Sole Global Admin Locked Out - Error AADSTS50020 - "User account does not exist in tenant 'Microsoft Services'"

Muhammad Junaid Ahmad 0 Reputation points
2026-05-11T09:38:09.24+00:00

Issue Summary: I am the sole owner and only administrator for my company. I have a Microsoft Partner account for publishing apps in the Microsoft Store. However, I am now locked out of my own admin permissions.

The Problem: When I attempt to log in to the Partner Center or Azure Portal with my email (******@geofathom.com), I am redirected to the "Microsoft Services" tenant (ID: f8cdef31-a31e-4b4a-93e4-5f571e91255a) instead of my company tenant.

I am receiving the following errors:

  • AADSTS50020: My account from identity provider 'live.com' does not exist in tenant 'Microsoft Services'.
  • AADSTS50058: A silent sign-in request was sent but no user is signed in.
  • The system tells me I "do not have the right" to manage user permissions, but there is no other admin in my company to grant them to me.

Environment Details:

  • Primary Email: ******@geofathom.com
  • Company Name: GEOFATHOM
  • Potential Admin Account: ******@onmicrosoft.com (I cannot access this account/password).

Request: As I am the sole Global Administrator, I am in a "Tenant Lockout" situation. I need this case escalated to the Data Protection Team to verify my domain ownership via DNS and restore my Global Admin rights to my primary account.

Microsoft Security | Microsoft Entra | Other

3 answers

  1. Muhammad Junaid Ahmad 0 Reputation points
    2026-05-11T12:53:28.9633333+00:00

    "Ensure that when prompted to choose an account, the work account (business/organizational) is selected rather than the personal Microsoft account, as described in the sign-in guidance for Partner Center accounts."

    But when I log in, the only option that comes up is this personal account.

    How can I start from the beginning so that this time I am very careful and don't select the personal account?

  2. Muhammad Junaid Ahmad 0 Reputation points
    2026-05-11T12:51:11.9833333+00:00

    "Ensure that when prompted to choose an account, the work account (business/organizational) is selected rather than the personal Microsoft account, as described in the sign-in guidance for Partner Center accounts."

    I remember that when I first logged in it asked, but the only option was this personal account. I was not able to continue until I selected the only option, which says this is a personal account.

  3. AI answer

    2026-05-11T09:39:01.17+00:00

    This scenario matches a tenant lockout where the only Global Administrator has lost access and sign-in is failing with AADSTS50020 due to being directed to the Microsoft Services tenant instead of the correct company tenant.

    Based on the provided guidance, resolution requires direct engagement with Microsoft Support and the Data Protection team; it cannot be fixed self-service when there is no other Global Administrator.

    Follow these steps:

    1. Confirm account/tenant context
      • Error AADSTS50020 indicates the account from identity provider live.com does not exist in the target tenant. This typically happens when a personal Microsoft account is being used where an organizational account is expected, or when sign-in is occurring against the wrong tenant.
      • Ensure that when prompted to choose an account, the work account (business/organizational) is selected rather than the personal Microsoft account, as described in the sign-in guidance for Partner Center accounts.
    2. Treat this as a tenant lockout with a sole Global Admin
      • This is explicitly a “tenant lockout” scenario where all Global Administrators (in this case, a single one) have lost access due to sign-in/MFA/account issues.
      • In such cases, Microsoft’s Data Protection team is the only channel that can verify identity and restore access when no other Global Admin exists.
    3. Contact Microsoft Data Protection / Microsoft 365 or Azure support by phone
      • Use the regional phone numbers listed under Microsoft 365 for business support to reach Microsoft support: see “Find Microsoft 365 for business support phone numbers by country or region”.
      • When calling, clearly state:
        • This is a tenant lockout.
        • There is only one Global Administrator.
        • The admin is locked out and cannot access the tenant or Partner Center.
        • The account is being redirected to the Microsoft Services tenant and failing with AADSTS50020.
      • Ask the frontline agent to create a service request and route it to the Microsoft 365/Azure Data Protection team (also referred to as Tenant Recovery/Data Protection) for admin account recovery.
      • Be prepared to verify ownership (for example, via domain/DNS verification and business documentation) as part of the Data Protection team’s process.
    4. If direct phone routing is difficult, use a temporary tenant to open a ticket
      • If unable to reach the correct support path directly, create a new trial Microsoft 365 or Azure tenant (separate from the locked tenant) as described in the guidance:
        • Sign up for a trial subscription and complete tenant creation.
        • Sign in to the new tenant’s admin center.
        • Open a support ticket from that tenant and explicitly state that the issue concerns a different, existing tenant where the sole Global Admin is locked out.
      • In the ticket, provide:
        • The locked tenant’s primary domain (e.g., geofathom.com) and any onmicrosoft.com name.
        • The Global Admin username(s) for the locked tenant.
        • The exact error codes (AADSTS50020, AADSTS50058) and that sign-in is being redirected to the Microsoft Services tenant.
        • Confirmation that there is no other Global Admin.
      • Request escalation to the Data Protection team for tenant lockout recovery.
    5. If the issue is also tied to Partner Center / Microsoft AI Cloud Partner Program
      • For Partner Center sign-in issues where the only Global Admin is locked out, the same Data Protection process applies. The Partner Center documentation explicitly points to contacting the Azure or Microsoft 365 Data Protection team when the only Global Admin cannot sign in.
    6. After recovery: prevent future lockouts
      Once access is restored, follow the tenant lockout prevention guidance:
      • Ensure at least two Global Admin accounts with different credentials and MFA methods.
      • Create emergency “break-glass” accounts excluded from Conditional Access policies and with strong passwords.
      • Configure and test Self-Service Password Reset (SSPR) and document recovery procedures.

    These steps align with the documented process for sole-admin tenant lockouts and ensure the case is correctly escalated to the Data Protection team for verification and restoration of Global Admin rights.


    AI-generated content may be incorrect. Read our transparency notes for more information.
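
An added example, not part of the answers above or of any Microsoft tooling: a check for the prevention items in step 6 (at least two Global Administrators, break-glass accounts excluded from Conditional Access), run over constructed data shaped like Microsoft Graph role-member and conditional access policy JSON. The function name, sample IDs and group-membership map are assumptions; nested groups and `excludeRoles` are not evaluated.

```python
# Added example: lockout-prevention audit over exported Microsoft Graph JSON.
# All IDs and names below are constructed sample data, not values from the page.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template ID

def audit_lockout_risk(role_members, ca_policies, break_glass_ids, group_members=None):
    """Return findings (strings); an empty list means every check passed."""
    group_members = group_members or {}
    findings = []
    admins = {m["id"] for m in role_members}
    if len(admins) < 2:
        findings.append(f"only {len(admins)} Global Administrator(s); at least 2 required")
    for uid in sorted(set(break_glass_ids) - admins):
        findings.append(f"break-glass {uid} does not hold Global Administrator")

    def expand(users, key_users, key_groups):
        # Direct user IDs plus members of listed groups (one level, no nesting).
        ids = set(users.get(key_users, []))
        for gid in users.get(key_groups, []):
            ids |= set(group_members.get(gid, ()))
        return ids

    for policy in ca_policies:
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies do not block sign-in
        users = policy.get("conditions", {}).get("users", {})
        included = expand(users, "includeUsers", "includeGroups")
        excluded = expand(users, "excludeUsers", "excludeGroups")
        by_role = GLOBAL_ADMIN_TEMPLATE_ID in users.get("includeRoles", [])
        for uid in sorted(break_glass_ids):
            targeted = "All" in included or uid in included or (by_role and uid in admins)
            if targeted and uid not in excluded:
                findings.append(f"policy '{policy['displayName']}' applies to break-glass {uid}")
    return findings

# Constructed sample: one admin, one break-glass account, three policies.
SAMPLE_MEMBERS = [{"id": "u-admin-1", "userPrincipalName": "admin@example.onmicrosoft.com"}]
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["g-emergency"]}}},
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"displayName": "Pilot policy", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_TEMPLATE_ID]}}},
]
SAMPLE_GROUPS = {"g-emergency": ["u-bg-1"]}

if __name__ == "__main__":
    for finding in audit_lockout_risk(SAMPLE_MEMBERS, SAMPLE_POLICIES, ["u-bg-1"], SAMPLE_GROUPS):
        print(finding)
```

On the sample data the audit reports the single-admin condition, the break-glass account lacking the role, and the one enforced policy that still applies to it; the report-only policy is ignored.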

