
MFA deadlock with only one global admin account

Hanno Bevelander 0 Reputation points
2026-04-03T12:25:48.8366667+00:00

Hi everyone,

I’m currently stuck in a situation I can’t seem to resolve on my own and would really appreciate any guidance.

I manage 5 Exchange accounts, but unfortunately only one of them has Global Administrator privileges. The problem is that this specific account is no longer receiving any Microsoft Authenticator MFA prompts.

This has effectively put me in a deadlock:

I need to log in to disable or reset MFA

But I can’t log in because MFA approval is not coming through

I’ve already tried all standard troubleshooting steps (reinstalling Authenticator, checking notification settings, alternative sign-in options, etc.), but nothing has worked so far.

From what I understand, contacting Microsoft’s Data Protection team seems to be the only remaining solution. However, I’ve been unable to successfully reach them either online or by phone.

Has anyone experienced a similar issue or knows a way to resolve this? Any help or suggestions would be greatly appreciated.

Thanks in advance.

Microsoft 365 and Office | Subscription, account, billing | For business | Other

2 answers

  1. Henry-N 11,990 Reputation points Microsoft External Staff Moderator
    2026-04-03T13:05:35.87+00:00

    Hi @Hanno Bevelander,

    Thank you for posting your question in the Microsoft Q&A forum.      

    I’m really sorry to hear about your situation. I understand you’re unable to log in to your account. To assist you effectively, I’d like to clarify a few points:       

    Do you have any other admin account that you can use to log in to Microsoft 365 Admin center?    

    If you have another admin account, I would recommend using that account to reset your MFA settings through the Microsoft Entra admin center. Ask your administrator to follow these steps:

    1. Sign in to Microsoft Entra admin center with the admin account 
    2. Go to Users 
    3. Select the affected user account 
    4. Open Authentication methods 
    5. Revoke sessions 
    6. Select Require re‑register MFA 
    7. Save the changes               

    Revoke MFA sessions and require re-register in the Microsoft Entra admin center                  


    If you don't have any other admin account in this situation, the Microsoft Data Protection team has tools and processes in place to verify identity and regain access to administrator accounts.    

    Please note that forum moderators have no control over user accounts, especially when it comes to logging in to your account, resetting your password, changing your access, etc.    

    Therefore, if you are the only administrator in your organization, you need to involve the Microsoft Data Protection team. Please find the relevant hotline number and call the frontline so they can raise a ticket for you: Customer service phone numbers - Microsoft Support

    (Important note: Depending on your country or region, when you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)

    In some countries, this is an automated conversation: First, when you call the hotline, they will ask you what kind of problem you are struggling with.    

    Answer: Authenticator.    

    A: What products do you use?    

    B: Office 365 for business.    

    Verification: Education or company account?    

    B: For companies    

    A: Are you an administrator?    

    B: Yes.    

    A: Are there any other administrators in your organization?    

    B: No.    

    A: I need one.... Service request?    

    B: Yes    

    If your organization's Office 365 Business/Education subscription is from a partner or reseller, and the global administrator is unable to open a service request on your end, contact the reseller's support provider to help open a service request on your behalf instead.

    Alternatively, you can try setting up a new trial tenant and submitting your support request from there:

    1. Visit the Microsoft 365 Enterprise Plans page: Go to Compare Office 365 Enterprise Pricing and Plans | Microsoft 365.   
    2. Choose a plan and start a free trial: Select any of the available plans and click "Try for free" to begin the trial setup process.   
    3. Follow the guided setup: Complete the steps to create a new Microsoft account and a new tenant. This will be a separate and independent Microsoft 365 environment.   
    4. Access the Microsoft 365 Admin Center: Once the new tenant is created, navigate to https://admin.microsoft.com/.   
    5. Go to Support: In the left-hand navigation menu, click on "Support" and then "Help & support."   
    6. Raise a support ticket: Describe your issue in detail. Crucially, you must clearly state that you are locked out of a different, pre-existing Microsoft 365 tenant where you are the administrator. Provide the following information about your locked account:    
      • Your administrator account email address for the locked tenant.   
      • The domain name of your locked tenant    
      • Any error messages you are receiving.   
      • Details about the authentication issues you are experiencing.   
      • Confirmation that you are the administrator of the locked tenant.   
    7. Submit your ticket: Follow the prompts to submit your support request. You will likely receive a ticket number for tracking.   

    When you open a support ticket, please make sure to turn off the Support Assistant (AI) in the help panel.  

    Several customers have reported issues when the Support Assistant is turned on: the system sometimes fails to display the “Contact Support” option.

    As shown in the screenshot, simply switch Support Assistant > Off, then type your issue description.  Once the AI is off, the “Contact Support” button will appear normally, allowing you to submit a ticket directly.  


    Important notes:    

    • This new trial tenant will not give you access to any of the data or settings in your original locked tenant. It is solely a temporary means to contact Microsoft support.   
    • Be prepared for Microsoft support to ask for verification of your identity and administrative rights for the locked tenant.   
    • The resolution time might be longer as you are contacting support from a different tenant.   
    • Remember to cancel the trial subscription for the new tenant once your issue with the original account is resolved to avoid any unintended charges. You can typically do this within the Microsoft 365 Admin Center under "Billing" -> "Your products."   

    I hope these steps will help resolve your issue. If you need further assistance, we are always here to help.     

    Thank you again for your time and understanding. While my initial response may not resolve the issue immediately, I’d like to gather more details about your situation so I can assist you more effectively.    

    I really appreciate your patience, and I’m here to help. Looking forward to your response.   




  2. Q&A Assist
    2026-04-03T12:26:05.8366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    In this scenario there is an MFA deadlock on the only Global Administrator account, and standard self-service recovery is not possible. With only one global admin and no working MFA method, the path forward is to involve Microsoft support (Data Protection / Tenant Recovery) so they can verify identity and reset MFA on the admin account.

    Based on similar resolved cases:

    1. If there is any other Global Admin
      • Have that admin sign in to the Azure portal → Microsoft Entra ID → Users → select the locked-out admin → Authentication methods → Require re-register multifactor authentication.
      • Next sign-in for the locked-out admin will prompt for MFA registration again, allowing a fresh setup of Microsoft Authenticator or another method.
    2. If there is no other Global Admin (only one admin in the tenant)
      • This is a tenant lockout case. Forum moderators and normal support channels cannot directly reset the account; it must go through the Microsoft Data Protection (DP) team.
      • The DP team has tools and processes to verify identity and regain access to administrator accounts when the only admin is locked out by MFA.
      • To reach them, open a support request via:
        • Calling the regional Microsoft customer service phone number and clearly stating that this is an admin MFA lockout and that there is only one global admin in the tenant. The frontline agent must escalate to the Data Protection / Tenant Recovery team.
        • If unable to open a ticket from the locked tenant, create a temporary new Microsoft 365 trial tenant, go to the Microsoft 365 admin center → Support → Help & support, and open a ticket explaining that the issue is with a different existing tenant where the only global admin is locked out by MFA. Provide the locked tenant’s domain, admin UPN, and error details. Support will then route the case to the DP team.
      • Expect that the DP team will perform identity and ownership verification (business documentation, contact details, etc.) before they reset MFA or add an additional authentication method on the admin account.
    3. If SMS or other methods also fail for the admin
      • When no MFA method works and there is no second admin, self-service options are exhausted. The only supported resolution is via Microsoft support escalation to the Data Protection team, as described above.

    Once access is restored, configure at least one additional Global Admin and multiple MFA methods (Authenticator, phone, etc.) for each admin to avoid future lockouts.
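
Both answers end on the same preventive point: more than one Global Administrator, and more than one MFA method per admin. The script below is an added example, not part of either answer and not Microsoft's code, that audits a tenant for exactly that condition. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the two read-only scopes shown.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns

# Read-only audit: how many Global Administrators exist, and how many
# non-password sign-in methods each one has registered.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Well-known template ID of the built-in Global Administrator role.
$templateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"

# Keep only user objects (role members can also be groups or service principals).
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($admin in $admins) {
    # Each method's concrete type is carried in @odata.type, for example
    # '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'.
    $methods = Get-MgUserAuthenticationMethod -UserId $admin.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
        Where-Object { $_ -ne 'passwordAuthenticationMethod' }

    [pscustomobject]@{
        UserPrincipalName = $admin.AdditionalProperties['userPrincipalName']
        MethodCount       = @($methods).Count
        Methods           = ($methods | Sort-Object -Unique) -join ', '
        SingleMethod      = @($methods).Count -lt 2
    }
}

$report | Format-Table -AutoSize

# The condition described in the question: one admin, one method.
if (@($report).Count -lt 2) {
    Write-Warning 'Only one Global Administrator: losing its MFA method locks the tenant.'
}
$report | Where-Object SingleMethod | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) has fewer than two MFA methods registered."
}
```

The script only sees direct, active user members of the role; PIM-eligible assignments and group-based assignments are not enumerated and need a separate check.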

