
Global Admin Account in Directory Locked Out due to loss of MFA device

Jeff Keagbine 0 Reputation points
2026-04-14T00:31:19.5066667+00:00

Hello,

The sole Global Administrator account for this Entra Directory lost their ability to MFA after getting a new phone and can't sign in to manage the directory, and none of the other accounts have the rights to reset that account's MFA. Is there another way to have the account's MFA be reset?

Thanks.

Microsoft 365 and Office | Install, redeem, activate | For business | Windows

2 answers

  1. Vivian-HT 15,700 Reputation points Microsoft External Staff Moderator
    2026-04-14T01:01:49.95+00:00

    Dear @Jeff Keagbine,

    Based on your description, I understand how urgent this situation must feel, especially since there is a sole administrator and you need to manage your subscription. Please know you’re not alone in this, and I’ll guide you through every step to get you back in control as quickly as possible.

    Option 1: Contact Microsoft Data Protection Support by Phone (Primary Method)  

    Since the only administrator is locked out, the most direct method is to call Microsoft's support line to raise a request for resetting your authentication method. For a full list of regional numbers, you can also visit this official page: Customer service phone numbers - Microsoft Support. The support team will assist you as soon as possible. For reference: Get support | Microsoft Docs

    Here are some tips and an example of a prompt to help you navigate the IVR more effectively: 

    In some countries, it is an automated conversation. First, when you call the hotline, you will be asked the following:

    IVR: What kind of problem are you concerned about? 

    You: Authenticator. 

    IVR: What kind of product do you use? 

    You: Office 365 for business. 

    IVR confirmation: education or company account? 

    You: For companies 

    IVR: Are you an administrator? 

    You: Yes. 

    IVR: Do you have the other administrator in your organization? 

    You: No. 

    IVR: Do you need a... Service request? 

    You: Yes  

    This process should connect you with a live agent who will create a service request with the Data Protection team. They will then contact you to help you regain access. 

    Option 2: Create a Temporary Account (Trial Tenant) to Submit a Support Ticket (Alternative Method) 

    If you have difficulty reaching an agent by phone, there is a reliable workaround. This involves creating a new, temporary Microsoft 365 account to contact the support team online. 

    Step 1: Sign up for a new Microsoft 365 Business trial using this link: Compare All Microsoft 365 Plans. You will need to use a different, personal email address to register. 

    Step 2: Once the trial account is created, log in to its Admin Center. From the Admin Center, open a new Service Request. For reference: Get support | Microsoft Docs

    In the ticket description, explain that you are locked out of your primary tenant (your.onmicrosoft.com) and that you need to speak with the Data Protection team to regain access. Provide your locked account's details and a good contact number for them to reach you. 

    Important: Please remember to cancel the trial subscription after your original account issue is resolved to avoid any future charges. 

    I am confident that the Data Protection team can resolve this for you. Please try the phone option first, as it is the most direct path. Let me know if you have any questions about these steps. 

    Note: Please understand that as a forum moderator, my role is to provide general guidance and troubleshooting support. I don’t have access to internal systems or backend tools, and I appreciate your understanding of these limits.

    I hope the information shared helps point you in the right direction. Please try the steps above and let me know if they work. If not, we can continue working together to narrow this down.

    The first response may not always resolve the issue right away, but with your help and more details, we can work toward a solution.

    Thank you for your patience and understanding. I'm looking forward to your reply.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".   

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Q&A Assist
    2026-04-14T00:31:29.4733333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    There’s no self-service way for a sole Global Administrator to reset their own MFA if they’ve lost access to the only registered method and can’t sign in.

    Because no other account in the directory has sufficient rights to use Require re-register multifactor authentication for that Global Admin, the recovery must go through Microsoft Support (Data Protection / Tenant Recovery):

    1. Contact Microsoft Support by phone using the global customer service numbers and clearly state:
      • This is a work/school (Microsoft 365 for business) account.
      • The caller is the only Global Administrator for the tenant.
      • MFA is enforced, the only method was Microsoft Authenticator on a lost/replaced phone, and the admin cannot complete sign-in.
      • A Data Protection / Tenant Recovery case is needed to reset MFA for the Global Admin account.
    2. Work with the Data Protection team to verify tenant ownership and identity. After verification, they can reset the MFA registration for the locked-out Global Admin so a new MFA method can be configured on the new device.

    For future prevention, it is recommended to:

    • Configure at least one additional MFA method (such as phone call or SMS) for the Global Admin.
    • Create two cloud-only emergency access (“break-glass”) accounts with the Global Administrator role that are exempt from MFA/Conditional Access and used only for lockout scenarios.

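An added example, not part of either answer above or of Microsoft's documentation: a Microsoft Graph PowerShell audit that an administrator who can still sign in could run to spot the single-admin, single-method condition described in this thread before it causes a lockout. It assumes the Microsoft.Graph PowerShell module is installed, it sees only active (not PIM-eligible) role assignments, and the variable names and report columns are illustrative.

```powershell
# Added example: audit Global Administrators and their registered MFA methods.
# Assumes the Microsoft.Graph PowerShell SDK and read-only directory scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory',
                        'UserAuthenticationMethod.Read.All',
                        'User.Read.All'

# Well-known role template ID of the built-in Global Administrator role.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplateId'"

# Keep user principals only; service principals and groups are skipped.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $user = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled

    # All registered methods come back; the password entry is not a second factor.
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
        Where-Object { $_ -ne 'passwordAuthenticationMethod' }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        CloudOnly         = -not $user.OnPremisesSyncEnabled   # null means cloud-only
        MfaMethodCount    = @($methods).Count
        MfaMethods        = ($methods -join ', ')
    }
}

$report | Format-Table -AutoSize

# The condition in this thread: one admin, one device-bound method.
if (@($report).Count -lt 2) {
    Write-Warning 'Only one Global Administrator: losing its MFA device locks the tenant.'
}
$report | Where-Object MfaMethodCount -lt 2 | ForEach-Object {
    Write-Warning "Review $($_.UserPrincipalName): $($_.MfaMethodCount) MFA method(s) registered."
}
```

Accounts deliberately set up as emergency access accounts will also appear in the review warnings and need to be checked by hand against how they were intended to be configured.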