Customer cannot access admin portal because the MFA device is wiped

Wilco de Jong 0 Reputation points
2026-04-20T13:48:44.53+00:00

We are Microsoft Partner and we have a new customer.

They have a Microsoft 365 tenant.

We need to manage their Microsoft 365, but their global admin account is protected by MFA and the phone with Microsoft 365 Authenticator has been wiped.

They didn't add a phone number or second mail address as an extra MFA option.

Now they (and we) can't access their admin account.

Is there a DECENT way to contact the Data Protection Team for a reset of MFA for the 2 tenant admin accounts?

We tried to do it by calling Microsoft support, but we get a Copilot answering machine that sends me round and round, but no MFA reset.

Moved from Microsoft Security | Microsoft Authenticator

Microsoft 365 and Office | Subscription, account, billing | For business | Other

2 answers

  1. Doris V 1,605 Reputation points Microsoft External Staff Moderator
    2026-04-22T04:06:16.14+00:00

    Hi @Wilco de Jong,

    If you are the only administrator in your organization, you will need to contact the Microsoft Data Protection team for further assistance. Please locate the appropriate support phone number for your country or region and contact Microsoft Support so the frontline team can raise a service request on your behalf: Customer service phone numbers - Microsoft Support

    Here are some tips and an example of a prompt to help you navigate the IVR more effectively:   

    (When you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help)        

    In some regions you may initially interact with an automated system, so here is an example of how you can answer the prompts to reach the right team more quickly:   

    • What kind of problem are you experiencing?           
    • Answer: Authenticator           
    • What products do you use?           
    • Answer: Office 365 for business           
    • Is this for an education or company account?           
    • Answer: For companies           
    • Are you an administrator?           
    • Answer: Yes           
    • Are there any other administrators in your organization?           
    • Answer: No. I am the only admin in my tenant            
    • Do you need a... Service request?            
    • Answer: Yes. I need to create a ticket. Please send me directly to the Data Protection Team.

    During the call, you will be asked to provide information that verifies your identity and proves ownership of the tenant, such as your organization name, billing information, contact email, phone number, or other subscription‑related details.

    If you are unable to reach support via the phone numbers, there is a workaround you might consider: You can register for a new Microsoft 365 tenant by signing up for a trial subscription here: Microsoft 365 Business Plans and Pricing | Microsoft 365    

    Once the new tenant is created, you can access the admin center and submit a support ticket from there, requesting to speak with the Data Protection Team on behalf of your original tenant.    

    Important notes:     

    • This new trial tenant will not give you access to any of the data or settings in your original locked tenant. It is solely a temporary means to contact Microsoft support.    
    • The resolution time might be longer as you are contacting support from a different tenant.    
    • Remember to cancel the trial subscription for the new tenant once your issue with the original account is resolved to avoid any unintended charges.  

    I hope the information provided helps guide you in the right direction. Although I’m unable to take direct action, I sincerely hope that the steps and recommendations I’ve shared can support you through the process.  


  2. Q&A Assist
    2026-04-20T13:49:25.1666667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    There is a supported path, but it must go through Microsoft support and specifically the Microsoft Data Protection team. The key is how the tenant is currently related to the partner and whether anyone still has roles that can reset MFA.

    1. Check whether the partner has GDAP with the right roles
      • If a GDAP relationship exists and the partner security group has Privileged authentication administrator or Global administrator / Privileged role administrator, the partner can reset the admins’ password and authentication methods directly, without Microsoft support:
        • See role requirement: “A partner must request the Privileged authentication administrator Microsoft Entra role when creating the first GDAP. This role enables a partner to reset a password and the authentication method for an admin or nonadmin user.”
        • Use the Entra admin center to reset password and clear MFA methods for the locked-out admin accounts.
      • If GDAP exists but the partner does not have password-reset roles, the customer’s global admin must contact Microsoft, or the users must try the Self Service Password Reset tool if enabled. In this case, because the admins are locked out and no alternate methods exist, proceed to step 2.
    2. If no usable admin/MFA method exists (tenant lockout)
      • This is a tenant lockout scenario where no admin can complete MFA. Microsoft’s guidance is to involve Microsoft support and the Data Protection team:
        • For scenarios where the customer has lost access and the partner cannot reset passwords, the guidance is: “The end customer Global Administrator of the tenant must contact Microsoft for Support. For more information, see Find Microsoft 365 for business support phone numbers by country or region.”
      • Use the regional phone numbers from Microsoft 365 for business support phone numbers by country or region and explicitly request escalation to the Microsoft 365 Data Protection team.
    3. How to reach the Data Protection team through phone support
      • Use the business support phone number for the customer’s region from the Microsoft 365 admin support contact page.
      • When navigating the IVR, use wording similar to the documented examples from other tenant-lockout cases:
        • State clearly: this is an Office 365/Microsoft 365 for business tenant.
        • Indicate it is a company account, not education or personal.
        • Confirm that this is an administrator account and that no other admins are available.
        • Explicitly ask to create a service request and be routed to the Data Protection team for MFA reset / admin lockout on the tenant.
      • Data Protection has specific tools and processes to verify identity and reset admin passwords and MFA when all admins are locked out.
    4. If frontline support or IVR keeps looping
      • Guidance from similar resolved cases:
        • Persist with the business support number and ensure the scenario is described as: “only global admins are locked out due to MFA and device loss; need Data Protection team to restore access.”
        • If still unable to reach a live agent, one documented workaround is:
          • Create a new trial Microsoft 365 tenant.
          • Use that new tenant’s admin center to open a support ticket.
          • In the ticket, clearly state that the request is on behalf of another existing tenant where both admins are locked out by MFA and request escalation to the Data Protection team.
    5. For partners managing many customers (preventive guidance)
      • For future customers, when creating the first GDAP relationship, ensure the partner security group is granted Privileged authentication administrator so the partner can reset admin passwords and MFA without needing Data Protection.
      • Also ensure the customer has SSPR configured so users and admins can self-reset passwords and MFA where appropriate.

    In summary, there is no direct “self-service” contact channel for Data Protection; the supported path is via Microsoft 365 business phone support or a support ticket (including via a temporary trial tenant), with explicit request for Data Protection escalation for a tenant lockout/MFA reset.


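An audit for the failure mode in this thread, where every admin's MFA methods live on a single phone. This is an added example, not part of either answer and not Microsoft's code. The function name and sample accounts are hypothetical, and the grouping of methods into "app-bound" is an assumption stated in the comments.

```powershell
# Method names as they appear in the methodsRegistered property of Microsoft
# Graph userRegistrationDetails. Assumption: all three live in one authenticator
# app on one phone, so wiping that phone removes them together.
$AppBoundMethods = 'microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless',
                   'softwareOneTimePasscode'
# 'email' only serves self-service password reset; it cannot satisfy an MFA prompt.
$NotMfaMethods   = @('email')

function Get-AdminMfaFallbackStatus {   # hypothetical helper, not a Microsoft cmdlet
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Registration)
    process {
        if (-not $Registration.isAdmin) { return }
        $mfa = @($Registration.methodsRegistered |
                 Where-Object { $_ -and $_ -notin $NotMfaMethods })
        $fallback = @($mfa | Where-Object { $_ -notin $AppBoundMethods })
        $risk = if ($mfa.Count -eq 0) { 'NoMfaMethod' }
                elseif ($fallback.Count -eq 0) { 'SinglePhoneOnly' }
                else { 'HasFallback' }
        [pscustomobject]@{
            UserPrincipalName = $Registration.userPrincipalName
            MfaMethods        = $mfa -join ', '
            Risk              = $risk
        }
    }
}

# Constructed sample records (not from a real tenant), mirroring the question:
# two admins whose only MFA methods sit in the Authenticator app.
$sample = @(
    [pscustomobject]@{ userPrincipalName = 'admin1@contoso.example'; isAdmin = $true
        methodsRegistered = @('microsoftAuthenticatorPush', 'softwareOneTimePasscode') }
    [pscustomobject]@{ userPrincipalName = 'admin2@contoso.example'; isAdmin = $true
        methodsRegistered = @('microsoftAuthenticatorPush', 'email') }
    [pscustomobject]@{ userPrincipalName = 'user1@contoso.example'; isAdmin = $false
        methodsRegistered = @('mobilePhone') }
)

$report = @($sample | Get-AdminMfaFallbackStatus)
$report | Format-Table -AutoSize

# Tenant-level check: with no 'HasFallback' admin, one wiped phone per admin
# locks everyone out of the admin portal.
if (-not ($report | Where-Object Risk -eq 'HasFallback')) {
    Write-Warning 'No admin has an MFA method that survives a wiped phone.'
}
```

Against a live tenant, the same function accepts the output of `Get-MgReportAuthenticationMethodUserRegistrationDetail -All` from the Microsoft.Graph.Reports module, since PowerShell property names are case-insensitive. Note that `isAdmin` in that report covers any admin role, not only Global Administrator.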
