![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 46%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Error 500121 indicates a problem completing Microsoft Entra multifactor authentication (MFA). In this scenario, the Microsoft Authenticator app is not providing a usable verification method and there is no way to reach support from within the tenant because sign-in is blocked.
Use the appropriate path based on whether there is another admin in the tenant.
- If there is another Global Admin in the tenant
That admin can reset MFA so the affected account can re-register the Authenticator app:
- Another Global Admin signs in to the Azure portal / Microsoft 365 admin portal.
- Open Microsoft Entra ID → Users.
- Select the affected user account.
- Go to Authentication methods.
- Select Require re-register multifactor authentication.
- Save the change.
- The affected user signs in again and is prompted to set up MFA from scratch on the Authenticator app (and/or add a phone number or other methods).
- If the locked-out account is the only Global Admin
In this case, self-service recovery from the portal is not possible. The tenant must be recovered by Microsoft’s Data Protection / Tenant Recovery team via a support request from outside the locked tenant. Use one of these options: Option A – Call Microsoft support (recommended)
- Call the regional Microsoft customer service phone number listed in the “Customer service phone numbers - Microsoft Support” page.
- When prompted by the automated system, clearly indicate:
- The issue is with Authenticator / MFA.
- The product is Office 365 / Microsoft 365 for business.
- It is a company / work account.
- Confirm being the administrator and that there is no other administrator.
- Request creation of a service request with the Data Protection (Tenant Recovery) team to reset MFA for the tenant admin account.
- Be prepared to provide tenant details (admin sign-in name, domain, business information) so Microsoft can verify identity and ownership.
- Sign up for a new Microsoft 365 trial tenant (separate from the locked tenant).
- In the new tenant, go to the Microsoft 365 admin center → Support → Help & support.
- Open a support ticket explaining that:
- There is a different, existing tenant where the only Global Admin is locked out due to MFA / Authenticator issues.
- MFA is required and the only registered method was Microsoft Authenticator, which is no longer accessible.
- Request escalation to the Data Protection team to reset MFA registration for the original tenant’s admin account.
- Provide the locked tenant’s admin UPN, tenant domain, and any error messages (including 500121) in the ticket.
- After recovery, cancel the trial tenant if it is no longer needed.
These are the supported recovery paths when the Authenticator app does not provide a code and sign-in is blocked, especially for single-admin tenants.
References:
- Troubleshoot Azure Multi-Factor Authentication issues
- Can't use Azure Multi-Factor Authentication to sign in to cloud services after you lose your phone or the phone number changes
- I need to reset my mfa methods - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- Global Admin Locked out - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A