![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 55.00000000000001%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
MFA for the only Global Administrator cannot be reset directly from portals when locked out. Recovery must go through Microsoft support and the Data Protection/Tenant Recovery process so identity and domain ownership can be verified.
Follow these steps:
- Prepare proof of ownership
- Collect official business documentation for the organization (registration documents, tax certificates, etc.).
- Ensure access to email addresses and evidence that the organization owns the domain
bctech.edu.vn(for example, domain registrar records or DNS control).
- Open a Microsoft support ticket for tenant lockout
- Go to the Microsoft global support phone numbers page: Customer service phone numbers - Microsoft Support.
- Call the number for the region and clearly state:
- This is a tenant lockout.
- The account is the only Global Administrator.
- MFA methods are no longer accessible (Authenticator not providing code/approval).
- Assistance is needed from the Data Protection team to reset admin credentials/MFA and verify ownership of the tenant and domain.
- Ask specifically for Data Protection / Tenant Recovery
- During the call, request creation of a service request and escalation to the Data Protection team.
- Explain that no other global admin exists who could use “Require re-register multifactor authentication,” so self-service or admin-based reset is impossible.
- Follow their instructions to submit required documentation and complete identity verification.
- What Microsoft’s Data Protection team can do
- According to the documented process, when locked out of a tenant with no other global admin, the Data Protection team can:
- Reset credentials of an administrator account.
- Help claim or confirm ownership of the tenant.
- After verification, they will reset MFA/credentials so sign-in can be completed and new authentication methods (including a new Authenticator registration) can be configured.
- According to the documented process, when locked out of a tenant with no other global admin, the Data Protection team can:
- If the tenant is associated with an unmanaged or partner-created directory
- If a Microsoft partner or reseller manages the tenant, contact that partner and ask them to open a support ticket on behalf of the organization for tenant lockout/MFA reset.
- If the domain is tied to an unmanaged directory, a global admin can perform an admin takeover after access is restored, as described in the admin takeover guidance.
Until Microsoft completes verification and resets the admin’s MFA/credentials, access cannot be restored by any portal or self-service flow.
References:
- Discover your Microsoft cloud footprint FAQ
- Tenant access recovery
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Microsoft Authenticator app doesn't show 6-digit OTP code - Microsoft Q&A
- Microsoft authenticator sending me into a spiral - Microsoft Q&A