Administrator Locked Out of Microsoft Entra ID Tenant (MFA Lost)

Question

Hello, I am the global administrator and creator of a Microsoft Entra ID (Azure Active Directory) tenant

I am currently unable to sign in to the Azure or Entra portals because the account is prompting for Microsoft Authenticator verification. Unfortunately, I don't have access to the Authenticator app and it was never set up.

I still have full access to the administrator email address and password and can verify ownership of the tenant by any method required rather than microsoft authenticator.

This is a critical issue as this is the only admin account in the tenant.

Thank you for your help.

---

Moved from: Microsoft 365 and Office | Access | For business | Other

Answer 1

Hi Vincenzo Di Marco,

MS is making MFA to all users mandatory security requirement across Microsoft 365 and Azure.

Written by CP,
🔐 What Microsoft Changed

Microsoft announced a staged rollout (2024–2025) that forces MFA for all Azure and Microsoft 365 sign‑ins, starting with:

• All admin accounts (global admin, Exchange admin, SharePoint admin, etc.)

• All Azure portal sign‑ins

• All Microsoft 365 tenants, including small businesses

The reason is simple: Microsoft’s own research shows MFA blocks over 99.2% of account‑compromise attacks https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication?tabs=dotnet

Answer 2

I am currently unable to sign in to the Azure or Entra portals because the account is prompting for Microsoft Authenticator verification.

Unfortunately, I don't have access to the Authenticator app and I lost my Phone with Authenticator App. How can I mange to gain access to the tenant?

Thank you

Answer 3

Hi @Vincenzo Di Marco,       

Thank you for posting your question in the Microsoft Q&A forum.     
I can see that you’re already receiving assistance from the other moderator, and I’d like to add some additional clarification to support the guidance provided. 

I’m really sorry to hear about your situation.  I understand you’re unable to log in to your global admin account. To assist you effectively, I’d like to clarify a few points:        

Do you have any other admin account that you can use to log in to Microsoft 365 Admin center?     

If you don't have any other admin account in this situation, the Microsoft Data Protection team has tools and processes in place to verify identity and regain access to administrator accounts.              

Please note that forum moderators have no control over user accounts, especially when it comes to logging in to your account, resetting your password, changing your access, etc.                             

Therefore, If you are the only administrator in your organization,  then you need to involve Microsoft data protection team. Please try to find the related hotline number to call the frontline let them raise a ticket for you: Customer service phone numbers - Microsoft Support              

In some countries, this is an automated conversation: First, when you call the hotline, they will ask you what kind of problem you are struggling with.               

Answer: Authenticator.               

A: What products do you use?               

B: Office 365 for business.               

Verification: Education or company account?               

B: For companies               

A: Are you an administrator?               

B: Yes.               

A: Are there any other administrators in your organization?               

B: No.               

A: I need one.... Service request?               

B: Yes               

If your organization's Office 365 Business/Education subscription is from a partner or reseller, and the global administrator is unable to open a service request on your end, contact the reseller's support provider to help open a service request on behalf of you instead.               

               

Alternatively, you can try set up a new trial tenant and submit your support request:              

1. Visit the Microsoft 365 Enterprise Plans page: Go to Compare Office 365 Enterprise Pricing and Plans | Microsoft 365.              
2. Choose a plan and start a free trial: Select any of the available plans and click "Try for free" to begin the trial setup process.              
3. Follow the guided setup: Complete the steps to create a new Microsoft account and a new tenant. This will be a separate and independent Microsoft 365 environment.              
4. Access the Microsoft 365 Admin Center: Once the new tenant is created, navigate to https://admin.microsoft.com/.              
5. Go to Support: In the left-hand navigation menu, click on "Support" and then "Help & support."              
6. Raise a support ticket: Describe your issue in detail. Crucially, you must clearly state that you are locked out of a different, pre-existing Microsoft 365 tenant where you are the administrator. Provide the following information about your locked account:               
   • Your administrator account email address for the locked tenant.              
   • The domain name of your locked tenant               
   • Any error messages you are receiving.              
   • Details about the authentication issues you are experiencing.              
   • Confirmation that you are the administrator of the locked tenant.              
7. Submit your ticket: Follow the prompts to submit your support request. You will likely receive a ticket number for tracking.              

Important notes:               

• This new trial tenant will not give you access to any of the data or settings in your original locked tenant. It is solely a temporary means to contact Microsoft support.              
• Be prepared for Microsoft support to ask for verification of your identity and administrative rights for the locked tenant.              
• The resolution time might be longer as you are contacting support from a different tenant.              
• Remember to cancel the trial subscription for the new tenant once your issue with the original account is resolved to avoid any unintended charges. You can typically do this within the Microsoft 365 Admin Center under "Billing" -> "Your products."      

I hope these steps will help resolve your issue. If you need further assistance, we are always here to help.                            
Thank you again for your time and understanding. While my initial response may not resolve the issue immediately, I’d like to gather more details about your situation so I can assist you more effectively.       

I really appreciate your patience, and I’m here to help. Looking forward to your response.              

Wishing you and your family a prosperous New Year.                                 

---

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 4

I would try this method first

🔐 Best Ways to Recover Access When Microsoft Authenticator Is Unavailable

🧩 1. If this is a Work/School (Microsoft Entra ID / Azure AD) Admin Account

Use the Microsoft 365 Admin Support Portal

You must open a support ticket via:

• https://admin.microsoft.com → Need help? → Contact support

But since you cannot sign in, you use:

• Microsoft 365 Support for Admins (public entry point) (USE THIS)
  https://support.microsoft.com/contactus
  → Choose Microsoft 365 for business
  → Select I can’t sign in
  → You will be routed to a support agent who can verify domain ownership manually.

Microsoft will verify you by:

• Domain DNS TXT record
• Billing information
• Proof of domain ownership
• Email verification to the admin address on file

This is the only path that works when you are the sole admin.

Have you got a backup from your Authenticator app which can be loaded into a new phone?