Kein Zugriff mehr auf Microsoft 365 Tenant – einziger Global Admin – MFA/Authenticator verloren

Question

Guten Tag,

ich bin der einzige Global Administrator unseres Microsoft 365 / Microsoft Entra Tenants und habe keinen Zugriff mehr auf mein Konto. Der Zugriff scheitert an der Multi-Faktor-Authentifizierung, weil mein Microsoft Authenticator nicht mehr verfügbar ist. Es sind keine alternativen Anmeldemethoden hinterlegt, und ich kann mich daher weder im Microsoft 365 Admin Center noch in Office 365 anmelden. Ich bitte um Unterstützung bei Tenant Access Recovery bzw. beim Zurücksetzen der MFA-Registrierung nach Identitätsprüfung. Bitte teilen Sie mir mit, welche Nachweise ich zur Verifizierung meiner Identität und meiner Admin-Berechtigung einreichen muss. Angaben:

• Betroffener Admin-Account: d******@deutschreal.at
• Tenant-/Domänenname: deutschreal.at
• Firma: DEUTSCH REALITÄTEN e.U.
• Rückrufnummer: +436764835628
• Alternative E-Mail-Adresse: ******@yahoo.de

Ich bitte Sie um schnellstmögliche Unterstützung, da ich meinen Kunden nicht antworten kann und sie nicht wissen, warum das so ist.

Vielen Dank.
Daniel Deutsch

Answer 1

Support for German language is not available. The following steps describe how tenant access recovery and MFA reset work for a single global admin who has lost Microsoft Authenticator access.

Because there is no second global administrator in the tenant who could reset multifactor authentication, recovery must be handled directly by Microsoft support / Data Protection.

1. Use official Microsoft support channels
   • As the only global admin who is locked out, contact Microsoft via the global customer service phone numbers: see global support phone numbers / global customer service phone numbers in the references below.
   • Clearly state:
     • That this is a tenant lockout and
     • That this is a single global administrator scenario and
     • That MFA (Microsoft Authenticator) is the only registered method and is no longer available.
   • Ask specifically for a case to be opened with the Data Protection / Tenant Recovery team to reset MFA / authentication methods for the global admin account.
2. What Microsoft typically verifies (identity and admin rights) Based on the documented processes, Microsoft may request one or more of the following to verify identity and tenant ownership:
   • Official business documentation (for example, company registration documents matching the tenant organization name).
   • Proof of domain ownership for the tenant’s primary domain (for example, ability to modify DNS records for deutschreal.at).
   • Publicly listed registration data for the organization (for example, public business registry entries that match the tenant name and domain).
   • Contact details that can be matched to the organization (phone, alternative email, etc.).
   The exact list and format of documents is determined during the support case by the Data Protection team; they will tell what to submit and how.
3. If support is hard to reach
   • If direct phone support is difficult to navigate, one documented workaround is to create a temporary trial tenant (for example, a Microsoft 365 trial), sign in as its admin, and then open a support ticket from that new tenant, explicitly stating that the problem concerns a different existing tenant where you are locked out as the only global admin. The support engineer can then route the case to the Data Protection team for the original tenant.
4. No self-service recovery in this scenario
   • Self-service options (password reset, MFA reset, alternate methods) require either:
     • Another global admin, or
     • Pre-configured alternate verification methods.
   • In the described situation (single global admin, only Authenticator configured, device lost), recovery is only possible through Microsoft support and identity verification. Forum moderators or documentation cannot bypass this.

Prepare in advance:

• Company registration documents for DEUTSCH REALITÄTEN e.U.
• Any documentation showing control of the domain deutschreal.at (or readiness to add/modify a DNS record if requested).
• Contact details that match the organization.

Once Data Protection has verified identity and tenant ownership, they can reset the MFA registration for the global admin so that sign-in is again possible and new authentication methods (Authenticator on the new phone, SMS, etc.) can be configured.

---

References:

• Tenant access recovery
• Preventing tenant lockouts
• Tenant inaccessible due to inactivity
• Can't use Azure Multi-Factor Authentication to sign in to cloud services after you lose your phone or the phone number changes
• You don't receive a text or voice call that contains the verification code for Microsoft Entra multifactor authentication
• Common problems with two-step verification for a work or school account
• Use a screen reader to set up and troubleshoot multifactor authentication
• Microsoft authenticator sending me into a spiral - Microsoft Q&A
• Requesting a Tenant Admin MFA Reset - Microsoft Q&A
• I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
• Global Admin Locked out - Microsoft Q&A
• Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A