Entra ID Admin Lockout / MFA Reset needed

Question

Entra ID Admin Lockout / MFA Reset needed

Thomas Justen 20

Hello everyone,

after migrating the authentication policies to Entra ID, we have lost administrative access to the Entra ID / Azure portal. The admin has multiple MFAs set up but only the MFA from the Microsoft Authenticator app is requested; the alternative third-party OTP cannot be used. How can we reset the admin account?

Regards
Tom

Vorname Nachname 20 Reputation points

2025-10-29T14:33:17.73+00:00

00000

Answer accepted by question author

0 additional answers

Your answer

Vorname Nachname 20 Reputation points

2025-10-29T14:33:17.73+00:00

00000

Answer 1

Raja Pothuraju 43,505 Microsoft External Staff Moderator

Hello @Thomas Justen,

Thank you for posting your query on Microsoft Q&A.

From your description, I understand that after migrating authentication method policies from legacy verification options to modern authentication methods, your global administrator is unable to log in to the tenant.

It appears the admin is being prompted to complete MFA using only the Microsoft Authenticator app, despite having multiple authentication methods configured.

Could you check if the admin has other authentication methods available by clicking "I can't use my Microsoft Authenticator app right now" on the login screen?

User's image

Below is a reference screenshot after selecting "I can't use my Microsoft Authenticator app right now".

User's image

Please verify if other registered methods are available to complete the login successfully.

If no other methods are available, could you share details about the policies implemented during the migration? Specifically:

Which authentication methods were enabled?

Were any external or Azure authentication methods enabled in the tenant?

User's image

If you’re unsure about the options selected during the migration, I’d be happy to connect offline to better understand the scenario.

We can connect offline and discuss further on this.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.

Thomas Justen 20 Reputation points

2025-01-02T08:22:31.8933333+00:00

Hello Raja,
the other options are not available. In fact, we are not getting the Push Notification but the code in the authenticator is kind of accepted. After putting in the code, nothing is happening any more. If we put in the wrong code, the portal is complaining. We are stuck with the correct code but the portal / app etc. is not continueing. We are very sure that nothing will help us but a reset of the MFA of our admin.

The only MFA Method that is enabled is OTP / Third Party Software Auth Tokens. I assume we are running into that issue, because we have disabled Microsoft Authenticator. By fact, the Admin does have a Third Party OTP but this is no Option that is provided during the login. Other users of the environment can sucessfully log in with Third Party OTP. The Admin is the only account that had Microsoft Authenticator besides Third Party OTP, so from our view that seems to be a bug.

Is there any chance to trigger a reset for the admin account, we still have the password and also access to all other accounts in the environment.

Regards
Tom
Thomas Justen 20 Reputation points

2025-01-02T08:25:44.14+00:00

This is where we are stuck
Thomas Justen 20 Reputation points

2025-01-02T08:27:55.05+00:00
Raja Pothuraju 43,505 Reputation points Microsoft External Staff Moderator

2025-01-02T08:32:38.3733333+00:00

Hello @Thomas Justen,

Thank you for your feedback.

Let's take this offline.

We can connect offline and discuss further on this.

Thanks,
Raja Pothuraju.
Thomas Justen 20 Reputation points

2025-01-02T08:33:46.2533333+00:00

For some reason my first response vanished.

So, we deactivated Microsoft Authenticator in the Authentication Option and only have Third Party Software OATH Tokens enabled. The Admin does have a software OTP and also an Authenticator registered. For Some reason the Software OTP is no option but the OTP from the Authenticator seems to be accespted. The login is not continueing with the OTP from the Authenticator. After clicking muliple times the portals blocks us with the following information:
Raja Pothuraju 43,505 Reputation points Microsoft External Staff Moderator

2025-01-02T09:23:40.4533333+00:00

Hello @Thomas Justen,

Thank you for connecting offline.

As we have discussed on call, I see you have migrated from legacy auth methods to modern and after that you were unable to login into Azure Portal due to not enabling modern auth methods.

As you are the only global admin on the account and are blocked entirely, you can reach out to our support team. You can look into below article to get support numbers depending on your country.

https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

or creating a ticket through a different account: https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-support?view=o365-worldwide#phone-support

Create a ticket with Microsoft support team. Give them the tenant ID which is locked out in your description. Tell them that no admin account has access anymore and your partners also have no access anymore.

Once you create a ticket with support team you will have to work with our data protection team. You will have to first prove your identity against your tenant for security purpose. Post that this team will help you with help you in getting access to your tenant or unlock your account depending on your scenario.

Also, for the future, you can create an emergency access account (break glass) in Azure AD. This account will help prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization because you can't sign in for any reason.

https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access

Let me know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Thanks,
Raja Pothuraju.

Share via

Entra ID Admin Lockout / MFA Reset needed

0 additional answers

Your answer