Because the only global administrator is locked out by MFA and there are no other admins who can reset the authentication methods, this is a tenant lockout scenario that must be handled by Microsoft support/Data Protection.
Follow these steps:
- Try self‑service options first (if any other methods exist)
  - If there is any chance another MFA method or security info is still available (phone, email, alternate app), start sign‑in and, at the Verify your identity prompt, choose any available method.
  - If prompted and applicable, select I don't have any of these and follow the instructions to replace security info. Be aware this can trigger a 30‑day restriction before sign‑in is fully restored.
  - If you know the password but have lost all security info, follow the guidance under I've lost access to my security info for work or school accounts: begin sign‑in, select I don't have any of these, and complete the replacement process.
- If no MFA/security info method works and you remain locked out
  - This is the case described in the Microsoft Q&A threads where the only global admin loses access to Microsoft Authenticator and cannot complete MFA.
  - In such cases, recovery requires Microsoft’s Data Protection/Tenant Recovery team to verify tenant ownership and reset the MFA registration for the global admin.
- Contact Microsoft support by phone (primary path)
  - Call Microsoft 365 commercial support using the regional phone number listed under Customer service phone numbers - Microsoft Support for Brazil.
  - When connected to the IVR/agent, clearly state:
    - This is a Microsoft 365 for business / company account.
    - You are the only global administrator for the tenant.
    - You know the password but are locked out by MFA because Microsoft Authenticator was reset and it was the only configured method.
    - You need to create a service request with the Data Protection/Tenant Recovery team to reset the admin’s MFA methods.
  - Be prepared to provide business documentation and proof of domain/tenant ownership as requested.
- Alternative path if phone support is difficult to reach
  - As described in the Q&A guidance, if reaching a live agent is problematic, create a temporary trial Microsoft 365 tenant (with a different domain), sign in to its admin center, and open a support ticket from there.
  - In that ticket, request escalation to the Data Protection team for MFA reset on the original tenant, providing the affected tenant name and global admin UPN.
- After Microsoft completes verification
  - The Data Protection team will reset or clear the MFA registration for the global admin account on the locked tenant.
  - Sign in again with the global admin username and password; you should then be prompted to set up MFA from scratch.
  - Configure multiple methods (Authenticator plus phone, email, or passkey) to avoid future lockouts.
Self‑service and partner‑based recovery are not possible here because:
- There is no second global admin who can use Require re‑register multifactor authentication for the affected account.
- GDAP/partner scenarios do not apply unless a partner with appropriate roles exists for this tenant.
- Microsoft for Nonprofits and general support cannot bypass identity verification; all access decisions go through standard Microsoft 365/Data Protection processes.
References:
- Preventing tenant lockouts
- Tenant access recovery
- Common problems with two-step verification for a work or school account
- Mandatory multifactor authentication for Azure and admin portals
- Restore account credentials from Microsoft Authenticator
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Global Admin Locked out - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
- I need to reset my mfa methods - Microsoft Q&A
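
A check for the two conditions behind this lockout (a single Global Administrator, and an admin with only one registered method besides the password), as an added example that is not part of the original answer or Microsoft's own tooling. It assumes the role members and each admin's authentication methods were already exported from Microsoft Graph as JSON; the function names and the sample data are constructed for illustration.

```python
"""Lockout-risk check over exported Microsoft Graph data (added example)."""

# Well-known role template ID of the Global Administrator role, used as
# GET /directoryRoles(roleTemplateId='<id>')/members to list role members.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
PASSWORD_TYPE = "#microsoft.graph.passwordAuthenticationMethod"


def second_factor_types(methods):
    """Distinct non-password method types from
    GET /users/{id}/authentication/methods (the 'value' array)."""
    types = {m.get("@odata.type", "") for m in methods}
    return sorted(t.rsplit(".", 1)[-1] for t in types if t and t != PASSWORD_TYPE)


def lockout_risks(role_members, methods_by_user):
    """Return one finding per condition that can end in a tenant lockout."""
    findings = []
    if len(role_members) < 2:
        findings.append(f"TENANT: only {len(role_members)} Global Administrator(s)")
    for admin in role_members:
        factors = second_factor_types(methods_by_user.get(admin["id"], []))
        if len(factors) < 2:
            findings.append(
                f"{admin['userPrincipalName']}: "
                f"{len(factors)} method(s) besides password {factors}"
            )
    return findings


# Constructed sample shaped like the Graph responses: one admin whose only
# method besides the password is Microsoft Authenticator.
SAMPLE_MEMBERS = [{"id": "u1", "userPrincipalName": "admin@contoso.example"}]
SAMPLE_METHODS = {
    "u1": [
        {"@odata.type": PASSWORD_TYPE},
        {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"},
    ],
}

if __name__ == "__main__":
    for line in lockout_risks(SAMPLE_MEMBERS, SAMPLE_METHODS):
        print(line)
```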