Business tenant completely locked due to Microsoft Authenticator MFA – no accessible global admin

Question

Business tenant completely locked due to Microsoft Authenticator MFA – no accessible global admin

H 0

This is a business-blocking issue. We are currently unable to access essential Microsoft 365 services due to an MFA authentication loop.

We are a company based in Croatia using Microsoft 365 for daily business operations. Unfortunately, we are currently completely locked out of our tenant due to a Microsoft Authenticator MFA issue.

Our tenant was originally set up years ago and we never had a dedicated IT administrator managing it. At this moment no one in the company has working global admin access.

Current problem

When signing in to Microsoft services such as Teams and OneDrive (mobile) we are required to authenticate using Microsoft Authenticator.

The available options are:

Approve request

Send code

However, neither method works:

approval requests do not successfully complete

authentication codes are rejected

Because of this, we cannot sign in.

What we already tried

We have already attempted the following:

verified all account and security settings

tested multiple devices

tested multiple user accounts

tried different networks

worked with Microsoft Office customer support

Despite this, the issue could not be resolved.

Critical lockout loop

The logical solution would be to:

access admin settings

reset or remove Microsoft Authenticator / MFA

However, admin login itself requires Microsoft Authenticator, which is exactly the authentication method that currently fails.

This means we are stuck in a complete authentication loop and cannot access our own tenant to fix the issue.

Impact

This situation is now blocking our ability to use essential Microsoft services and directly affecting our business operations.

Questions

What is the official Microsoft process for recovering access to a Microsoft 365 tenant when there is no accessible global admin?

Is it possible for Microsoft to reset MFA / Microsoft Authenticator requirements at the tenant level in situations like this?

How can we initiate a tenant recovery procedure?

We can fully verify ownership of the company and tenant (domain ownership, billing records, company registration, etc.) if required by Microsoft support.

Any guidance would be greatly appreciated as this issue is currently preventing us from accessing critical services.

0 comments

2 answers

Your answer

Answer 1

Nam-D 3,395 Microsoft External Staff Moderator

Hello @H,

Based on the information you have shared, it appears that you are currently unable to access your tenant due to an MFA-related issue, and as a result, all Global Administrators are unable to sign in to Microsoft 365 services. In situations where access to the tenant has been lost, our Data Protection team can assist by using established tools and verification processes to confirm your identity and help restore secure access to your administrator account.

Please note that forum moderators have no control over user accounts, especially when it comes to logging in to your account, resetting your password, changing your access, etc.

Therefore, please try to find the related hotline number to call the frontline let them raise a ticket for you: Customer service phone numbers - Microsoft Support

Here are some tips and an example of a prompt to help you navigate the IVR more effectively:

(When you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)

In some regions, the initial interaction may be automated, so here’s a general idea of how the conversation might go to help you prepare:

What kind of problem are you experiencing?

Answer: Authenticator

What products do you use?

Answer: Office 365 for business

Is this for an education or company account?

Answer: For companies

Are you an administrator?

Answer: Yes

Are there any other administrators in your organization?

Answer: No. I am the only admin in my tenant

Do you need a... Service request?

Answer: Yes. I need to create a ticket. Please send me direct to the Data Protection Teams.

If your organization's Office 365 Business/Education subscription is from a partner or reseller, and the global administrator is unable to open a service request on your end, contact the reseller's support provider to help open a service request on behalf of you instead.

I hope this information helps you take the right steps to regain access to your account. If you have any updates or additional details, please feel free to leave a comment under this post. I’ll be happy to assist further within my scope.

H 0 Reputation points

2026-03-13T10:55:54.0066667+00:00

Thank you for trying to help, but as I said before, you can not call the cs in our area, the lines are dead (we tried calling cs in other eu countries - but the same reoccurs (they really gave their best to screw up their paying customers)). Do you maybe have an idea how to reach them by chat or e-mail?

Thank you
Nam-D 3,395 Reputation points Microsoft External Staff Moderator

2026-03-13T13:36:51.1733333+00:00
Hello @H,

Since the phone number structure is not working on your side, you can try set up a new trial tenant and submit your support request to the Microsoft Support team by:

Visit the Microsoft 365 Enterprise Plans page: Compare Office 365 Business Pricing and Plans | Microsoft 365.

Choose a plan and start a free trial: Select any of the available plans and click "Try for free" to begin the trial setup process.

Follow the guided setup: Complete the steps to create a new Microsoft account and a new tenant. This will be a separate and independent Microsoft 365 environment.

Once the new tenant is created, navigate to https://admin.microsoft.com/. Clicking on "Help & Support" on the bottom-right of the page.

When you open a support ticket, please make sure to turn off the Support Assistant (AI) in the help panel as shown in the screenshot, simply switch Support Assistant → Off, then type your issue description such as (losing access to account). Once the AI is off, the “Contact Support” button will appear normally, allowing you to submit a ticket directly. .

(Several customers have reported issues when the Support Assistant is turned on the system sometimes fails to display the “Contact Support” option)

Raise a support ticket: Describe your issue in detail. Crucially, you must clearly state that you are locked out of a different, pre-existing Microsoft 365 tenant where you are the only administrator. Provide the following information about your locked account:

Your administrator account email address for the locked tenant.

The domain name of your locked tenant

Any error messages you are receiving.

Details about the authentication issues you are experiencing.

Confirmation that you are the administrator of the locked tenant.

You can choose which method you prefer "Email" or "Phone".Finally, clicking on "Contact me".

Important notes:

This new trial tenant will not give you access to any of the data or settings in your original locked tenant. It is solely a temporary means to contact Microsoft support.

Be prepared for Microsoft support to ask for verification of your identity and administrative rights for the locked tenant.

The resolution time might be longer as you are contacting support from a different tenant.

Remember to cancel the trial subscription for the new tenant once your issue with the original account is resolved to avoid any unintended charges. You can typically do this within the Microsoft 365 Admin Center under "Billing" -> "Your products."

I hope Data Protection team can successfully revoke your access. If you need any further assistance or need help on any process, please feel free to reply.
H 0 Reputation points

2026-03-13T14:13:45.8566667+00:00

Thank you Nam-D, will try this approach for sure, it sounds reasonable and doable. Will make sure to give you feedback. Thanks!
Nam-D 3,395 Reputation points Microsoft External Staff Moderator

2026-03-13T15:10:54.8466667+00:00

Hello @H,Thanks for the update. I hope you’ll be able to access your tenant again very soon

Answer 2

The described situation matches a tenant lockout where no working global admin is available and MFA (Microsoft Authenticator) is blocking all access, including admin access. In this case, recovery must go through Microsoft support and the Microsoft Data Protection / Tenant Recovery process.

Based on the documented guidance and similar resolved cases, the path is:

Confirm there is truly no accessible global admin
- If there is any other global administrator or privileged admin who can sign in, that person can reset MFA for affected users:
  1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com).
  2. Go to Users → All users.
  3. Select the locked-out user.
  4. Open Authentication methods.
  5. Select Require re-register multifactor authentication.
    After this, the next sign-in will prompt the user to set up MFA again, breaking the loop.
- If no such admin exists or no admin can pass MFA, proceed to step 2.
Use the official Microsoft Data Protection / Tenant Recovery process
When there is only one global admin or no accessible global admin and MFA is blocking access, Microsoft’s Data Protection team has dedicated tools and procedures to verify identity and restore access. This is the official path in your scenario. To initiate this:
1. Call Microsoft support by phone for Microsoft 365 for business and request escalation to the Data Protection team for a tenant lockout / MFA issue. Use the country-specific number from:
  - Find Microsoft 365 for business support phone numbers by country or region.
2. When interacting with the automated system or agent, clearly state:
  - The issue is Authenticator / MFA.
  - The product is Office 365 / Microsoft 365 for business.
  - The account is a company (work) account.
  - Confirm that this is a tenant lockout, that no other global admin exists or is accessible, and that MFA is blocking all admin sign-in.
  - Request a service request and escalation to the Data Protection team for tenant recovery / MFA reset.
3. Be prepared to provide verification details such as:
  - Admin UPN / email address for the locked tenant.
  - Tenant domain name.
  - Billing information and subscription details.
  - Company registration and ownership documents.
  - Any other evidence requested to prove control of the organization and tenant.
The Data Protection team can, after verification, reset MFA / Authenticator requirements for the affected admin account(s) so that sign-in can succeed and new authentication methods can be registered. This is explicitly how similar “only global admin locked out by MFA” cases have been resolved.
If the tenant was purchased via a partner / reseller
- If a CSP or reseller manages the subscription and you cannot open a service request, contact the partner and ask them to open a Microsoft support request on your behalf.
- Partners with the appropriate GDAP roles (for example, Service Support Administrator) can raise support tickets for tenant lockout scenarios. See:
  - Granular delegated admin privileges (GDAP) introduction
  - Report problems on behalf of a customer
What Microsoft can do in this scenario
- When no global admin is available and MFA is blocking access, Microsoft support (via the Data Protection team) can:
  - Verify tenant ownership using billing, domain, and company documentation.
  - Reset MFA / Authenticator registration for the admin account(s) so that:
    - The admin can sign in with password only (temporarily), or
    - The admin is forced to re-register MFA on next sign-in.
- This is a controlled, manual process and only available through support after identity verification. It is not something that can be done self-service.
Future prevention once access is restored
After access is recovered, it is strongly recommended to:
- Configure at least two admin accounts, including emergency access (“break glass”) accounts that are excluded from MFA but protected with long, complex passwords, as described in:
  - Admin account security in Microsoft 365 for business
- Ensure there is at least one Privileged Authentication Administrator or another global admin who can reset MFA for others, per:
  - About administrator roles in the Microsoft 365 admin center
- Follow least-privilege guidance so that not all critical operations depend on a single global admin.

In summary:

The official recovery path when no global admin can pass MFA is to contact Microsoft 365 for business support by phone and have a ticket escalated to the Data Protection / Tenant Recovery team.
Yes, Microsoft can reset MFA / Authenticator requirements at the tenant/admin level in such verified lockout scenarios.
The tenant recovery procedure is initiated by opening a support request (directly or via a partner) and completing identity and ownership verification with the Data Protection team.

References:

H 0 Reputation points

2026-03-13T09:13:52.0866667+00:00

As usuall - thank you for nothing no help there - you are just instructing me to do what I have already done many times

In order to sign in and gain acess like u suggested in option 1. - you must use MS Authenticator app which DOES NOT WORK

option 2 . there is no functioning number of a cs - you can try calling sales deaprtment and to speak with a hman there but you end up transfered to some shady call centre with aggressive representatives demanding your mail and then sending you bounch of links (shady as well) and then demanding you to click on it while on the phone while becoming even more aggressive when they understand that you hesitate while trying to check if they are legit.

Share via

Business tenant completely locked due to Microsoft Authenticator MFA – no accessible global admin

2 answers

Your answer