![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 31%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAT%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Because there is only one Global Administrator on the tenant and no working MFA or alternate authentication method, this is a tenant lockout scenario that must be handled by Microsoft’s Data Protection / Tenant Recovery team.
Follow these steps to regain access:
- Contact Microsoft support by phone
- Use the regional phone numbers listed under Customer service phone numbers - Microsoft Support / Support for Business Products / Microsoft 365 for business support phone numbers by country or region.
- When navigating the IVR, clearly indicate:
- The product: “Office 365 for business” or “Azure / Microsoft 365 for business”.
- That this is a company/organization account.
- That you are an administrator.
- That there is no other global administrator.
- That you are locked out due to MFA and need to be connected to the Microsoft Data Protection team (sometimes called Tenant Recovery) to reset MFA for the only Global Admin.
- Ask specifically for Data Protection / Tenant Recovery
- Explain that:
- MFA is required and is not working.
- You are the only Global Administrator.
- You cannot access the Azure/Microsoft 365 admin portals to open a ticket.
- There is active billing you cannot manage.
- The frontline agent must create a service request and route it to the Data Protection team, who have tools and processes to verify tenant ownership and reset the admin’s authentication methods.
- Explain that:
- If phone support cannot be reached
- As an alternative, create a temporary trial tenant (for example, a Microsoft 365 or Azure trial) and use that tenant’s admin center to open a support ticket.
- In the ticket, clearly state that:
- The issue concerns a different existing tenant where you are the only Global Admin.
- You are locked out due to MFA and need MFA reset / admin recovery by the Data Protection team.
- Be prepared to provide proof of ownership and business documentation for the locked tenant.
- After recovery
- Once access is restored, configure:
- At least two Global Administrator accounts with different credentials and MFA methods.
- Emergency/break-glass accounts excluded from Conditional Access policies, with strong passwords and monitored sign-ins.
- This prevents future tenant lockouts caused by MFA or policy issues.
- Once access is restored, configure:
The actual MFA reset and tenant recovery can only be performed by Microsoft support (Data Protection team); community forums and tools cannot override MFA or admin access in this scenario.
References:
- Troubleshoot sign-in issues and account access problems
- Mandatory multifactor authentication for Azure and admin portals
- Preventing tenant lockouts
- Tenant Lockout: Scenarios & Next Steps
- You don't receive a text or voice call that contains the verification code for Microsoft Entra multifactor authentication
- "Activation failed" error when you try to set up Azure Multi-Factor Authentication
- Global Admin Locked out - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- I need to reset my mfa methods - Microsoft Q&A