![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 54%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELR%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Because the Azure sign-in for this account is tied only to Microsoft Authenticator and there is no other MFA method or another global admin, recovery must go through Microsoft’s Data Protection / Tenant Recovery process. This cannot be fixed purely by self-service.
Use these steps, based on the documented and moderator-recommended paths for similar lockout situations:
- Since this is effectively a tenant lockout with no other global admin, contact Microsoft support by phone and ask specifically for the Data Protection (or Microsoft 365/Azure Data Protection) team to perform an admin/MFA reset for the tenant.
- Use the regional phone numbers listed under Customer service / Support for Business Products (see references) and state clearly:
- This is an Azure / Microsoft 365 for business tenant.
- The account is the only global admin.
- MFA is enforced and the only method was Microsoft Authenticator, which is no longer usable.
- You are completely locked out of the Azure portal and cannot open a ticket from within the tenant.
- Ask them to open a service request with the Data Protection team for tenant admin MFA reset / tenant recovery.
- Use the regional phone numbers listed under Customer service / Support for Business Products (see references) and state clearly:
- Be prepared to pass ownership verification.
- The Data Protection team will follow strict procedures to verify that this personal Microsoft account is indeed the global admin for the tenant and that you are the legitimate owner (they may ask for tenant details, domain, billing info, etc.).
- Once verified, they can reset MFA registration or otherwise restore access so that you can sign in again and reconfigure your authentication methods.
- If frontline support routes incorrectly (for example, to consumer-only support), insist that this is a business/tenant lockout and that you need escalation to the Data Protection / Tenant Recovery team, as documented for similar “only global admin locked out” cases.
- After access is restored, immediately:
- Add at least one backup MFA method (phone, SMS, alternate authenticator, security key) via https://aka.ms/mysecurityinfo.
- Consider enabling passwordless sign-in only after multiple methods are configured, to avoid future lockouts.
If phone support in the region is difficult to reach, one documented workaround in similar cases is to create a temporary new Microsoft 365/Azure trial tenant, use that admin portal only to submit a support ticket, and in that ticket request Data Protection assistance for the original tenant. However, the primary and recommended path remains calling support and asking for Data Protection.
References:
- Troubleshoot sign-in issues and account access problems
- Troubleshoot problems with Microsoft Authenticator
- Can't set up MFA because five devices are already registered to use an authenticator app
- Global Admin Locked out - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Microsoft Authenticator app doesn't show 6-digit OTP code - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A