Share via

MFA reset Microsoft 365 admin locked out

Mathias Oboh 0 Reputation points
2026-03-20T06:53:22.8633333+00:00

I am locked out of my Microsoft 365 admin account due to lost Microsoft Authenticator device. Tenant name: Matnode Tenant ID: 6a85d17e-3574-4549-bda8-5164c9d39bdd Admin username: ******@Matnodeoffice.onmicrosoft.com I still have access to my domain email ******@matnode.com and can verify ownership. I need MFA reset and admin access restoration.

Microsoft Security | Microsoft Authenticator
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-03-20T06:53:51.74+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Because the only Global Administrator is locked out by MFA and there is no other admin who can reset the authentication methods, recovery must go through Microsoft’s Data Protection / Tenant Recovery process. Forum moderators and tools outside Microsoft support cannot directly reset MFA or restore access.

    Follow these steps:

    1. Confirm there is no other admin who can reset MFA
      • If there is any other Global Administrator or Privileged Authentication Administrator in the tenant, that admin should:
        1. Sign in to the Microsoft Entra admin center (https://entra.microsoft.com).
        2. Go to Users > All users and select the locked-out admin account.
        3. Open Authentication methods.
        4. Select Require re-register multifactor authentication.
        5. The next sign-in for that admin will prompt for MFA setup again, allowing registration of a new device/method.
      • If such an admin exists and performs these steps, no Microsoft support escalation is required.
    2. If you are the only Global Admin (tenant lockout)
      When there is no other admin with rights to reset MFA, this is treated as a tenant lockout. In this case, only Microsoft support (Data Protection team) can help:
      1. Call Microsoft global customer service using the phone number for the country/region from:
      2. When connected to the IVR/agent, clearly state:
        • This is a Microsoft 365 for business / company account.
        • The caller is the only Global Administrator for the tenant.
        • The admin is locked out due to Microsoft Authenticator / MFA and cannot access the admin portal to open a ticket.
        • A Data Protection / Tenant Recovery case is needed to reset MFA methods for the tenant admin.
      3. Work with the support agent to pass verification. The Data Protection team will validate tenant ownership (they may use domain email, business documentation, etc.) and then reset the MFA registration for the admin account.
      4. After MFA is reset, sign in again with the existing password and complete MFA registration on the new device.
    3. Alternative path if unable to reach a live agent
      If it is impossible to reach an agent directly via phone in the region:
      • Create a temporary new tenant by signing up for a Microsoft 365 trial subscription.
      • From that new tenant’s admin center, open a support ticket and request to speak with the Data Protection team on behalf of the locked-out tenant, explaining that the original tenant’s only Global Admin is locked out by MFA.
      • Support can then route the case appropriately and proceed with verification and MFA reset for the original tenant.
    4. Future prevention once access is restored
      After regaining access:
      • Add at least one additional Global Administrator or Privileged Authentication Administrator so that a future lockout can be resolved internally.
      • Configure multiple MFA methods (e.g., Microsoft Authenticator on more than one device, phone, or other supported methods) to avoid a single point of failure.
      • Follow the security guideline to keep the number of Global Administrators low, but ensure at least one other admin can reset a Global Admin’s password or MFA.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.