Admin Account Locked Out Due to Lost Microsoft Authenticator Access

Question

Hello Microsoft Support Team,

I am the Global Administrator for our Microsoft 365 tenant, but I am currently locked out of my account due to multi-factor authentication (MFA).

I recently upgraded my phone and no longer have access to my previous device where Microsoft Authenticator was configured. Unfortunately, I did not enable cloud backup for the Authenticator app, and I no longer have the old phone. When I attempt to sign in, the system only asks for verification through Microsoft Authenticator, and there are no alternative authentication methods available.

Since I am the only Global Administrator for this tenant, I am unable to reset my MFA settings or re-register the Authenticator app from the admin portal.

I would greatly appreciate your assistance in verifying my identity and helping reset or remove the MFA requirement for my administrator account so that I can regain access and configure MFA again on my new device.

Please let me know if you require any information to verify my identity or ownership of the tenant.

Thank you for your assistance.

Answer 1

Hi @Abi Nguyen,

Thank you for posting your question in the Microsoft Q&A forum.      

I’m very sorry to hear about your situation. Regarding that you can't log in to your admin account. 

If you don't have any other admin account in this situation, the Microsoft Data Protection team has tools and processes in place to verify identity and regain access to administrator accounts.    

Please note that forum moderators have no control over user accounts, especially when it comes to logging in to your account, resetting your password, changing your access, etc.    

Therefore, If you are the only administrator in your organization,  then you need to involve Microsoft data protection team. Please try to find the related hotline number to call the frontline let them raise a ticket for you: Customer service phone numbers - Microsoft Support 

*(Important Note: Depending on your country or region, when you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)     

In some countries, this is an automated conversation: First, when you call the hotline, they will ask you what kind of problem you are struggling with.    

Answer: Authenticator.    

A: What products do you use?    

B: Office 365 for business.    

Verification: Education or company account?    

B: For companies    

A: Are you an administrator?    

B: Yes.    

A: Are there any other administrators in your organization?    

B: No.    

A: I need one.... Service request?    

B: Yes    

If your organization's Office 365 Business/Education subscription is from a partner or reseller, and the global administrator is unable to open a service request on your end, contact the reseller's support provider to help open a service request on behalf of you instead.    

Alternatively, you can try set up a new trial tenant and submit your support request:   

1. Visit the Microsoft 365 Enterprise Plans page: Go to Compare Office 365 Enterprise Pricing and Plans | Microsoft 365.   
2. Choose a plan and start a free trial: Select any of the available plans and click "Try for free" to begin the trial setup process.   
3. Follow the guided setup: Complete the steps to create a new Microsoft account and a new tenant. This will be a separate and independent Microsoft 365 environment.   
4. Access the Microsoft 365 Admin Center: Once the new tenant is created, navigate to https://admin.microsoft.com/.   
5. Go to Support: In the left-hand navigation menu, click on "Support" and then "Help & support."   
6. Raise a support ticket: Describe your issue in detail. Crucially, you must clearly state that you are locked out of a different, pre-existing Microsoft 365 tenant where you are the administrator. Provide the following information about your locked account:    
   • Your administrator account email address for the locked tenant.   
   • The domain name of your locked tenant    
   • Any error messages you are receiving.   
   • Details about the authentication issues you are experiencing.   
   • Confirmation that you are the administrator of the locked tenant.   
7. Submit your ticket: Follow the prompts to submit your support request. You will likely receive a ticket number for tracking.   

When you open a support ticket, please make sure to turn off the Support Assistant (AI) in the help panel.  

Several customers have reported issues when the Support Assistant is turned on  the system sometimes fails to display the “Contact Support” option.  

As shown in the screenshot, simply switch Support Assistant → Off, then type your issue description.  Once the AI is off, the “Contact Support” button will appear normally, allowing you to submit a ticket directly.  

Important notes:    

• This new trial tenant will not give you access to any of the data or settings in your original locked tenant. It is solely a temporary means to contact Microsoft support.   
• Be prepared for Microsoft support to ask for verification of your identity and administrative rights for the locked tenant.   
• The resolution time might be longer as you are contacting support from a different tenant.   
• Remember to cancel the trial subscription for the new tenant once your issue with the original account is resolved to avoid any unintended charges. You can typically do this within the Microsoft 365 Admin Center under "Billing" -> "Your products."   

I hope these steps will help resolve your issue. If you need further assistance, we are always here to help.     

Thank you again for your time and understanding. While my initial response may not resolve the issue immediately, I’d like to gather more details about your situation so I can assist you more effectively.    

I really appreciate your patience, and I’m here to help. Looking forward to your response.   

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".    

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread

Answer 2

Because the only registered MFA method is Microsoft Authenticator on a device that is no longer available and there are no other global admins who can reset MFA, this is a tenant lockout scenario that must be handled by Microsoft support/Data Protection.

Use the following supported paths:

1. If there is any other global admin
   • Another global admin can reset the MFA registration so the account can set up Authenticator again:
     1. Sign in to the Azure portal as a global admin.
     2. Open Microsoft Entra ID → Users.
     3. Select the locked-out admin account.
     4. Go to Authentication methods.
     5. Select Require re-register multifactor authentication.
     6. The next time the locked-out admin signs in, MFA registration will be prompted again on the new device.
2. If there is no other global admin (sole admin on the tenant)
   • This must be handled by Microsoft’s Data Protection team; forum moderators or normal support channels cannot directly change MFA for the account.
   • Call Microsoft support using the global customer service phone numbers for Microsoft 365 for business: Find Microsoft 365 for business support phone numbers by country or region.
   • When navigating the phone/IVR system, clearly state:
     • The issue is with Authenticator / multi-factor authentication.
     • The product is Office 365/Microsoft 365 for business.
     • It is a company/work account.
     • Confirm being an administrator and that there is no other administrator.
     • Request creation of a service request and escalation to the Data Protection team or Tenant Recovery to reset the admin’s MFA methods.
   • Be prepared to provide tenant and identity verification information (admin UPN, tenant domain, business details, contact info, etc.) as requested by the Data Protection engineer.
3. Alternative escalation path if phone support is hard to reach
   • Create a temporary trial tenant, then use that tenant to open a support ticket on behalf of the locked tenant:
     1. Sign up for a Microsoft 365 trial subscription and complete tenant creation.
     2. Go to the new tenant’s Microsoft 365 Admin Center → Support → Help & support.
     3. Open a support ticket explaining that the request is for a different existing tenant where the global admin is locked out due to MFA and is the only admin.
     4. Ask that the case be routed to the Data Protection team for MFA reset/tenant recovery on the original tenant.
   • After the original tenant access is restored, cancel the trial subscription on the temporary tenant to avoid charges.
4. If the account is a work/school account with an organization help desk
   • If the tenant is managed by an organization IT department or partner, contact the organization’s Help desk or partner first. They can:
     • Clear MFA settings so that registration is required again at next sign-in, or
     • Work with Microsoft support on behalf of the tenant.

Once Microsoft support/Data Protection has reset the MFA methods, sign in again, complete MFA registration on the new phone, and add multiple verification methods (for example, Authenticator plus phone/SMS or security key) and, if allowed by policy, a break-glass admin account to prevent future lockouts.

---

References:

• Can't use Azure Multi-Factor Authentication to sign in to cloud services after you lose your phone or the phone number changes
• You don't receive a text or voice call that contains the verification code for Microsoft Entra multifactor authentication
• Common problems with two-step verification for a work or school account
• Preventing tenant lockouts
• Global Admin Locked out - Microsoft Q&A
• How Do I Regain Access to My Account After Losing Access to Microsoft Authenticator? (Urgent Request). - Microsoft Q&A
• Requesting a Tenant Admin MFA Reset - Microsoft Q&A
• I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
• Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
• Restore account credentials from Microsoft Authenticator