Global Admin Reset Required - Locked out of my business account

deirdre hayes 0 Reputation points
2026-02-26T23:48:13.72+00:00

Hi,

I’m hoping someone can help me untangle this.

I have an active Microsoft 365 Business Standard subscription (purchased 24 Feb 2026 – I have the Order ID and billing confirmation).

Today I:

  • Moved away from GoDaddy-managed Microsoft 365
  • Had GoDaddy remove the NETORG tenant ([Moderator note: company name removed].onmicrosoft.com)
  • Attempted to attach my custom domain (studiohayes.design) to my direct Microsoft tenant
  • Changed my admin sign-in from @onmicrosoft.com to @studiohayes.design

Since then I cannot access the Microsoft 365 admin centre.

When I try to sign in with: [Moderator note: personal information removed]@studiohayes.onmicrosoft.com

I am blocked by MFA (Authenticator error 500121).

When I contact Microsoft support, they tell me I am “not the Global Admin” for the tenant.

I need to understand:

  • How do I determine which tenant my paid Business Standard subscription is actually assigned to?
  • How do I identify which account is currently assigned the Global Administrator role?
  • What is the correct process for Tenant Admin Recovery when MFA is blocking the only admin account?
  • Could the recently removed GoDaddy NETORG tenant still be causing tenant-routing issues?

Important details:

  • Domain: studiohayes.design
  • Original GoDaddy tenant: [Moderator note: company name removed].onmicrosoft.com (removed approx. 2 hours ago)
  • I may have accidentally created a trial tenant during troubleshooting
  • Error codes seen: 500121, AADSTS50020
  • I can provide Order ID and proof of billing

At this point I cannot access the admin centre to verify roles or users.

What is the correct recovery path in this situation?

Thank you.


2 answers

  1. Liora D 11,850 Reputation points Microsoft External Staff Moderator
    2026-02-27T10:28:43.79+00:00

    Dear @deirdre hayes,

    Welcome to Microsoft Q&A. 

    Thank you for sharing the details, and I’m really sorry that you’re facing this situation.

    Based on the information you provided, I understand that you have an active Microsoft 365 Business Standard subscription, your custom domain was moved from a GoDaddy (NETORG) tenant, the admin sign-in was changed to the custom domain, and access to the Microsoft 365 admin center is now blocked due to Microsoft Authenticator / MFA errors (such as error 500121). You are currently unable to confirm or manage the Global Administrator role.

    In general, the suggestions provided earlier by the AI are correct for this type of scenario, and you can safely follow the recommended approach.

    Please understand that this forum is a user-to-user support community, and for security reasons we don’t have access to accounts, tenants, or billing systems. That’s why contacting Microsoft’s official business support is required in this case.

    This issue is not caused by the subscription itself. Your paid Microsoft 365 Business Standard subscription remains active.

    The problem occurs because the only Global Administrator account is blocked by MFA, or the sign-in is being routed to the wrong tenant after the domain and tenant changes.

    In this situation, there is no supported self-service method to reset MFA or regain admin access through the forum or admin center.

    Please try to find the relevant hotline number and call the frontline so that they can raise a ticket for you: Customer service phone numbers - Microsoft Support 

    In some countries, this is an automated conversation: First, when you call the hotline, they will ask you what kind of problem you are struggling with. 

    Answer: Authenticator. 

    A: What products do you use? 

    B: Office 365 for business. 

    Verification: Education or company account? 

    B: For companies 

    A: Are you an administrator? 

    B: Yes. 

    A: Are there any other administrators in your organization? 

    B: No. 

    A: I need one.... Service request? 

    B: Yes 

    If you still cannot reach an agent, there is a workaround: you might consider registering for a new tenant by signing up for a trial subscription via this link: Compare All Microsoft 365 Plans | Microsoft. This would allow you to create a new tenant following the provided prompts. Once set up, you can access the admin console of the new tenant and submit a support ticket requesting to speak with the Data Protection team on behalf of your previous tenant.  

    Please remember to cancel the trial subscription once your issue is resolved to avoid any unintended charges.  

    I understand that this entire process can feel long and complicated, and I truly appreciate your patience while working through it. These steps are in place to protect the security of your account, so I hope you can understand why they are required. I sincerely hope you’ll be able to regain access to your account soon. If you need help at any point, or if you have any questions during the process, please feel free to reach out; I’m always here and happy to assist.  

    Thank you again for your understanding and patience. 


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".    

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Q&A Assist
    2026-02-26T23:48:41.78+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Based on the described symptoms (MFA lockout, possible extra trial tenant, prior GoDaddy NETORG tenant removal, and support saying the signed-in account is not Global Admin), this is a tenant lockout / tenant ownership issue that must be handled by Microsoft’s Data Protection / Tenant Recovery teams. The admin center cannot be used until access is restored.

    Below is the supported recovery path, aligned with Microsoft guidance in similar scenarios.

    1. Determine which tenant owns the subscription and domain

    Because admin access is currently blocked, tenant discovery and confirmation must be done with Microsoft support:

    1. Call Microsoft business support and ask to be routed to the Microsoft 365 Data Protection team:
      • Use the regional phone number listed under “Find Microsoft 365 for business support phone numbers by country or region”.
      • Clearly state:
        • There is an active Microsoft 365 Business Standard subscription.
        • The custom domain is studiohayes.design.
        • The former GoDaddy tenant has been removed.
        • A trial tenant may have been created during troubleshooting.
      • The Data Protection team can look up which tenant the paid subscription and domain are currently associated with and confirm whether there is an unmanaged or duplicate directory involved.
    2. If the domain is attached to an unmanaged or wrong tenant, the Data Protection team can guide you through:
      • Claiming or taking over an unmanaged directory if the domain is verified in the registrar but not in the intended tenant.
      • Regaining access to a tenant owned by the organization when locked out.

    Relevant behavior is documented under “How can I take over unmanaged directories owned by my organization?” and “How can I regain access to a tenant owned by my organization?” where global admins and the Data Protection team are explicitly involved in claiming or recovering tenants.

    2. Identify who is Global Administrator

    Without admin center access, only Microsoft support (Data Protection team) can:

    1. Inspect the tenant that owns studiohayes.design and the Business Standard subscription.
    2. Confirm which account(s) currently hold the Global Administrator role.
    3. If support says that the current sign-in is not a Global Admin, this indicates either:
      • The sign-in is landing in a different tenant (for example, a newly created trial tenant), or
      • The Global Admin role is assigned to a different account in the correct tenant.

    Support must verify identity and then either:

    • Reset credentials of an administrator account, or
    • Help claim ownership of the tenant if there is no accessible Global Admin.

    This is explicitly listed as a function of the Data Protection team when a tenant owner is locked out.

    3. Correct process when MFA blocks the only admin account

    When the only Global Administrator is locked out by MFA and no other admin can reset MFA, the documented path is:

    1. Involve Microsoft Data Protection / Tenant Recovery:
      • Call the Microsoft 365 business support number for the region.
      • When prompted by IVR, indicate:
        • The issue is with “Authenticator” / MFA.
        • The product is “Office 365 for business / Microsoft 365 for business”.
        • It is a company account.
        • The caller is an administrator and there is no other administrator.
        • A service request is needed and must be routed to the Data Protection team.
    2. Data Protection team actions (per guidance in similar MFA lockout cases):
      • Verify identity and tenant ownership using:
        • Official business documentation.
        • Domain ownership for studiohayes.design.
        • Subscription/order information (Order ID, billing proof).
      • Once verified, they can:
        • Reset credentials of an administrator account, and/or
        • Reset or clear MFA registration so the admin can sign in and re-register Microsoft Authenticator.

    This is the same pattern used when a sole Global Admin loses access due to a lost/stolen phone or broken Authenticator and cannot open a ticket from the locked tenant.

    4. Impact of the removed GoDaddy NETORG tenant and possible trial tenant

    The symptoms (AADSTS50020, “not the Global Admin”, and MFA error 500121) are consistent with:

    • Sign-in being routed to a different tenant than expected (for example, a new trial tenant created during troubleshooting), or
    • The domain or UPN change causing the account to exist in more than one tenant with different roles.

    The official guidance for such cases is:

    1. Review domains in the registrar that are not verified to the intended tenant. If a domain paid for in the registrar is not part of the home tenant, it may be associated with an unmanaged or different directory.
    2. Global administrators (or, in this case, the Data Protection team acting after verification) can:
      • Claim or take over unmanaged directories.
      • Help regain access to the correct tenant.

    Because the GoDaddy NETORG tenant was recently removed and a trial tenant may exist, tenant routing confusion is likely. Only support can see the full tenant mapping and correct it.

    5. Concrete recovery steps to follow now

    1. Gather evidence:
      • Order ID and billing confirmation for Microsoft 365 Business Standard.
      • Domain ownership proof for studiohayes.design (registrar details).
      • Any emails showing tenant IDs or previous admin invitations.
      • Error codes: 500121 and AADSTS50020.
    2. Call Microsoft 365 business support and request the Microsoft 365 Data Protection team:
      • Use the phone number from “Find Microsoft 365 for business support phone numbers by country or region”.
      • Clearly state:
        • Locked out of the only Global Admin account by MFA.
        • Cannot access the admin center or open a ticket from the tenant.
        • GoDaddy NETORG tenant was removed and a trial tenant may have been created.
        • Need tenant ownership verification and MFA reset / admin credential reset.
    3. Work with Data Protection:
      • Allow them to confirm which tenant owns the subscription and studiohayes.design.
      • Have them reset the admin’s MFA/credentials or help claim the correct tenant.

    Once access is restored:

    • Sign in to the correct tenant’s admin center.
    • Verify that studiohayes.design is attached to the intended tenant only.
    • Confirm Global Admin assignments and add at least one additional Global Admin.
    • Configure a break-glass emergency access account to prevent future lockouts.

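Added example, not part of the original thread or either answer and not Microsoft's code: the split-tenant routing discussed above can be checked from outside the tenant, because Microsoft Entra ID publishes an OpenID Connect discovery document per verified domain whose `issuer` URL contains the tenant ID. The domains, GUIDs and error value in `SAMPLE` are constructed placeholders; `fetch_discovery` performs the live lookup and needs network access.

```python
import json
import re
import urllib.error
import urllib.request

# Public OpenID Connect discovery document; {name} is a tenant ID or a verified domain.
DISCOVERY = "https://login.microsoftonline.com/{name}/v2.0/.well-known/openid-configuration"
GUID = re.compile(r"/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:/|$)", re.I)

def tenant_id_from_discovery(doc):
    """Return the tenant GUID embedded in the 'issuer' URL, or None if absent."""
    if not isinstance(doc, dict) or "error" in doc:
        return None  # domain is not verified in any tenant, or the lookup failed
    match = GUID.search(doc.get("issuer", ""))
    return match.group(1).lower() if match else None

def fetch_discovery(name):
    """Live lookup (needs network). HTTP errors become an 'error' document."""
    try:
        with urllib.request.urlopen(DISCOVERY.format(name=name), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        return {"error": f"http_{exc.code}"}

def compare_routing(docs):
    """Map each sign-in domain to its tenant ID and classify the result."""
    ids = {name: tenant_id_from_discovery(doc) for name, doc in docs.items()}
    resolved = {t for t in ids.values() if t}
    if not resolved:
        verdict = "unresolved"
    elif len(resolved) > 1:
        verdict = "split"        # domains sign in to different tenants
    elif None in ids.values():
        verdict = "partial"      # at least one domain is not verified anywhere
    else:
        verdict = "same-tenant"
    return ids, verdict

# Constructed sample documents (placeholder domains and GUIDs, not real tenants).
SAMPLE = {
    "example.com": {"issuer": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0"},
    "example.onmicrosoft.com": {"issuer": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0"},
    "old-tenant.example": {"error": "invalid_tenant"},
}

if __name__ == "__main__":
    ids, verdict = compare_routing(SAMPLE)
    for name, tid in ids.items():
        print(f"{name:28} -> {tid or 'not verified in any tenant'}")
    print("verdict:", verdict)
```

A "split" verdict for the custom domain and the onmicrosoft.com name means the two sign-in addresses belong to different directories; the tenant IDs are useful evidence to give support alongside the Order ID.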
