A cloud-based identity and access management service for securing user authentication and resource access
- The recommended recovery process when all known Global Administrators are lost is to work with Microsoft support and the Data Protection team to re-establish administrative access. The general pattern is:
  - Confirm that the tenant is indeed associated with the company by checking domains and unmanaged/managed directory status. If the domain is associated with an unmanaged directory, use the Administrator Takeover process to claim it as a Microsoft Entra administrator. For unmanaged directories, follow the Admin takeover of an unmanaged directory guidance referenced from the checklist for tenant setup and GDAP management and the partner-center guidance on Administrator Takeover.
  - If the tenant is a normal managed tenant (as in this case) and there is a complete loss of Global Admin access, open a support ticket and have the case escalated to the Microsoft Data Protection team. They have tools and processes to verify identity and regain access to administrator accounts when there is only one or no accessible admin.
  - Be prepared to provide proof of ownership such as official business documentation and domain ownership, as described in the tenant access recovery and cloud footprint guidance.
- Microsoft can restore administrative access, but only after completing identity and ownership verification through the standard support and Data Protection processes. DNS ownership alone is not sufficient by itself; it is one of several signals used. The Data Protection team can:
  - Reset credentials of an administrator account.
  - Help claim ownership of normal tenants when the organization is locked out.
- If the tenant administration portal cannot be accessed, the correct support channels are:
- Open a Microsoft 365/Azure support ticket as the tenant administrator (if any access remains) or via another tenant or partner:
  - From the Discover your Microsoft cloud footprint FAQ: when locked out of a tenant, open a support ticket and the Data Protection team can help reset an admin account or help claim ownership.
  - From the nonprofit tenant access recovery guidance: use the Microsoft 365 support page and select the option for being unable to sign in or access the tenant.
- If no admin portal is accessible at all, use the global customer service phone numbers to reach Microsoft support and request a service ticket for tenant lockout and admin recovery. The Q&A examples show this as the path when the only admin is locked out (e.g., due to Authenticator/MFA issues or tenant inactivity).
- If the tenant was created via a Microsoft partner, contact the partner so they can open a support request on behalf of the organization.
Once support is engaged, clearly state that:
- The organization still owns the domain used by the tenant.
- All known Global Administrators are unavailable or unknown.
- There is a production app registration that must be updated.
Support will then route the case to the Data Protection team to perform identity verification and, if successful, restore or create a Global Administrator so that redirect URIs and other app registration settings can be updated.
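Before the support case is opened, the first checklist step above (confirming that the domain really is bound to the company's tenant, and whether it is managed or federated) can be sanity-checked from the outside with two unauthenticated Microsoft login endpoints. The script below is an added example, not part of the original guidance or any Microsoft tool: it derives the tenant ID from the OpenID Connect discovery document for the domain and reads the `NameSpaceType` from the `getuserrealm.srf` response. The sample responses, domain, tenant GUID and the `check_domain` helper are constructed for the demo; the `fetch` parameter lets the code run offline against those samples.

```python
"""Added example (not from the original page): confirm which Microsoft Entra
tenant a domain is bound to before opening a tenant-recovery support case."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional
from urllib.parse import quote

LOGIN = "https://login.microsoftonline.com"
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample responses. The shape mirrors the real endpoints;
# the domain and tenant GUID are placeholders, not real values.
SAMPLE_OIDC = {
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token",
    "tenant_region_scope": "EU",
}
SAMPLE_REALM = {"NameSpaceType": "Managed", "DomainName": "contoso.example",
                "Login": "someone@contoso.example"}
SAMPLE_REALM_UNKNOWN = {"NameSpaceType": "Unknown", "Login": "someone@nowhere.example"}


def tenant_id_from_oidc(doc: dict) -> Optional[str]:
    """Pull the tenant GUID out of the discovery document's issuer URL.
    The issuer looks like https://login.microsoftonline.com/<tenant-guid>/v2.0.
    Returns None when the document carries no issuer (e.g. an error body
    returned for a domain that is not registered in any tenant)."""
    for part in doc.get("issuer", "").split("/"):
        if GUID.match(part):
            return part.lower()
    return None


def classify_realm(realm: dict) -> str:
    """Translate getuserrealm's NameSpaceType into a recovery-relevant label.
    Note: this does not distinguish a self-service ("unmanaged") directory from
    a normal managed one; that still has to be checked in the admin portal or
    via the Administrator Takeover flow."""
    kind = realm.get("NameSpaceType", "Unknown")
    labels = {
        "Managed": "managed (cloud credentials held in the tenant)",
        "Federated": "federated (sign-in delegated to an on-premises IdP)",
        "Unknown": "not bound to any tenant",
    }
    return labels.get(kind, f"unrecognised NameSpaceType ({kind})")


def _fetch_json(url: str) -> dict:
    """Default fetcher. Error responses from the login service are JSON too,
    so return their body rather than raising, letting the caller see the error."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.loads(err.read() or b"{}")


def check_domain(domain: str, fetch: Callable[[str], dict] = _fetch_json) -> dict:
    """Summarise tenant binding for a domain. `fetch` is injectable so the
    check can be exercised offline with the constructed samples."""
    oidc = fetch(f"{LOGIN}/{quote(domain)}/v2.0/.well-known/openid-configuration")
    realm = fetch(f"{LOGIN}/getuserrealm.srf?login={quote('someone@' + domain)}&json=1")
    return {
        "domain": domain,
        "tenant_id": tenant_id_from_oidc(oidc),
        "region": oidc.get("tenant_region_scope"),
        "realm": classify_realm(realm),
        "error": oidc.get("error"),
    }


if __name__ == "__main__":
    # Offline demonstration against the constructed samples.
    def offline(url: str) -> dict:
        return SAMPLE_OIDC if "openid-configuration" in url else SAMPLE_REALM

    print(json.dumps(check_domain("contoso.example", fetch=offline), indent=2))
```

If the live discovery call comes back with an `error` and no `issuer`, the domain is not registered in any tenant, and the support case should be framed around domain ownership rather than lost administrators; a tenant ID and a `Managed` realm match the "normal managed tenant" branch of the checklist, which is the Data Protection team route.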
References:
- Discover your Microsoft cloud footprint FAQ
- Tenant access recovery
- Preventing tenant lockouts
- What to do if your only admin has left the company
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- 7 Day Old Azure Account: AADSTS5000225: This tenant has been blocked due to inactivity. - Microsoft Q&A
- Tenant inaccessible due to inactivity - Microsoft Q&A