
Microsoft Entra tenant lockout – lost admin access to tenant

harmeet singh 45 Reputation points
2026-03-27T17:27:23.56+00:00

Hello Microsoft Community,

I need urgent help recovering access to my Azure / Microsoft Entra tenant. I would have made a support ticket, but because I am unable to access my Azure portal, I cannot create one. I had received support from a representative previously, which is how I got the contact emails, but I am unable to get a response. I would appreciate it if you could advise me on what steps to take from here or how to properly contact support.

Problem summary


I believe I accidentally deleted the identity that had the effective admin access in my tenant.

This account previously had access to the tenant/subscription, but now it fails with:

AADSTS50020

AADSTS16000

The error states that the account from identity provider live.com does not exist in tenant Default Directory / Microsoft Services and needs to be added as an external user in the tenant first.

Current state

  • My email can no longer authenticate into the tenant properly.
  • Azure CLI local profile still shows the subscription, but fresh token acquisition fails.
  • I was able to sign in with an older billing-related Microsoft account and reach the tenant shell for tenant [Redacted Tenant ID].
  • However, that account only appears as a basic User and gets 403 / No access on admin pages.
  • I currently do not appear to have a working tenant administrator account.

I had created another user with full access, but I believe when I deleted this user, I didn't realize my primary account was no longer the main admin account.

This appears to be a tenant lockout / lost admin access situation.

Please route this case to the Data Protection / Tenant Recovery team and help me do one of the following:

  • Restore the deleted admin-capable user if it is still within the recovery window, or
  • Restore / re-establish access for my primary account, or
  • Recreate a valid admin path for this tenant so I can manage the Azure Sponsorship subscription again.

Example recent errors

AADSTS50020: User account from identity provider 'live.com' does not exist in tenant 'Default Directory'

AADSTS16000: User account from identity provider 'live.com' does not exist in tenant 'Microsoft Services'

Portal admin pages with fallback account return 403 No access

If needed, I can provide additional proof of ownership and any verification details required to the support team privately.

It's been almost a week now and I am not getting any responses to my emails. Can someone please tell me what steps I need to take to resolve this issue?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

  1. Q&A Assist
    2026-03-27T17:27:50.24+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    This scenario matches a tenant lockout / loss of all global administrator access. Recovery must be handled by Microsoft support and, specifically, the Data Protection / Tenant Recovery team. The required steps are:

    1. Use any account that can still sign in
      • Use the billing-related Microsoft account that can still sign in (even if it only has basic User access) to reach a Microsoft entry point where a support request can be created.
      • If that account cannot open a support ticket in the Azure portal or Microsoft 365 admin center, use one of the options below.
    2. Contact Microsoft support directly (Data Protection / Tenant Recovery)
      • Call Microsoft using the global customer service phone numbers: see the global support phone numbers link in the documentation.
      • Clearly state during the IVR / to the agent that:
        • This is a tenant lockout / lost global admin access scenario.
        • The tenant ID (the one you redacted) and the primary admin UPN that lost access.
        • There is no other global administrator on the tenant.
      • Ask to create a service request and route it to the Data Protection team (sometimes called Data Protection / Tenant Recovery) to:
        • Restore a deleted admin-capable user (if still in the soft-delete window), or
        • Re-establish admin access for the primary account, or
        • Otherwise recreate a valid global admin path for the tenant.
    3. If phone support is difficult to reach, create a temporary tenant to open a ticket
      • Create a new trial Microsoft 365 or Azure tenant (separate from the locked tenant).
      • Sign in to that new tenant’s admin portal (Microsoft 365 admin center or Azure / Entra admin center) as its global admin.
      • From there, open a support request explicitly stating:
        • You are locked out of a different, existing tenant where you are (or were) the global admin.
        • Provide the locked tenant ID, primary admin UPN, and the exact error codes (AADSTS50020, AADSTS16000, 403 on admin pages).
        • Request escalation to the Data Protection team to restore admin access to the original tenant.
    4. While the case is in progress
      • Do not submit multiple parallel assistance requests for the same tenant; wait for the Data Protection team’s response once a case is opened.
      • Be prepared to provide proof of ownership and identity (business documentation, billing details, etc.) as requested by support.
    5. For future prevention (once access is restored)
      • Ensure there are at least two global administrators in the tenant.
      • Regularly review admin accounts and roles and avoid deleting the last admin or the last account with effective admin access.

    Only Microsoft support (via the Data Protection / Tenant Recovery process) can re-establish global admin access in this situation; it cannot be fixed from the outside with CLI, portal tricks, or self-service tools once all admin paths are lost.
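
The prevention step in the answer above (keep at least two global administrators, never delete the last account with effective admin access), written as a pre-deletion check over an exported role membership list. This is an added example, not part of the original question or answer: the export layout, ids and UPNs are constructed, and not counting disabled or external (`Guest` / `#EXT#`) accounts toward the minimum is a conservative assumption of this example.

```python
import json

# Well-known roleTemplateId of the built-in Global Administrator role.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
MIN_ADMINS = 2  # the answer's recommendation: at least two global administrators

# Constructed sample: role members with the user properties Microsoft Graph
# exposes (id, userPrincipalName, userType, accountEnabled). Not real data.
SAMPLE_EXPORT = json.loads("""
{"roleTemplateId": "62e90394-69f5-4237-9190-012177145e10",
 "members": [
  {"id": "u1", "userPrincipalName": "admin2@contoso.example",
   "userType": "Member", "accountEnabled": true},
  {"id": "u2", "userPrincipalName": "owner_outlook.com#EXT#@contoso.example",
   "userType": "Guest", "accountEnabled": true},
  {"id": "u3", "userPrincipalName": "old-admin@contoso.example",
   "userType": "Member", "accountEnabled": false}
 ]}
""")

def usable_admins(members, deleting=()):
    """Enabled, home-tenant admins left after removing the ids in `deleting`."""
    remaining = []
    for m in members:
        if m["id"] in deleting or not m.get("accountEnabled", False):
            continue  # about to be deleted, or cannot sign in
        upn = m.get("userPrincipalName", "")
        if m.get("userType") == "Guest" or "#EXT#" in upn:
            continue  # assumption: external identities do not count
        remaining.append(upn)
    return remaining

def check_deletion(export, deleting):
    """Return (verdict, remaining_admin_upns) for a planned user deletion."""
    if export.get("roleTemplateId") != GLOBAL_ADMIN_TEMPLATE_ID:
        raise ValueError("export is not the Global Administrator role")
    remaining = usable_admins(export["members"], set(deleting))
    if not remaining:
        return "BLOCK", remaining  # deletion would leave no admin path
    if len(remaining) < MIN_ADMINS:
        return "WARN", remaining   # below the two-admin minimum
    return "OK", remaining

if __name__ == "__main__":
    for target in (["u1"], ["u3"], []):
        print(target, *check_deletion(SAMPLE_EXPORT, target))
```

Run the check before any user deletion or role removal and refuse to proceed on `BLOCK`; a `WARN` on the unchanged tenant means a second administrator should be added first.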

