MFA Reset for sole admin

Kevin Storm 0 Reputation points
2026-04-23T16:14:16.99+00:00

I am the only admin for a business account. Lost authenticator after phone replacement. I use a break glass account as the admin. When I call in and give my name and details, it says that I am not a Global Admin. I have tried using both my real name and my Break Glass name. Either way it just keeps hanging up on me.

2 answers

  1. Alina Le 2,455 Reputation points Independent Advisor
    2026-04-24T12:56:30.11+00:00

    Hello @Kevin Storm

    I really want to help you with this case, but I need to make sure we are on the same page so I can provide the most relevant information that I have.

    • You mentioned a “break‑glass account.” May I confirm that this is an additional account that you have assigned as a backup for emergency situations?
    • Also, may I confirm whether you have already contacted Microsoft Support Engineering for this issue via the Microsoft Admin Center or through another support channel?

    Since I’m not certain which support steps you have already tried, I would like to share a detailed workflow that many users have successfully used to contact the Microsoft Support team. You may want to try this again and see if it helps with your case.

    If you are the only administrator in your organization, then you need to involve the Microsoft data protection team. Please find the relevant hotline number and call the frontline so they can raise a ticket for you: Customer service phone numbers - Microsoft Support

    If you can use English, you may prefer these numbers:

    (Important Note: Depending on your country or region, when you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)

    In some countries, this is an automated conversation: First, when you call the hotline, they will ask you what kind of problem you are struggling with.

    Answer: Authenticator.

    A: What products do you use?

    B: Office 365 for business.

    Verification: Education or company account?

    B: For companies

    A: Are you an administrator?

    B: Yes.

    A: Are there any other administrators in your organization?

    B: No.

    A: I need one.... Service request?

    B: Yes  

    If your organization's Office 365 Business subscription is from a partner or reseller, and the global administrator is unable to open a service request on your end, contact the reseller's support provider to help open a service request on your behalf instead.

    Please try 2 or 3 times until you can reach an agent.

    However, if the steps above do not help, please let me know so I can continue to assist you further.

    Looking forward to hearing from you!



  2. AI answer

    2026-04-23T16:14:44.47+00:00

    For a sole admin who has lost access to Microsoft Authenticator and cannot pass MFA, recovery must go through Microsoft support and the Data Protection (DP) / Tenant Recovery process. Because normal self-service and portal-based methods require successful MFA, they won’t work in this scenario.

    Use these steps and tips based on documented and Q&A-supported processes:

    1. Confirm there are truly no other Global Admins
      If there were another Global Administrator, that admin could reset MFA for the locked-out account by:
      • Signing in to the Azure portal → Microsoft Entra ID → Users → select the affected admin → Authentication methods → Require re-register multifactor authentication.
      Since the situation is that the account is the only admin and even the break-glass account is locked behind Authenticator, proceed as a sole-admin/locked-tenant case.
    2. Contact Microsoft via Global Customer Service phone and explicitly request Data Protection/Tenant Recovery
      The supported path for a sole Global Admin locked out due to MFA is to work with the Microsoft Data Protection team, who have processes to verify identity and reset MFA for the tenant admin.
      Use the country-specific number from Customer service phone numbers - Microsoft Support (linked in the context articles). When the IVR/automated system answers, follow a pattern like this (adapted from documented guidance):
      • When asked for the problem type: say “Authenticator”.
      • When asked what product: say “Office 365 for business” (or Microsoft 365 for business, matching the subscription).
      • When asked whether it’s an education or company account: answer “For companies”.
      • When asked if an administrator: answer “Yes”.
      • When asked if there is another administrator: answer “No”.
      • When asked if a service request is needed: answer “Yes” and state clearly: “I am the only Global Administrator and I am locked out due to MFA; I need a ticket escalated to the Data Protection team for tenant admin MFA reset.”
      If the system is hanging up after “you are not a Global Admin,” stay on the line or call back and:
      • Avoid giving only the display name; use the full admin UPN (email-style sign-in name) when asked.
      • Clearly state that this is a business/tenant admin lockout, not a personal account issue.
      • If routed to a non-commercial/consumer queue, explicitly ask to be transferred to commercial support for Microsoft 365 for business and then request escalation to Data Protection.
    3. If direct phone routing continues to fail, use a temporary trial tenant to open a ticket
      If the IVR keeps rejecting the admin identity and disconnecting, use the documented workaround:
      • Sign up for a new Microsoft 365 trial tenant (separate from the locked tenant).
      • In that new tenant, go to the Microsoft 365 Admin Center → Support → Help & support.
      • Open a support ticket explaining:
        • That this new tenant is only for contacting support.
        • The full domain and admin UPN of the locked tenant.
        • That the locked tenant has a single Global Admin, now unable to complete MFA because Microsoft Authenticator was lost/replaced.
        • That normal admin portals cannot be accessed to open a ticket.
        • That a Tenant Admin MFA Reset / Data Protection escalation is required.
      Support will then route the case to the Data Protection team, who will perform identity verification and, once satisfied, reset MFA or re-register methods for at least one admin account.
    4. What to expect from the Data Protection process
      Based on similar resolved cases in the context:
      • The DP engineer will contact you for verification (tenant details, contact info, proof of ownership).
      • After verification, another engineer may review and then perform the MFA reset or re-registration on the admin account and can help add an additional authentication method.
      • This process can take several days; persistence with support and clear explanation that this is a sole Global Admin lockout is critical.
    5. After recovery: harden admin access
      Once access is restored, follow the admin security guidance:
      • Ensure at least two emergency access (“break glass”) accounts exist, excluded from MFA but protected with long, complex passwords.
      • Add multiple MFA methods (Authenticator on more than one device where allowed, phone, SMS, etc.) for each admin.
      • Avoid having only one Global Admin; assign an additional Global Admin or at least another admin role where appropriate.

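As an added example (not part of either answer, and not Microsoft's code), the post-recovery checklist in the second answer can be run as an audit over Global Administrator records. The records below are constructed sample data; the `@odata.type` strings are the ones Microsoft Graph uses for authentication methods, and the `break_glass` flag is a hypothetical tag you would maintain yourself.

```python
# Added example: audit Global Admin records for the lockout risk in this thread.
ODATA = "#microsoft.graph."
# Method types that can satisfy MFA; a password alone is not a second factor.
MFA_TYPES = {
    ODATA + "microsoftAuthenticatorAuthenticationMethod",
    ODATA + "phoneAuthenticationMethod",
    ODATA + "fido2AuthenticationMethod",
}

# Constructed tenant mirroring the question: one named admin and one
# break-glass account, each tied to a single Authenticator registration.
SAMPLE_ADMINS = [
    {"upn": "admin@example.com", "break_glass": False,
     "methods": [ODATA + "passwordAuthenticationMethod",
                 ODATA + "microsoftAuthenticatorAuthenticationMethod"]},
    {"upn": "bg1@example.com", "break_glass": True,
     "methods": [ODATA + "passwordAuthenticationMethod",
                 ODATA + "microsoftAuthenticatorAuthenticationMethod"]},
]


def audit_admins(admins):
    """Return findings against the hardening checklist (empty list = pass)."""
    findings = []
    named = [a for a in admins if not a["break_glass"]]
    emergency = [a for a in admins if a["break_glass"]]
    if len(named) < 2:
        findings.append("TENANT: fewer than two named Global Admins")
    if len(emergency) < 2:
        findings.append("TENANT: fewer than two break-glass accounts")
    for a in admins:
        # Graph lists one entry per registration, so Authenticator on two
        # devices counts as two methods here.
        n = sum(1 for m in a["methods"] if m in MFA_TYPES)
        if a["break_glass"] and n == 0:
            continue  # assumed excluded from MFA and password-protected
        if n < 2:
            findings.append(f"{a['upn']}: {n} MFA method(s); losing one locks the account")
    return findings


if __name__ == "__main__":
    for line in audit_admins(SAMPLE_ADMINS):
        print(line)
```

In a real tenant the input would come from the Global Administrator role members and each member's authentication methods as returned by Microsoft Graph.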
