![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 28.000000000000004%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
MFA cannot be bypassed or reset directly when there is only one global admin and that admin is locked out. Recovery must go through Microsoft’s Data Protection / tenant recovery process via support.
Use the following path, in order:
- Confirm there is truly no other admin
- If any other global admin exists in the tenant, that admin can reset MFA for the locked-out account:
- Admin signs in to Azure portal → Microsoft Entra ID → Users → select the locked-out user → Authentication methods → Require re-register multifactor authentication.
- On next sign-in, the locked-out admin is prompted to set up MFA again.
- If there is no other global admin, proceed to step 2.
- Contact Microsoft Data Protection team by phone Because sign-in is blocked, recovery must be done by Microsoft support after identity verification.
Use the global customer service phone numbers listed under Customer service phone numbers - Microsoft Support. When calling, navigate the IVR so the case is routed to the Data Protection / Tenant Recovery team:
Typical IVR flow (wording may vary by country):
- When asked what the problem is, say: Authenticator or lost account.
- When asked what product is used, answer: Office 365 for business / Microsoft 365 for business.
- When asked to confirm type, answer: Company account.
- When asked if an administrator, answer: Yes.
- When asked if there is another administrator, answer: No.
- When asked if a service request is needed, answer: Yes – I need to create a ticket and speak with the Data Protection team; I am the only global admin and I’m locked out due to MFA.
The Data Protection team will then:
- Verify identity and tenant ownership (they may request business documentation, domain ownership proof, etc.).
- After verification, reset MFA / security info or otherwise restore access to the global admin account.
- If phone support cannot be reached: create a temporary trial tenant to open a ticket If it is impossible to reach a live agent by phone, a workaround is to create a separate trial Microsoft 365 tenant solely to submit a support request:
- Sign up for a Microsoft 365 trial tenant (any business/enterprise trial plan).
- After the new tenant is created, go to the Microsoft 365 admin center (
https://admin.microsoft.com). - In the left navigation, go to Support → Help & support.
- Open a new support request and clearly state:
- This new tenant is only for contacting support.
- The issue is a tenant lockout on a different existing Microsoft 365 Business Basic tenant.
- The locked tenant’s domain name and the global admin UPN.
- That there is only one global admin, who is locked out due to lost Microsoft Authenticator and no other MFA methods.
- Request escalation to the Data Protection team / Tenant Recovery to reset MFA and restore access.
- Be prepared to provide documentation proving ownership of the locked tenant.
- After the original tenant access is restored, cancel the trial subscription on the temporary tenant to avoid charges.
- If the tenant is managed by a partner If a Cloud Solution Provider (CSP) or other Microsoft partner manages the subscription:
- Contact the partner’s support and ask them to open a Microsoft support ticket on behalf of the tenant for a tenant lockout / admin MFA reset.
- Partners with GDAP and appropriate roles can sometimes help directly with password/MFA issues; otherwise they escalate to Microsoft.
- Important constraints
- Microsoft for Nonprofits and forum moderators cannot bypass identity verification or directly change tenant ownership or admin MFA; all such actions go through Microsoft 365 support and Data Protection processes.
- Support agents cannot send verification codes or change account details without going through the formal verification process.
- There is no supported self-service way to “bypass” MFA when the only global admin is locked out and no alternative methods are configured; support-assisted recovery is mandatory.
Once access is restored, immediately:
- Add at least one additional global admin.
- Configure multiple MFA methods (Authenticator on more than one device, phone/SMS, security key, etc.).
- Enable and configure self-service password reset (SSPR) for admins.
References:
- Troubleshoot sign-in issues and account access problems
- Solve account access problems
- Common problems with two-step verification for a work or school account
- Tenant access recovery
- Preventing tenant lockouts
- Troubleshoot sign-in problems with Conditional Access
- I cant log in to my business account because it is requiring Authenticator app which I do not have - Microsoft Q&A
- Global Admin Locked out - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A