MFA Reset Required - Global Admin Locked Out (Microsoft Entra)

Hoàng Tín 0 Reputation points
2026-04-08T15:21:34.7466667+00:00

I have the same question as Chau An in a topic (https://learn.microsoft.com/en-us/answers/questions/5832321/mfa-reset-required-global-admin-locked-out-%28micros)

Hello Microsoft Support Team,

I have an urgent access issue with my administrator account. I am the only Global Administrator of the tenant.

Recently, I lost my mobile device which had the Microsoft Authenticator app installed. As a result:

  • I cannot approve MFA requests via Authenticator
  • I am unable to receive SMS verification codes (the system fails to send them)
  • I do not have any alternative authentication methods configured

Because of this, I am completely locked out of the admin account and cannot access the tenant at all.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Q&A Assist
    2026-04-08T15:21:52.9266667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For a tenant where the only Global Administrator is locked out because MFA cannot be completed and no alternative methods are configured, self-service recovery from within the portals is not possible. Another account with sufficient admin rights is required to reset MFA or unblock the account; when no such account exists, the case must be escalated to Microsoft support/Data Protection for tenant recovery.

    From the documented patterns and moderator guidance in similar situations:

    1. If there is any other Global Administrator or privileged admin account (even if not remembered initially), that admin can:
      • Sign in to the Azure portal and open Microsoft Entra ID.
      • Go to Users > select the locked-out admin account.
      • Open Authentication methods and select Require re-register multifactor authentication.
      • After this, the locked-out admin can sign in again and will be prompted to register MFA from scratch.
    2. If there truly is no other Global Administrator or privileged admin in the tenant (single-admin tenant lockout):
      • This is treated as a tenant lockout scenario.
      • Resolution requires a support ticket so Microsoft’s Data Protection/Tenant Recovery team can verify tenant ownership and reset MFA or otherwise restore access.
      • In Microsoft Q&A cases with a single locked-out global admin, moderators escalate to Microsoft Support, and the Data Protection team contacts the admin (typically via email/phone on record) to perform verification and reset MFA.
    3. For future resilience once access is restored, guidance from the documentation is to:
      • Avoid having only one Global Administrator; have at least one additional Global Administrator or a Privileged Authentication Administrator who can reset other admins’ passwords and MFA.
      • Require MFA for administrators, but ensure multiple MFA methods (for example, Authenticator plus phone, or passwordless methods like passkeys or certificate-based authentication) are configured so a single device loss does not cause a lockout.

    Because the scenario described is a single Global Administrator who is fully locked out and cannot receive any MFA prompts or codes, the practical next step is to open a support case with Microsoft (or work through a Microsoft Q&A moderator) so the Data Protection team can verify ownership and reset MFA for the tenant’s only Global Administrator.
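
The resilience guidance in point 3 of the answer above can be checked ahead of time. The following is an added example, not part of the original question or answer and not Microsoft code: it audits a role/method inventory for the two lockout conditions described (fewer than two accounts able to reset admin MFA, and an admin with fewer than two MFA methods). The input layout, the `audit` function and the sample accounts are assumptions constructed for illustration; the method entries mimic the `@odata.type` field returned by Microsoft Graph `GET /users/{id}/authentication/methods`.

```python
# Added example: constructed inventory, not data from a real tenant.
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"
AUTHENTICATOR = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"
FIDO2 = "#microsoft.graph.fido2AuthenticationMethod"
# Roles the answer names as able to reset another admin's MFA.
RESET_ROLES = ("Global Administrator", "Privileged Authentication Administrator")

# Constructed sample matching the question: one Global Administrator, one device.
LOCKOUT_PRONE = {
    "roles": {"Global Administrator": ["admin@contoso.example"]},
    "methods": {"admin@contoso.example": [{"@odata.type": PASSWORD},
                                          {"@odata.type": AUTHENTICATOR}]},
}
# Constructed sample after following the guidance: a second reset-capable
# account, and two non-password methods on each account.
RESILIENT = {
    "roles": {"Global Administrator": ["admin@contoso.example"],
              "Privileged Authentication Administrator": ["backup@contoso.example"]},
    "methods": {"admin@contoso.example": [{"@odata.type": PASSWORD},
                                          {"@odata.type": AUTHENTICATOR},
                                          {"@odata.type": FIDO2}],
                "backup@contoso.example": [{"@odata.type": AUTHENTICATOR},
                                           {"@odata.type": FIDO2}]},
}

def audit(inventory):
    """Return sorted (subject, finding) pairs describing lockout risks."""
    findings = []
    resetters = set()
    for role in RESET_ROLES:
        resetters.update(inventory["roles"].get(role, []))
    # With a single reset-capable account nobody can require MFA re-registration
    # for it, so recovery depends on a support case.
    if len(resetters) < 2:
        findings.append(("tenant", f"{len(resetters)} account(s) can reset admin MFA"))
    for upn in sorted(resetters):
        # The password is the first factor, so it does not count as an MFA method.
        mfa = [m for m in inventory["methods"].get(upn, [])
               if m.get("@odata.type") != PASSWORD]
        if len(mfa) < 2:
            findings.append((upn, f"{len(mfa)} MFA method(s) registered"))
    return sorted(findings)

if __name__ == "__main__":
    for name, inv in (("lockout-prone", LOCKOUT_PRONE), ("resilient", RESILIENT)):
        print(name, audit(inv) or "no findings")
```

Counting entries does not prove the methods live on different devices, so an Authenticator registration and an SMS number on the same phone still need a manual look.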
