A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Because there is only one global administrator on the tenant and that account is locked behind Microsoft Authenticator, this is a tenant lockout scenario that must be handled by Microsoft’s Data Protection team.
Action steps:
- Collect proof of ownership
  - Have business documentation ready (company details, domain name, admin UPN, subscription info, billing details, etc.). The Data Protection team will use this to verify identity and tenant ownership.
- Contact Microsoft by phone and request Data Protection / Tenant Recovery
  - Use the global support phone numbers listed under Customer service phone numbers - Microsoft Support for business products.
  - When the IVR/agent asks about the issue, clearly state:
    - The problem is with Microsoft Authenticator / MFA.
    - The product is Office 365 / Microsoft 365 for business.
    - It is a company (work) account, not personal.
    - The caller is the only Global Administrator and is locked out due to MFA on a lost/replaced phone.
    - A service request is needed and the call must be routed to the Microsoft Data Protection team (sometimes called Tenant Recovery or Data Protection / Tenant Admin MFA reset).
- Work with the Data Protection team
  - The Data Protection team has internal tools and processes to:
    - Verify identity and tenant ownership.
    - Reset or clear the MFA registration for the locked global admin.
  - After they reset MFA, sign in again with the existing password and register new authentication methods (Authenticator on the new phone, plus backup methods such as SMS, phone call, or passkey/certificate-based authentication where applicable).
- Prevent future lockouts
  - Add at least one additional Global Administrator.
  - Configure emergency access (“break glass”) accounts as described in the emergency access guidance so the tenant is not dependent on a single admin or single device for MFA.
This scenario (single global admin locked out due to MFA on a new phone) cannot be resolved self-service; escalation to Microsoft Data Protection via support is required.
References:
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Troubleshoot sign-in issues and account access problems
- Preventing tenant lockouts
- Manage emergency access accounts in Microsoft Entra ID
- Planning for mandatory multifactor authentication for Azure and other admin portals
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
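
The "Prevent future lockouts" step can be checked once an administrator is able to sign in again. The following is an added example, not part of the original answer or any Microsoft script: it uses the Microsoft Graph PowerShell SDK to flag a tenant that has a single Global Administrator or an admin whose registered MFA methods all sit on one phone. The `$deviceBound` list is an assumption about which methods are lost with a phone and should be adjusted to the tenant; depending on licensing, the registration report may not be available.

```powershell
# Added example: audit for the single-admin / single-device MFA dependency.
# Requires the Microsoft.Graph PowerShell SDK and a working admin sign-in.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'AuditLog.Read.All'

# Well-known role template ID for Global Administrator (identical in every tenant).
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplateId'"

# Direct, active user members only. PIM-eligible assignments and
# role-assignable groups are not expanded by this call.
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })

# Assumption: methods treated as living on a single phone. Adjust as needed.
$deviceBound = 'microsoftAuthenticatorPush',
               'microsoftAuthenticatorPasswordless',
               'softwareOneTimePasscode'

$report = foreach ($m in $members) {
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail `
        -UserRegistrationDetailsId $m.Id
    # Filter out $null so an empty registration yields an empty array.
    $methods  = @($reg.MethodsRegistered | Where-Object { $_ })
    $portable = @($methods | Where-Object { $_ -notin $deviceBound })
    [pscustomobject]@{
        UserPrincipalName = $reg.UserPrincipalName
        MfaRegistered     = $reg.IsMfaRegistered
        Methods           = $methods -join ', '
        OnlyDeviceBound   = ($methods.Count -gt 0 -and $portable.Count -eq 0)
    }
}
$report | Format-Table -AutoSize

$findings = @()
if ($members.Count -lt 2) {
    $findings += 'Only one Global Administrator: add a second admin and an emergency access account.'
}
foreach ($row in ($report | Where-Object OnlyDeviceBound)) {
    $findings += "$($row.UserPrincipalName): every registered method is tied to one phone; register a backup method."
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    'No single-admin or single-device dependency found.'
}
```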