Share via

Locked Out of Azure Portal after Mobile Device Upgrade

J 0 Reputation points
2026-06-06T19:34:45.0066667+00:00

I am having troubles logging into my Azure Tenant via the Azure Portal. The reason being, I switched to a new mobile device and now my authenticator app account that I would receive codes to is now in a stale/logged out state where I cannot receive the correct 6 digit code to successfully reauthenticate my authenticator app or authenticate into Azure by any other means. At this point, my old mobile device is gone, and I'm the only admin in my Azure Tenant. Furthermore, I still have billing information in the tenant that I'm locked out of Have I just indefinitely lost access to my Azure Tenant and everything in it or is there a way to get my authenticator app back to a functional state so that I may continue using my Azure Tenant?

Microsoft 365 and Office | Subscription, account, billing | For business | Android
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Teddie-D 17,130 Reputation points Microsoft External Staff Moderator
    2026-06-06T23:32:05.55+00:00

    Hi @J

    According to your situation, since you are the only Global Administrator and you are completely locked out from the tenant. So, only Microsoft Support team can help you in this MFA issue. You might need to contact us via phone service number: Customer service phone numbers - Microsoft Support. The agent will be able to create a ticket for you under the affected tenant and then transfer this ticket to Data Protection team who could help you to regain access.  

    When a call is made to support, the first step is to provide an automated voice response from AI. Be careful, you won't be able to speak to a support representative if you don't respond appropriately here. 

    Here's an example of a response that actually led to a support representative. Please refer to it. 

    Q. Can you tell me if you are calling as a home user who uses a product or service at home or a business user who uses it in your business to provide the best assistance? 
A.I am a business user. 
Q. Thank you. Can you give me the details of your inquiry? 
A. Login technical support. 
Q. First of all, can you tell me which products you are inquiring about today? 
A. Microsoft 365 business Standard。 
Q. Please wait a moment, I understand Microsoft 365. Are you calling about a new case or an existing one? 
A. New. 
Q. To receive phone support, your phone number must be associated with your Microsoft 365 admin profile. To do this, go to aka.ms/m365profile. Again, it aka.ms/m365profile . This can take 48 hours. In the meantime, you can go to aka.ms/m365profile and file a case online. If you prefer, you can also text the link to the phone number you are calling. What do you think? 
A. The phone number is already linked to the link. 
Q. Can you tell me about the products in your inquiry? 
A. Microsoft 365 Business Standard. 
Q. Are you a Global Administrator? 
A. That's right. 
Q. I'm sorry. I didn't understand. Are you a global administrator for your domain? 
A. Yes, I am a global administrator for the domain. 
Q. If you have any inquiries, you can contact a Microsoft representative. Are you sure? 
A. Yes. Please. 
Q. Yes, I understand. Please wait a moment.

    Please note that this team is always overwhelmed, so you might need to wait for them to call you, this should take 3-10 working days. I know that this is not a convenient solution to hear but it seems to be the only way, and it's recommended that you should have a secondary/backup Global Administrator to fix this issue on your own.    

    In case the phone line is not supportive, you can consider directly submitting a support request as a helpful workaround:    

    -Create a temporary Microsoft 365 tenant using a trial license: Go to Microsoft 365 Business Plans and Pricing and click Try for free to set up a temporary Microsoft 365 tenant with a trial license.    

    -Use this new account to sign in to the Microsoft 365 Admin Center and submit a support request on behalf of your primary (locked) account.   

    -Click Help & Support > then choose Create a support request.    

    Note: This method doesn't require you to use your new account for your business. Instead, it allows you to create a temporary global administrator account so you can submit a support request, as your original global administrator account is locked out due to issues with multi-factor authentication. The trial account is free for one month. Be sure to delete it after submitting your support request to avoid any automatic renewals or charges from Microsoft.     

    For further instructions, you can follow this guide: Get support - Microsoft 365 admin | Microsoft Learn   

    I appreciate your understanding and patience in this matter. While I truly want to assist you, this issue is beyond the scope of my role as a forum moderator. I do not have access to internal databases or the ability to escalate cases directly to Microsoft’s internal teams. Therefore, please kindly contact the Microsoft Support team for the most efficient help.   

    For future reference, cloud backup in Microsoft Authenticator helps transfer your account list to a new device, but it does not fully restore your multi-factor authentication (MFA) settings. For security reasons, you'll need to manually reconfigure MFA for each account. So, please also do not rely on cloud backup alone in the future.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".       

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  

    Was this answer helpful?

  2. AI answer

    2026-06-06T19:35:02.07+00:00

    Access to the Azure tenant and its resources is not permanently lost, but self-service recovery is not possible when there is only one admin and that admin is locked out by MFA.

    Key points from the scenario and available options:

    1. Another admin can reset MFA (not applicable here)
      • In tenants where there is another global admin, that admin can reset the locked-out admin’s MFA by:
        • Signing in to the Azure portal → Microsoft Entra ID → Users → select the user → Authentication methods → Require re-register multifactor authentication.
      • This forces MFA re-registration on next sign-in.
      • In this case, there is no second admin, so this option is not available.
    2. When the only admin is locked out, Microsoft Data Protection / Tenant Recovery is required
      • If the locked-out user is the only administrator, recovery must be handled by Microsoft’s Data Protection team.
      • Forum moderators and normal support channels cannot directly change MFA or bypass verification.
      • The Data Protection team has tools and processes to verify identity and restore access for a sole admin who has lost MFA access (for example, after changing or losing a phone).
    3. How to reach the Data Protection team Primary method: Phone support
      • Call Microsoft’s global customer service phone number for support (commercial/Office 365/Azure for business).
      • When interacting with the automated system, clearly indicate:
        • The issue is with Authenticator / MFA.
        • The product is Office 365 for business / Azure.
        • It is a company (work) account.
        • The caller is an administrator.
        • There is no other administrator in the organization.
        • A service request is needed and the call should be routed to the Data Protection team (or Tenant Recovery) to reset MFA for the sole global admin.
      Alternative method: Create a temporary trial tenant to open a ticket
      • If reaching the right support team by phone is difficult, a workaround is:
        1. Sign up for a new Microsoft 365 or Azure trial tenant (a completely separate tenant).
        2. In that new tenant, go to the admin center and open a support ticket.
        3. In the ticket, clearly state:
          • The issue is lockout from a different, existing tenant where the caller is the only global admin.
          • Provide the locked tenant’s domain and admin UPN, error messages, and that MFA is blocking access after a phone change.
          • Request escalation to the Data Protection / Tenant Recovery team to reset MFA registration for that admin account.
      • This trial tenant is only a channel to contact support; it does not give access to data in the locked tenant.
    4. What the Data Protection team does
      • After verifying identity and ownership of the tenant, they can reset MFA for the locked-out admin.
      • Once MFA is reset, sign-in will prompt to register MFA again on the new device, allowing the Microsoft Authenticator app to be set up and access to the Azure tenant to be restored.
    5. Important notes
      • Billing information and tenant data are not deleted just because MFA is misconfigured or the phone is lost.
      • Recovery may take time because identity and admin rights must be verified carefully.
      • After access is restored, it is strongly recommended to:
        • Add at least one additional global admin.
        • Configure multiple MFA methods (Authenticator, SMS, phone call, security key) to avoid future lockouts.

    In summary, access is not indefinitely lost. The path forward is to contact Microsoft support and have the case escalated to the Data Protection / Tenant Recovery team so they can reset MFA for the sole admin on the tenant.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.