![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 32%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
The account is in an MFA “loop” because Microsoft Entra multifactor authentication is requiring Microsoft Authenticator, but that method is not completing successfully and there is no alternative method available. As the sole admin, self-service recovery is not possible; this must be reset by Microsoft support/Data Protection.
Use these steps depending on the situation:
- Check for any alternative verification methods
- If any other method (SMS, phone call, another Authenticator account, office phone) was configured, use it:
- On the sign-in page, when prompted for the code/approval, choose “Sign in another way” and select a different method if it appears.
- If an alternative method works, sign in and update MFA methods (add Microsoft Authenticator again, and add at least one backup method).
- If there is no “Sign in another way” link, there are no usable backup methods configured. Proceed to step 2.
- If an IT admin exists in the tenant (other than this account)
- Another global admin can reset MFA for the affected user in Microsoft Entra:
- Go to Microsoft Entra Admin Center → Users → All users → select the user.
- Open Authentication methods and choose Require re-register multifactor authentication.
- After this, the next sign-in will prompt to set up MFA again (scan QR code in Microsoft Authenticator, then add a backup method such as phone or SMS).
- If this is the only admin account (sole proprietor tenant)
- Microsoft’s Data Protection team must reset the admin’s MFA.
- Call Microsoft’s global customer service phone numbers (commercial support) and have a frontline agent open a ticket to the Data Protection team:
- When the IVR asks what the problem is, answer “Authenticator” or “lost access to Authenticator”.
- When asked what product, answer “Office 365 for business” / Microsoft 365 for business.
- Confirm it is a company account and that this account is the only administrator.
- Confirm that a service request is needed and ask to be routed to the Data Protection team to reset admin MFA.
- Data Protection will verify identity and then reset or re-register MFA for the admin account so that sign-in can complete and new methods can be configured.
- If support is hard to reach
- If phone support cannot be reached or keeps routing incorrectly, create a temporary Microsoft 365 trial tenant:
- Sign up for a Microsoft 365 trial (business/enterprise) to create a new tenant.
- Sign in to the Microsoft 365 Admin Center of this new tenant.
- Use Help & support to open a ticket and clearly state:
- This is a temporary tenant.
- The real tenant (with the custom domain) is locked because the only global admin is stuck in an Authenticator MFA loop.
- Provide the locked tenant’s domain and admin UPN, and request escalation to the Data Protection team to reset MFA on that tenant.
- After the original tenant is recovered, cancel the trial to avoid charges.
- Future prevention
- Once access is restored:
- Add multiple MFA methods (Microsoft Authenticator, SMS, phone call, possibly a second device).
- Ensure at least one additional global admin account or a “break-glass” account is configured with different MFA.
- Avoid deleting the Authenticator app or accounts; MFA apps must remain installed as long as access is required.
These are the supported paths to break the MFA loop when the sole admin is locked out; there is no self-service bypass for a business tenant in this state.
References:
- Frequently asked questions about Microsoft Entra multifactor authentication
- Use a screen reader to set up and troubleshoot multifactor authentication
- Common problems with two-step verification for a work or school account
- How to add your accounts to Microsoft Authenticator
- Troubleshoot problems with Microsoft Authenticator
- I cant log in to my business account because it is requiring Authenticator app which I do not have - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- How Do I Regain Access to My Account After Losing Access to Microsoft Authenticator? (Urgent Request). - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
- Microsoft Curate - Troubleshoot Multi-Factor Authentication (MFA)