
- Go to Users → select the locked-out admin account.
- Open Authentication methods.
- Select Require re-register multifactor authentication.
- Next time the locked-out admin signs in, the sign-in flow will prompt to set up MFA again on the new phone (scan QR code in Microsoft Authenticator, etc.).
- If there is no other global admin (you are the only one)
In this case, only Microsoft’s Data Protection / Tenant Recovery process can restore access. Forum moderators or normal support agents cannot directly change MFA for the account. Use one of these supported options: Option A – Call Microsoft Data Protection via global support phone
- Call the appropriate number from Customer service phone numbers - Microsoft Support.
- When the IVR asks what the problem is, clearly indicate it is an Authenticator / MFA issue for Office 365 for business.
- When asked:
- Product: “Office 365 for business” (or Microsoft 365 for business).
- Account type: “Company account.”
- Are you an administrator?: “Yes.”
- Are there any other administrators?: “No.”
- Do you need a service request?: “Yes – I need the Data Protection team to help with admin MFA reset / tenant recovery.”
- The frontline agent should create a ticket and route it to the Microsoft 365 / Azure Data Protection team.
- The Data Protection team will verify identity and ownership of the tenant and then reset the admin’s MFA registration so a new device can be enrolled.
- Sign up for a new Microsoft 365 trial tenant (any business/enterprise trial).
- In that new tenant, go to the Microsoft 365 Admin Center → Support → Help & support.
- Open a support ticket explicitly stating:
- You are locked out of a different, existing tenant (
firmfoundationedu.onmicrosoft.com). - You are the only global admin.
- MFA is enforced and only Microsoft Authenticator was configured on a lost/changed phone.
- You need the Data Protection team to reset MFA for the global admin account on that original tenant.
- You are locked out of a different, existing tenant (
- Work with support/Data Protection as they verify identity and perform the MFA reset.
- After recovery, cancel the trial tenant to avoid charges.
Once Data Protection or another global admin has required MFA re-registration, sign in again with the global admin account; the sign-in flow will bypass the old Authenticator and instead prompt to configure Microsoft Authenticator on the new phone (or another MFA method).
References:
- You don't receive a text or voice call that contains the verification code for Microsoft Entra multifactor authentication
- Troubleshoot sign-in issues and account access problems
- Global Admin Locked out - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
- Use a screen reader to set up and troubleshoot multifactor authentication