I am the only global admin for my MS365 account. I lost access to my Microsoft Authenticator app because I changed phones without realizing that the MFA was linked to the device, not the app. I have no backup MFA methods. I am locked out and need an MFA reset for the global admin account. Every time I log in, the only options are to use Microsoft Authenticator. I am in this constant loop which has no solution. I need a reset.

I do not have a second Global Admin or break-glass account in the tenant, so I cannot reset the authentication methods myself.

Could you please advise on how to reset or remove MFA for a Global Admin when the Authenticator app is lost and no other MFA method exists?

I can provide all details. I have security phone number and email also active from where i changed the password of admin account, however, when i try to log in, it ends up asking authenticator code, which is not possible now.

I need urgent solution, because i am facing issue in emails of one user as below.
Not able to send any email as it showing below email as bounce back..
This message couldn't be delivered because the sending email address was not recognized as a valid sender. The most common reason for this error is that the email address is, or was, suspected of sending spam. Contact the organization's email admin for help and give them this error message.

Hi Gabriel,
Is the contact microsoft support works 24*7 ?
contact Microsoft support directly via phone

Hi @Saurab Kumar

As noted in https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-support?view=o365-worldwide#phone-support, billing support for Microsoft 365 for business products and services is provided in English from 9 AM-5 PM, Monday through Friday. Technical support is available in English 24/7, with some local language support depending on the region. You may want to try calling first. If the call experience wasn’t as expected, consider creating a trial tenant (if applicable) and contacting support again through that Admin center via Help & Support.

Hello @Saurab Kumar

I would like to first clarify that this is a user-to-user support forum, and we are not Microsoft support. Moderators here do not have backend access and cannot directly intervene in Microsoft products or perform escalations. We can only provide technical guidance and best-practice recommendations based on reported issues.

For the question you raised, please first refer to the response provided by AI as it covered all the scenario. However, I would like to share additional context based on my experience and feedback from other users. For locked tenant scenarios like this, the usual approach involves two methods:

• The first option is to contact Microsoft support directly via phone. When a call is made to support, the first step is to provide an automated voice response from AI. Be careful, you won't be able to speak to a support representative if you don't respond appropriately here. Here's an example of a response that actually led to a support representative, please refer to it:

• If calling support does not work, you may consider creating a trial tenant and submitting a support ticket from there on behalf of the affected (locked) tenant. Please remember to cancel the trial subscription afterward to avoid any potential charges. Note: This method doesn't require you to use your new account for your business. Instead, it allows you to create a temporary global administrator account so you can submit a support request, as your original global administrator account is locked out due to issues with multi-factor authentication.

For detailed steps, kindly refer to the referenced thread: Denied global administrator access although I am the only admin

Once you have successfully created the ticket, please send me the ticket number via private message so I can help track the case.

---

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Hi Gabriel, Is the contact microsoft support works 24*7 ?
contact Microsoft support directly via phone

To reset or remove MFA for a single Global Admin when Microsoft Authenticator is lost and no other MFA method exists, the only supported path is to work with Microsoft Support/Data Protection so they can verify identity and reset MFA on the tenant admin account.

Because there is no second Global Admin or break-glass account, self-service recovery is not possible. The normal “Require re-register multifactor authentication” flow in the Azure portal requires another admin and cannot be used in this scenario.

Use the following approach:

1. Contact Microsoft Support by phone (primary method)
   • Call the Microsoft Global Customer Service phone number for the region. Use the flow described in the context:
     • When the IVR asks what the problem is, answer: “Authenticator”.
     • Product: “Office 365 for business”.
     • Account type: “For companies”.
     • When asked if there is another administrator: “No”.
     • Confirm that a service request is needed and ask to be routed to the Data Protection / Tenant Recovery team to reset MFA for the only Global Admin.
   • Clearly state:
     • Locked out of the only Global Admin account due to lost Authenticator.
     • No other MFA methods are configured and cannot access the admin portal.
     • Need an MFA reset / re-registration for the tenant admin.
   • Be prepared to provide tenant and identity verification details (admin UPN, domain, business details, contact phone/email, etc.).
2. If phone support is hard to reach, create a temporary trial tenant to open a ticket
   • Sign up for a new Microsoft 365 trial tenant as described in the context.
   • In the new tenant’s Microsoft 365 Admin Center, go to Support → Help & support and open a ticket.
   • In the ticket, clearly explain that:
     • The issue is with a different existing tenant where the account is the only Global Admin and is locked out by MFA.
     • Request escalation to the Data Protection team to reset MFA for that original tenant’s Global Admin.
   • This trial tenant is only a channel to reach support; it does not give access to data in the locked tenant.
3. What Microsoft will do
   • The Data Protection team will verify ownership and admin rights using the information provided.
   • After verification, they can reset or clear MFA for the Global Admin so that sign-in is possible again and new authentication methods can be registered.
4. After access is restored
   • Sign in as Global Admin and:
     • Re-register Microsoft Authenticator and add additional MFA methods (phone call, SMS, etc.).
     • Create at least one additional Global Admin or break-glass account with separate MFA methods to avoid future lockouts.
   • Once admin access is restored, the email bounce/backscatter issue for the user can be investigated and fixed from the Exchange/Microsoft 365 admin portals.

This scenario (only admin locked out by MFA after phone loss/change) is explicitly handled by Microsoft through the Data Protection / Tenant Recovery process; there is no portal-side self-service workaround when no other admin or MFA method exists.

---

References:

• Can't use Azure Multi-Factor Authentication to sign in to cloud services after you lose your phone or the phone number changes
• Can't set up MFA because five devices are already registered to use an authenticator app
• Common problems with two-step verification for a work or school account
• Use a screen reader to set up and troubleshoot multifactor authentication
• How Do I Regain Access to My Account After Losing Access to Microsoft Authenticator? (Urgent Request). - Microsoft Q&A
• Global Admin Locked out - Microsoft Q&A
• I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
• Requesting a Tenant Admin MFA Reset - Microsoft Q&A
• Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A