![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 93%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETA%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Because the only Global Administrator is locked out by MFA and there is no alternative verification method, this is a tenant lockout scenario that cannot be fixed from the portals and must be handled by Microsoft’s Data Protection/Tenant Recovery teams.
Follow these steps:
- Contact Microsoft by phone and ask for the Data Protection team
- Call the regional support number listed under Customer service phone numbers - Microsoft Support or Get support - Microsoft 365 admin. See:
- Customer service phone numbers - Microsoft Support
- Get support - Microsoft 365 admin
- The tenant is a business/organization (not personal).
- This is an admin MFA lockout.
- There is only one Global Administrator and that account cannot complete MFA.
- Request to be transferred to the Microsoft 365 Data Protection team (or Data Protection / Tenant Recovery team) to reset MFA / authentication methods for the global admin.
- Problem: “Authenticator”
- Product: “Office 365 for business”
- Account type: “For companies”
- Are you an administrator?: “Yes”
- Any other administrators?: “No”
- Do you need a service request?: “Yes, I need to create a ticket and speak with the Data Protection team.”
- If phone support is hard to reach, create a temporary trial tenant to open a ticket (workaround)
- Sign up for a new Microsoft 365 trial tenant (separate from
apli7945.onmicrosoft.com). - From that new tenant, go to the Microsoft 365 admin center → Support → Help & support and open a ticket.
- In the ticket, clearly explain:
- The locked tenant domain:
apli7945.onmicrosoft.com. - The affected admin UPN.
- That this is the only Global Administrator and MFA cannot be completed (Authenticator unavailable, no SMS/phone).
- Request that the Data Protection team reset MFA / security info for the global admin on the original tenant.
- The locked tenant domain:
- After recovery, cancel the trial subscription on the temporary tenant to avoid charges.
- Sign up for a new Microsoft 365 trial tenant (separate from
- If the tenant was purchased via a CSP partner
- If a Cloud Solution Provider (CSP) or reseller manages the subscription, contact the partner and ask them to open a Data Protection / tenant recovery service request on your behalf.
- Future prevention once access is restored
After Microsoft resets MFA and access is restored, implement these safeguards to avoid future lockouts:- Ensure at least two Global Admin accounts with different credentials and MFA methods.
- Create emergency/break-glass accounts excluded from Conditional Access and MFA policies, with strong passwords and monitored sign-ins.
- Configure additional MFA methods (e.g., SMS, phone, passkey/FIDO2, or certificate-based authentication) for all admins.
- Consider assigning a Privileged Authentication Administrator or similar role so someone else can reset admin MFA in the future.
Only Microsoft’s Data Protection/Tenant Recovery team can verify ownership and reset MFA in this single-admin lockout scenario; self-service or portal-based fixes are not possible.
References:
- Troubleshoot sign-in issues and account access problems
- Preventing tenant lockouts
- Common problems with two-step verification for a work or school account
- About administrator roles in the Microsoft 365 admin center
- Mandatory multifactor authentication for Azure and admin portals
- Require multifactor authentication for admins accessing Microsoft admin portals
- Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Global Admin Locked out - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A