URGENT: Global Admin Lockout - MFA Deadlock on [Moderator note: personal info removed]

Yash Pal Nachaal 0 Reputation points
2026-04-05T14:48:15.1833333+00:00

Dear Microsoft Support Team,

I am writing to report a critical access issue affecting our Microsoft 365 tenant associated with the domain [Moderator note: personal info removed] 

We are currently experiencing a complete administrative lockout. The only Global Administrator account ([Moderator note: personal info removed]) is no longer accessible due to a failure in Microsoft Authenticator.

Issue Summary:

  • The Authenticator app previously configured for MFA was unexpectedly reset/logged out.
  • As a result, all MFA bindings for the admin account have been lost.
  • There are no alternate authentication methods (SMS/email/backup codes) configured.
  • No other Global Administrator accounts exist in the tenant.
  • All login attempts result in an MFA prompt, creating a circular dependency with no recovery path.

Technical Context:

  • The device previously used for MFA is no longer recognized as trusted.
  • Authenticator backup/restore was not available.
  • We are unable to approve sign-in requests or generate OTP codes.

This has resulted in a tenant-level administrative lockout, and we are unable to access:

  • Microsoft 365 Admin Center
  • Azure Portal
  • Any administrative controls

Request for Immediate Assistance:

We request Microsoft’s intervention to:

  1. Verify ownership of the domain dataflorent.com (we can provide DNS-based verification or any required documentation).
  2. Reset or disable MFA for the Global Administrator account ([Moderator note: personal info removed]), OR
  3. Provision a temporary Global Admin access / add a secondary administrator to restore access.

Verification Readiness:

We are prepared to provide:

  • Domain DNS verification (TXT record)
  • Business identity proof
  • Subscription or billing details
  • Any additional information required for validation

Given that this is a complete administrative lockout, we request this case to be treated with highest priority and urgency, as it is impacting our business operations.

Kindly guide us on the fastest way to proceed with verification and recovery.

Thank you for your immediate attention to this matter.

Sincerely,

Microsoft 365 and Office | Subscription, account, billing | For business | Other

2 answers

  1. Rin-L 18,180 Reputation points Microsoft External Staff Moderator
    2026-04-06T10:14:20.7966667+00:00

    Hi @Yash Pal Nachaal,

    I’ve carefully read through the details you shared. In situations like this, where the only Global Administrator is locked out due to an MFA deadlock and there are no alternate recovery methods or secondary admins, the Data Protection team is the only group with the tools and authority to securely verify tenant ownership and help restore administrative access.

    Please note that forum moderators have no control over user accounts, especially when it comes to logging in to your account, resetting your password, changing your access, etc.

    The standard and recommended way forward is to contact Microsoft Support by phone, so the frontline support team can create a case for you and escalate it internally to the Data Protection team. You can find the appropriate phone number here: Customer service phone numbers - Microsoft Support

    For India:

    Here are some tips and an example of a prompt to help you navigate the IVR more effectively:

    (When you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)  

    In some regions, the initial interaction may be automated, so here’s a general idea of how the conversation might go to help you prepare:   

    • What kind of problem are you experiencing?       
    • Answer: Authenticator       
    • What products do you use?       
    • Answer: Office 365 for business       
    • Is this for an education or company account?       
    • Answer: For companies       
    • Are you an administrator?       
    • Answer: Yes       
    • Are there any other administrators in your organization?       
    • Answer: No. I am the only admin in my tenant        
    • Do you need a... Service request?        
    • Answer: Yes. I need to create a ticket. Please send me directly to the Data Protection team.

    During the phone call, you will need to provide the information associated with your subscription, such as your company name, billing details, phone number, and an alternate email address, etc. This information allows the Data Protection team to verify your identity and securely assist you in regaining access to your administrator account.   

    If you're still unable to get through to support, there is a workaround you might consider: You can register for a new Microsoft 365 tenant by signing up for a trial subscription here: Microsoft 365 Business Plans and Pricing | Microsoft 365

    Once the new tenant is created, you can access the admin center and submit a support ticket from there, requesting to speak with the Data Protection Team on behalf of your original tenant.

    Note: Please remember to cancel the trial subscription once your issue is resolved to avoid any unintended charges.   

    I hope these steps help you create a support ticket successfully and move closer to regaining access to your administrator account. While I’m not able to intervene directly, guiding you to the right support team is the most effective help I can provide here.

    If you have any updates or additional questions, please feel free to leave a comment under this post. This will make it easier for me to receive notifications and follow up with you to continue providing support.

    Thank you very much for your understanding.


    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.   


  2. Q&A Assist
    2026-04-05T14:48:38.39+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    This situation is a tenant-level admin lockout caused by loss of the only Global Administrator’s MFA method. Recovery requires direct assistance from Microsoft’s Data Protection / Tenant Recovery teams; it cannot be fixed from the portals because no admin account can complete MFA.

    Use the following paths based on the documented guidance:

    1. If this is the only Global Administrator on the account
      • Contact the Azure Data Protection team by phone as documented: +1 866-807-5850.
      • Explain that this is a tenant lockout (only Global Admin, MFA lost, cannot sign in to any admin portal).
      • The Data Protection team will verify tenant ownership (they may use domain DNS records, billing details, and business identity) and then help reset the Global Admin’s password and/or MFA so that access can be restored.
    2. If the tenant has no other Global Admins (which matches this case)
      • Follow the documented “Your company doesn't have a global admin” path:
        • As part of the company’s tenant, find the support phone number for the region from Get support - Microsoft 365 admin.
        • Ask to be transferred to the Microsoft 365 Data Protection team to have the password/MFA reset.
      • If unable to call as the tenant contact, ask a colleague who is part of the tenant to contact the Microsoft 365 Data Protection team on behalf of the organization.
    3. What Microsoft Support/Data Protection will typically do
      • Treat the case as a tenant lockout where no Global Admin can reset MFA.
      • Verify ownership of the tenant and domain (they may request DNS TXT record, business documentation, subscription/billing details, etc.).
      • Reset or clear MFA registration for the locked Global Admin account, or assist in creating a new Global Admin so that the tenant can be administered again.
    4. If there were another Global Admin (for completeness)
      • That admin could sign in to the Azure portal → Microsoft Entra ID → Users → select the locked account → Authentication methods → “Require re-register multifactor authentication”.
      • After this, the locked admin would be prompted to set up MFA again at next sign-in.
      • In this case, there is no second Global Admin, so this path is not available and Data Protection escalation is required.
    5. Future prevention once access is restored
      • Add at least one additional Global Administrator account so that one admin can recover another if MFA or password issues occur.
      • Create two cloud-only emergency “break glass” accounts with the Global Administrator role, following emergency access recommendations, and exclude them from Conditional Access policies so they can be used if normal admins are locked out.
      • Ensure each admin has multiple MFA methods configured (for example, Microsoft Authenticator plus SMS or another method) to avoid single-point-of-failure on one device.

    This scenario matches documented tenant lockout cases where moderators escalated to the Data Protection team, who then reset MFA and restored access. Immediate action is to contact the appropriate Data Protection team by phone using the documented support channels.
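
The prevention items in the answer above (more than one Global Administrator, two break-glass accounts excluded from Conditional Access, more than one MFA method per admin) can be checked mechanically before a lockout happens. The following is an added example, not part of the thread and not Microsoft tooling: the snapshot format, the account names and the `audit_admins` function are assumptions, and the method type strings follow the `@odata.type` values Microsoft Graph returns for a user's authentication methods.

```python
# Added example; the snapshot format and account names are hypothetical.
G = "#microsoft.graph."
# Registered methods that do not count as a second factor at sign-in.
NOT_MFA = {G + "passwordAuthenticationMethod",  # first factor only
           G + "emailAuthenticationMethod"}     # password reset only

def audit_admins(admins):
    """Return a sorted list of (finding, subject) tuples for lockout risks."""
    findings = []
    global_admins = [a for a in admins if "Global Administrator" in a["roles"]]
    # One Global Administrator means nobody can re-register that admin's MFA.
    if len(global_admins) < 2:
        findings.append(("SINGLE_GLOBAL_ADMIN", "tenant"))
    # One MFA method means one lost device removes all sign-in ability.
    for a in global_admins:
        if len(set(a["methods"]) - NOT_MFA) < 2:
            findings.append(("MFA_NOT_REDUNDANT", a["upn"]))
    # Break-glass accounts: cloud-only and excluded from Conditional Access.
    break_glass = [a for a in global_admins
                   if a["cloud_only"] and a["excluded_from_ca"]]
    if len(break_glass) < 2:
        findings.append(("MISSING_BREAK_GLASS", "tenant"))
    return sorted(findings)

def admin(upn, methods, cloud_only=True, excluded_from_ca=False):
    """Build one snapshot record (constructed test data, not a Graph call)."""
    return {"upn": upn, "roles": ["Global Administrator"],
            "methods": [G + m + "AuthenticationMethod" for m in methods],
            "cloud_only": cloud_only, "excluded_from_ca": excluded_from_ca}

# Constructed sample: the tenant as described in the question.
THREAD_TENANT = [
    admin("admin@contoso.example", ["password", "microsoftAuthenticator"]),
]

# Constructed sample: the same tenant after the prevention steps.
HARDENED_TENANT = [
    admin("admin@contoso.example", ["password", "microsoftAuthenticator", "phone"]),
    admin("admin2@contoso.example", ["password", "microsoftAuthenticator", "fido2"]),
    admin("bg1@contoso.example", ["password", "fido2", "softwareOath"],
          excluded_from_ca=True),
    admin("bg2@contoso.example", ["password", "fido2", "softwareOath"],
          excluded_from_ca=True),
]

if __name__ == "__main__":
    for name, tenant in (("thread", THREAD_TENANT), ("hardened", HARDENED_TENANT)):
        print(name, audit_admins(tenant) or "no findings")
```
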

