![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 23%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
For a work or school account, this behavior means the account is configured so that Microsoft Authenticator is the only allowed multifactor method. When Authenticator is lost or on a new phone, the loop described occurs because there is no alternative verification method available.
The app itself cannot break this loop. The multifactor authentication (MFA) settings for the account must be reset by an administrator or by Microsoft support so that sign-in can proceed and Authenticator can be set up again.
Follow the path that matches the situation:
- If there is another admin in the organization
- Ask the Microsoft 365/Entra ID admin to:
- Go to Microsoft Entra admin center: https://entra.microsoft.com
- Navigate to Users → All users and select the affected user.
- Open Authentication methods.
- Select Require re-register multifactor authentication.
- After this is done, sign in again to the work account in a browser. MFA will be treated as first-time setup and will show a QR code or setup flow that can be scanned/used by the new Microsoft Authenticator app.
- If the affected user is an end user with no admin rights
- Contact the organization’s IT help desk or Microsoft 365/Entra admin and provide:
- Work email address.
- Description that Authenticator is the only MFA method and the device was changed or lost.
- Ask them to reset MFA as above (Require re-register multifactor authentication). After reset, sign-in will allow setting up Authenticator again on the new device.
- If the affected user is the only global admin for the tenant
In this case, only Microsoft’s Data Protection team can unlock the tenant:
- Call Microsoft support using the regional Customer service phone numbers.
- When the IVR/bot asks, indicate:
- Product: Office 365/Microsoft 365 for business.
- Account type: Company (not education).
- Role: Global administrator.
- Problem: Locked out due to Microsoft Authenticator / MFA.
- Ask explicitly for a ticket to be raised for the Data Protection team to help regain access to the global admin account and reset MFA.
- Be prepared to provide business and identity verification details.
If calling support is difficult, a temporary workaround (for admins) is:
- Create a new trial Microsoft 365 tenant from the public trial page.
- Sign in to the new tenant’s Microsoft 365 Admin Center.
- Use Help & support to open a support ticket.
- In the ticket, clearly state that the issue is with a different, existing tenant where the global admin is locked out by MFA and needs Data Protection team assistance.
- After resolution, cancel the trial to avoid charges.
- If this is a personal Microsoft account (not work/school)
For personal accounts, ensure there is at least one alternative sign-in method (SMS, email code, security key, or another authenticator app). If none is available and access is lost, recovery must be done through Microsoft’s account recovery and support flows; forum moderators and the app itself cannot bypass MFA.
The loop described is expected when Authenticator is configured as the only verification method and that method becomes unavailable. The only supported resolution is an MFA reset by an admin or Microsoft support so that a new device can be registered.
References:
- About Microsoft Authenticator
- Authentication methods in Microsoft Entra ID - Microsoft Authenticator app
- Common problems with two-step verification for a work or school account
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
- I cant log in to my business account because it is requiring Authenticator app which I do not have - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A