![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 74%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
The deleted Azure MFA registration (QR code) means the existing Azure passkey/Authenticator method for the Entra ID account is no longer valid, so sign-in is stuck at the second factor and cannot complete. Because there is only one global administrator and no alternative verification method, this is effectively a tenant lockout and cannot be fixed self-service.
The only supported resolution in this situation is to have Microsoft Support and the Data Protection (DP) team reset MFA for the affected admin account so that a new strong authentication method can be registered.
Action path:
- Open a support case with Microsoft for the affected tenant (Azure / Entra ID) using any available channel that does not require signing in as that locked-out admin (for example, general support phone line or another Microsoft subscription sign-in if available).
- Clearly state that:
- This is a tenant lockout.
- There is only one global administrator.
- The only strong auth method (Authenticator QR/passkey) was deleted and no other methods are configured.
- Ask for the case to be escalated to the Data Protection team to reset MFA for the global admin account.
- Work with the DP engineer to complete identity verification (they will request business and identity details and may require back-and-forth verification).
- After DP completes review, they will reset/re-register MFA for the admin account so that sign-in can succeed again and a new Authenticator/passkey can be configured.
- Once access is restored, immediately:
- Add at least one additional strong authentication method (for example, another Authenticator registration, SMS/voice, or security key) for the admin account.
- Create a separate emergency access (break-glass) account with global admin rights and at least two independent auth methods, as described in “Manage emergency access accounts in Microsoft Entra ID,” so future lockouts can be avoided.
This pattern (tenant lockout with single global admin and no working MFA method) is handled only through Microsoft Support + Data Protection escalation; there is no portal or self-service recovery path once all admin MFA methods are unusable.
References:
- Troubleshoot sign-in issues and account access problems
- How Do I Regain Access to My Account After Losing Access to Microsoft Authenticator? (Urgent Request). - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Azure has blocked myphone number for SMS verification due to a “bad reputation” flag - Microsoft Q&A