Hello Marthine Ruitenberg,
This is not a basic authentication issue. You’re stuck in an MFA method enforcement loop caused by Conditional Access / Security Defaults combined with the “Block weaker/legacy authentication prompts” setting.
Even though Microsoft Authenticator is registered, Entra ID is enforcing a stronger authentication requirement and is attempting to prompt for additional methods (phone/alternate). Because those prompts are blocked, the sign‑in can’t complete, resulting in a full admin lockout.
The message “we are not accepting new preview customers” is expected — the Per‑User MFA (Preview) blade is deprecated and no longer accepts new tenants. MFA is now enforced only via Security Defaults or Conditional Access, so this message is unrelated to the lockout.
Unfortunately, there is no self‑service recovery once all Global Admins are blocked and no break‑glass account exists. The only supported resolution is to forward this to the data protection team.
Once access is restored, Microsoft strongly recommends maintaining at least two break‑glass admin accounts excluded from MFA/CA to prevent this scenario in the future.
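The break-glass recommendation above can be checked mechanically. The following is an added example, not part of the original answer and not Microsoft tooling: it audits Conditional Access policies exported in the Microsoft Graph `conditionalAccessPolicy` JSON shape and reports every enforced policy that would still apply to a break-glass account. The account IDs, group ID, policy names and sample policies are constructed placeholders, and group membership is assumed to be supplied by the caller.

```python
import json

# Constructed sample in the shape of Microsoft Graph
# GET /identity/conditionalAccess/policies, trimmed to the fields read below.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"],
    "excludeUsers": ["bg-1-object-id"], "excludeGroups": ["bg-group-id"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Require MFA for admin roles", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["global-admin-role-id"],
    "excludeUsers": ["bg-1-object-id"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Block legacy auth (report-only)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}}
]""")

# Hypothetical placeholders: two break-glass accounts and one exclusion group.
BREAK_GLASS_IDS = ["bg-1-object-id", "bg-2-object-id"]
GROUP_MEMBERS = {"bg-group-id": {"bg-1-object-id", "bg-2-object-id"}}

def in_scope(users, account):
    """Conservative: role- or group-targeted policies are assumed to reach the account."""
    include = users.get("includeUsers", [])
    return ("All" in include or account in include
            or bool(users.get("includeRoles")) or bool(users.get("includeGroups")))

def is_excluded(users, account, group_members):
    """True if the account is excluded directly or through an excluded group."""
    if account in users.get("excludeUsers", []):
        return True
    return any(account in group_members.get(g, ())
               for g in users.get("excludeGroups", []))

def audit_break_glass(policies, accounts, group_members):
    """Map each enforced policy to the break-glass accounts it would still apply to."""
    gaps = {}
    for policy in policies:
        if policy.get("state") != "enabled":  # skip disabled and report-only policies
            continue
        users = policy.get("conditions", {}).get("users", {})
        exposed = [a for a in accounts
                   if in_scope(users, a) and not is_excluded(users, a, group_members)]
        if exposed:
            gaps[policy["displayName"]] = exposed
    return gaps

if __name__ == "__main__":
    for name, exposed in audit_break_glass(
            SAMPLE_POLICIES, BREAK_GLASS_IDS, GROUP_MEMBERS).items():
        print(f"{name}: not excluded -> {', '.join(exposed)}")
```

An empty result means every enforced policy in the export excludes both accounts; any entry names a policy that could lock out the listed account.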