
locked out of my admin account

RemiDes 10 Reputation points
2026-03-24T02:15:32.3+00:00

I am the only Global Administrator for our Microsoft 365 tenant and I am currently locked out of my admin account. Issue: MFA is enabled by default for the Global Admin.


2 answers

  1. Darren-Ng 9,275 Reputation points Microsoft External Staff Moderator
    2026-03-24T02:46:14.51+00:00

    Dear @RemiDes,

    Thank you for posting your question in the Microsoft Q&A forum.

    Based on your description, you are locked out of your admin account, and you are the only Global Admin, because MFA is enabled by default for the Global Admin.

    In this scenario, contacting Microsoft Support is the only available option to recover access to your account. You can reach out to them via the phone service number: Customer service phone numbers - Microsoft Support. The agent will be able to create a ticket for you under the affected tenant and then transfer this ticket to the Data Protection team, who could help you regain access.

    To help you navigate the automated phone system (IVR), here's an example of what the conversation might look like:

    IVR: What kind of problem are you worried about?

    You: Admin account locked

    IVR: What kind of product do you use?

    You: Office 365 for business

    IVR: Does it count for education or business?

    You: For Business

    IVR: Are you an admin?

    You: Yes

    IVR: Do you have another administrator in your organization?

    You: No

    IVR: Need a service request?

    You: Yes

    This should help you connect with a live support agent who can help you directly.

    If you can't create a support ticket during the call, I recommend creating a temporary tenant account and submitting the support request from there. To create a new tenant, follow these steps:

    1. Visit Office 365 E3 - Enterprise Collaboration and Productivity | Microsoft
    2. Select any plan and click Try for free.
    3. Complete the setup to create a new tenant.
    4. Ticket support: In the Microsoft 365 admin center, go to Support > Help & support. You can create a support ticket: https://admin.microsoft.com/#/support/requests

    Important: Please remember to cancel the trial subscription once your issue is resolved to avoid any charges.   

    I hope the information above can help you resolve the issue. If you have any other questions, please feel free to leave a comment below.



  2. Q&A Assist
    2026-03-24T02:15:57.01+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Follow these steps to regain access when the only Global Administrator is locked out due to MFA:

    1. Confirm there are no other admins
      • If there is any other Global Administrator or a Privileged Authentication Administrator in the tenant, that account can reset the locked-out admin’s authentication methods or password.
      • If there truly are no other admins, proceed to step 2.
    2. Use self-service password reset (SSPR) if enabled
    3. Contact Microsoft Data Protection / Tenant Recovery
      • Because the tenant has only one Global Administrator and that admin is locked out by MFA, recovery must be handled by Microsoft’s Data Protection team.
      • From a phone, call Microsoft support using the regional number listed under Find Microsoft 365 for business support phone numbers by country or region.
      • When prompted by the automated system, clearly indicate:
        • The issue is with Authenticator / MFA.
        • The product is Office 365 / Microsoft 365 for business.
        • The account is a company (work) account.
        • The caller is the only Global Administrator and is locked out.
        • A service request is needed and the call must be routed to the Microsoft 365 Data Protection team (or Tenant Recovery / Data Protection).
      • The Data Protection team will verify identity and ownership of the tenant and then reset MFA or otherwise restore access to the Global Admin account.
    4. If direct phone routing fails, open a ticket from another tenant
      • If support cannot be reached or routed correctly, create a temporary new Microsoft 365 tenant (for example, via a trial subscription) and sign in to its admin center.
      • From that new tenant’s Help & support section, open a support ticket explicitly stating:
        • The issue is a tenant lockout on a different existing tenant.
        • The caller is the only Global Administrator of that locked tenant.
        • MFA is blocking access and needs to be reset by the Data Protection team.
      • This temporary tenant is only a channel to contact support; it does not provide access to data in the locked tenant.
    5. After access is restored, harden admin access to prevent future lockouts
      • Create at least two Global Admin accounts with distinct credentials and MFA methods.
      • Configure emergency access (“break glass”) accounts that are excluded from MFA/Conditional Access, have long complex passwords, and are used only for emergencies.
      • Follow the least privilege principle and keep the number of Global Admins as low as possible, while ensuring at least one other role (such as Privileged Authentication Administrator) can reset admin passwords.
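
The hardening checks in step 5 can be run as a recurring audit. The following is an added example, not part of either answer or of any Microsoft tooling: it reads a constructed export shaped like Microsoft Graph's `conditionalAccessPolicy` objects and flags a tenant with fewer than two Global Administrators or an emergency account still covered by an enabled policy. The `roleMembers` wrapper, the user IDs and the function name are assumptions made for the example.

```python
import json

# Well-known role template ID for Global Administrator in Microsoft Entra ID.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample export (not from a real tenant). "roleMembers" is a
# hypothetical wrapper; each policy follows Graph's conditionalAccessPolicy shape.
SAMPLE = json.loads("""
{"roleMembers": {"62e90394-69f5-4237-9190-012177145e10": [
    {"id": "u-admin1"}, {"id": "u-bg1"}]},
 "conditionalAccessPolicies": [
  {"displayName": "Require MFA for admins", "state": "enabled",
   "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
                            "excludeUsers": ["u-bg1"]}}},
  {"displayName": "Block legacy auth", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}},
  {"displayName": "Pilot policy", "state": "disabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}}}]}
""")

def audit_lockout_risk(data, emergency_ids):
    """Return findings that could leave the tenant with no usable admin sign-in."""
    findings = []
    admins = {m["id"] for m in data["roleMembers"].get(GLOBAL_ADMIN, [])}
    if len(admins) < 2:
        findings.append(f"only {len(admins)} Global Administrator(s); need at least 2")
    for eid in emergency_ids:
        if eid not in admins:
            findings.append(f"emergency account {eid} is not a Global Administrator")
    for policy in data["conditionalAccessPolicies"]:
        if policy["state"] != "enabled":
            continue  # disabled and report-only policies do not block sign-in
        users = policy["conditions"]["users"]
        for eid in emergency_ids:
            targeted = ("All" in users.get("includeUsers", [])
                        or eid in users.get("includeUsers", [])
                        or (eid in admins and GLOBAL_ADMIN in users.get("includeRoles", [])))
            # Group-based include/exclude is not evaluated here.
            if targeted and eid not in users.get("excludeUsers", []):
                findings.append(f"policy '{policy['displayName']}' applies to emergency account {eid}")
    return findings

if __name__ == "__main__":
    for finding in audit_lockout_risk(SAMPLE, ["u-bg1"]):
        print("FINDING:", finding)
```

On the constructed sample, the MFA policy correctly excludes the emergency account, while the legacy-authentication policy still applies to it and is reported.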
