Microsoft Security | Microsoft Entra | Microsoft Entra ID

Gattyán László 0 Reputation points
2026-03-11T16:27:09.38+00:00

@Raja Pothuraju

Hello Microsoft Community,

I’m the only Global Administrator on our Microsoft Entra ID tenant.

I recently attempted to disable MFA from the Admin Portal after not receiving push notifications from Microsoft Authenticator. However, after making this change, I was completely locked out of my account.

I can no longer receive push notifications or verification codes on the Microsoft Authenticator app. I do not have access to any alternate MFA methods (SMS, email, or backup admin).

I have the password to the admin account, but I am in a circular loop of trying to authenticate the access. Even trying to log a ticket, I need to get into the account to do it but I can't authenticate the access.

If needed, I can provide subscription or invoice information and verify my identity in any other way necessary.

@Raja Pothuraju I have seen you help other individuals on this issue. Can you please help me connect with the Data Protection team too?

This is a critical issue as I am the only admin on the tenant, and I am now unable to manage or access our Microsoft 365 services.

Thanks,

Laszlo

  1. Q&A Assist
    2026-03-11T16:27:34.2333333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    This scenario is a tenant lockout where the only Global Administrator is unable to complete MFA and there is no alternate method or backup admin available. Recovery requires Microsoft’s Data Protection / Tenant Recovery process via a support ticket; it cannot be fixed from the portals alone.

    Follow these steps:

    1. Confirm there is truly no other Global Admin
      If there is any other Global Administrator in the tenant, that admin can reset MFA for the locked-out account:
      • Sign in to the Microsoft Entra admin center.
      • Go to Users → All users → select the locked-out admin account.
      • Open Authentication methods.
      • Select Require re-register multifactor authentication.
        Next sign-in for that admin will prompt for fresh MFA setup.
    2. If there is no other Global Admin (your case)
      This is a tenant lockout with a single Global Admin. In this situation, Microsoft’s Data Protection team must verify identity and reset MFA/restore access. To reach them:
      1. Call Microsoft support using the official business support phone number for the region:
        Use Customer service phone numbers - Microsoft Support as listed in the context.
      2. When calling, clearly state:
        • This is a business / company Microsoft 365 or Entra ID tenant.
        • You are the only Global Administrator.
        • You are locked out due to MFA (Authenticator not working, no alternate methods).
        • You need a service request and escalation to the Data Protection / Tenant Recovery team to reset MFA / restore access.
      3. Be prepared to provide:
        • Admin UPN (sign-in email) for the locked tenant.
        • Tenant domain name.
        • Subscription or invoice details and any business verification documents requested.
      In some regions, the phone system uses an automated assistant. Typical flow (adapt as needed):
      • Problem type: say “Authenticator” or “Multi-factor authentication”.
      • Product: “Office 365 for business” or “Microsoft 365 for business”.
      • Account type: “Company account”.
      • Are you an admin?: “Yes”.
      • Any other admins?: “No, I am the only Global Administrator.”
      • When asked about a service request: “Yes, I need to create a ticket and speak with the Data Protection team.”
    3. If the tenant was purchased via a partner/reseller
      If the Microsoft 365 subscription came through a CSP/partner, and the Global Admin cannot open a ticket:
      • Contact the partner’s support and ask them to open a Microsoft support request on behalf of the tenant for tenant lockout / MFA lockout for only Global Admin.
    4. Optional: create a temporary trial tenant to open a ticket
      If direct phone support is difficult to reach, another pattern used in similar cases is:
      • Create a new, separate Microsoft 365 trial tenant (this does not give access to the locked tenant’s data).
      • Sign in to the Microsoft 365 admin center of the trial tenant.
      • Go to Support → Help & support and open a ticket describing:
        • That the issue is with a different existing tenant.
        • You are the only Global Admin on that locked tenant.
        • You are MFA-locked out and need Data Protection / Tenant Recovery assistance.

    Once Data Protection verifies ownership, they can reset MFA or otherwise restore access to the Global Admin account so tenant management can resume.

    After recovery, configure:

    • At least two Global Admin accounts with different credentials and MFA methods.
    • Emergency/break-glass accounts excluded from Conditional Access and with strong passwords, as recommended in the tenant lockout guidance.

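The post-recovery configuration named in the answer above (at least two Global Admins, more than one MFA method per admin, break-glass accounts excluded from Conditional Access) can be checked before a lockout happens. The following is an added example, not part of the original thread or any Microsoft tooling: it runs offline over constructed data whose field names follow Microsoft Graph JSON, and the function name, sample IDs and `contoso.example` UPN are assumptions.

```python
# Added example: offline lockout-readiness check over CONSTRUCTED sample data.
# Field names follow Microsoft Graph JSON (role members, authentication
# methods, Conditional Access policies); exporting them is assumed, not shown.
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"

def lockout_risks(admins, methods_by_user, ca_policies, break_glass_ids):
    """Return findings that could lead to a single-admin MFA lockout."""
    findings = []
    if len(admins) < 2:
        findings.append(f"only {len(admins)} Global Administrator account(s)")
    for admin in admins:
        # A password is not a second factor, so it is left out of the count.
        types = {m["@odata.type"] for m in methods_by_user.get(admin["id"], [])}
        mfa = types - {PASSWORD}
        if len(mfa) < 2:
            findings.append(f"{admin['userPrincipalName']}: {len(mfa)} MFA method(s), no fallback")
    if not break_glass_ids:
        findings.append("no emergency (break-glass) account designated")
    for policy in ca_policies:
        if policy["state"] != "enabled":
            continue  # disabled and report-only policies do not block sign-in
        users = policy["conditions"]["users"]
        # Simplification: exclusions made through groups or roles are not resolved.
        missing = set(break_glass_ids) - set(users.get("excludeUsers", []))
        if "All" in users.get("includeUsers", []) and missing:
            findings.append(f"policy '{policy['displayName']}' applies to break-glass {sorted(missing)}")
    return findings

# CONSTRUCTED sample resembling the situation in the question:
# one admin, Authenticator as the only MFA method, no exclusions.
SAMPLE_ADMINS = [{"id": "u1", "userPrincipalName": "admin@contoso.example"}]
SAMPLE_METHODS = {"u1": [{"@odata.type": PASSWORD},
                         {"@odata.type": AUTHENTICATOR}]}
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
    {"displayName": "Pilot policy", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
]

if __name__ == "__main__":
    for finding in lockout_risks(SAMPLE_ADMINS, SAMPLE_METHODS, SAMPLE_POLICIES, ["bg1"]):
        print("RISK:", finding)
```

An empty result means none of the three conditions was found in the supplied data; exclusions granted through groups still need a manual check.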
