![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 76%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
The situation described is a classic MFA lockout loop after changing phones: the account requires Microsoft Authenticator to sign in, but Authenticator cannot be set up because the account cannot be signed in without it.
There is no supported way to “pull” a QR code from Outlook or another Microsoft portal without first passing the existing MFA challenge. Recovery depends on what type of account is in use and whether any alternative sign-in methods or admins exist.
Use the path that matches the scenario:
- If this is a work or school (Microsoft 365/Entra ID) account and there is an admin
- Contact the organization’s Microsoft 365/Entra administrator and ask them to reset MFA:
- In Microsoft Entra admin center, they can go to Users → All users → [select user] → Authentication methods → Require re-register multifactor authentication.
- After this reset, the next sign-in will prompt to set up Microsoft Authenticator again with a new QR code.
- If already resolved by signing in with the original Outlook account used to create the tenant, no further action is required beyond reconfiguring Authenticator on the new phone.
- If this is a work or school account and there is no other admin (locked-out sole admin)
- This is a tenant lockout. Forum and self-service tools cannot bypass it.
- Contact Microsoft’s frontline support by phone (see “Customer service phone numbers - Microsoft Support” in the referenced Q&A). Ask them to open a ticket with the Data Protection team to:
- Verify identity as the tenant’s administrator.
- Reset MFA or otherwise restore access.
- In the automated/agent flow, clearly state:
- The problem is with Authenticator and MFA.
- The product is Office 365 for business / company account.
- There are no other admins in the organization.
- A service request is needed and it must be routed to the Data Protection team.
- If the tenant was purchased via a partner/reseller and the admin cannot open a service request, contact the reseller and ask them to open a Microsoft support ticket on the tenant’s behalf.
- As a workaround to reach support if completely locked out, it is possible (per the Q&A) to create a separate, temporary Microsoft 365 trial tenant, go to admin.microsoft.com → Support → Help & support, and open a ticket explaining that the real issue is lockout from a different tenant where you are the admin. After resolution, cancel the trial to avoid charges.
- If this is a work or school account and there is an alternative sign-in method configured
- If any other MFA method exists (SMS, phone call, another app), use it to sign in and then:
- Go to the Additional security verification / Security info page.
- Delete the old phone/Auth app registration.
- Add the new phone/Auth app as a sign-in method and scan the new QR code.
- If SMS/phone is configured but fails with verification errors, this again requires admin or Microsoft support intervention as above.
- If this is a personal Microsoft account (Outlook.com, Hotmail, etc.)
- If another sign-in method exists (alternate email, SMS, phone call), use that to sign in and then:
- Go to the Microsoft account Security tab.
- Use Manage how I sign in → Add a new way to sign in or verify → Use an app to set up Authenticator on the new phone by scanning the QR code.
- If no alternative method works and Authenticator is the only factor, recovery for personal accounts is handled by Microsoft’s account recovery and Data Protection processes; phone support (Data Protection team) may be required as described in the Q&A references.
- If the Authenticator app itself is not showing codes for an existing account
- If the account appears in the app but no 6-digit OTP is visible, and there is no “One-time password code” line when tapping the account:
- This indicates the OTP secret is not present or the account is configured for push-only notifications.
- In this case, only Microsoft’s Data Protection team (for work/school) or account recovery for personal accounts can reset MFA so that a new OTP secret/QR can be issued.
In all these cases, there is no supported mechanism to generate or retrieve the QR code from Outlook or another portal without first satisfying the current MFA requirement. The resolution is to have MFA reset (by an admin or Microsoft support/Data Protection) or to use an existing alternative MFA method to sign in and then re-register Authenticator on the new phone.
References:
- Troubleshoot problems with Microsoft Authenticator
- Use a screen reader to set up and troubleshoot multifactor authentication
- Set up Security info from a sign-in page
- How to add your accounts to Microsoft Authenticator
- Microsoft Authenticator app doesn't show 6-digit OTP code - Microsoft Q&A
- Microsoft authenticator sending me into a spiral - Microsoft Q&A
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- I need to reset my mfa methods - Microsoft Q&A
- Authenticator app not sending code to my email - Microsoft Q&A