![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 32%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELA%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Because the global admin is locked out by MFA and the Authenticator app no longer works, the MFA registration must be reset by one of the supported recovery paths.
Use the option that matches the situation:
- If there is another Global Administrator in the tenant
- Another global admin signs in to the Microsoft Entra admin center.
- Go to Users → All users and select the locked-out global admin account.
- Open Authentication methods.
- Select Require re-register multifactor authentication.
- The next time the locked-out admin signs in, the portal will prompt to set up MFA again (re‑pair Microsoft Authenticator or another method).
- If there is no other Global Administrator (only one global admin on the tenant)
In this case, tenant recovery must be handled by Microsoft’s Data Protection team via a support request:
- Call Microsoft using the appropriate Customer service phone numbers for the region.
- When connected to support/IVR, clearly state:
- The issue is a tenant admin MFA lockout.
- The caller is the only global administrator for the tenant.
- A reset of MFA registration for the global admin is required.
- Ask to be routed to the Data Protection / Tenant Recovery team.
- Follow the verification steps requested by the Data Protection team (they will validate tenant ownership and then reset the admin’s MFA methods so a new Authenticator registration can be completed).
- If no phone support is reachable As an alternative (from the Q&A guidance), create a temporary Microsoft 365 trial tenant, sign in as its admin, and open a support ticket from that tenant’s admin center requesting help from the Data Protection team to recover the original tenant where the global admin is locked out.
Until MFA is reset by another global admin or by Microsoft Support/Data Protection, the locked-out global admin will not be able to sign in, even if the password is correct.
References:
- Common problems with two-step verification for a work or school account
- You don't receive a text or voice call that contains the verification code for Microsoft Entra multifactor authentication
- "Activation failed" error when you try to set up Azure Multi-Factor Authentication
- Troubleshoot sign-in issues and account access problems
- Global Admin Locked out - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- I need to reset my mfa methods - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
- Microsoft authenticator sending me into a spiral - Microsoft Q&A