Because all existing MFA methods are unavailable and there is only one Global Administrator, this is a tenant lockout scenario that cannot be fixed from the portals or Power BI alone.
Use the following recovery paths:
- If there is actually another admin
  - Any Global or Authentication Administrator in the tenant can reset the locked-out admin’s MFA so new methods can be registered:
    - Sign in to the Microsoft Entra admin center as an admin.
    - Go to Entra ID → Users → select the locked-out admin account.
    - Open Authentication methods.
    - Select Require re-register MFA.
    - Next time the locked-out admin signs in, they will be prompted to set up MFA again (new phone / new Authenticator app, new phone number, etc.).
- If there is no other admin (only one Global Admin – your case)
  - This must be handled by Microsoft’s Data Protection / Tenant Recovery team via a support request. Forum moderators or normal users cannot reset MFA for an admin.
  - Contact Microsoft Support by phone using the “Customer service phone numbers - Microsoft Support” page referenced in the context. When connected to the IVR/agent, clearly state:
    - The issue is loss of access to Microsoft Authenticator and all MFA methods for the only Global Admin.
    - The tenant is a business/organization (work or school) account.
    - There is no other administrator who can reset MFA.
    - A Data Protection / Tenant Recovery case is needed to reset the admin’s MFA registration.
  - Be prepared to provide proof of identity and tenant ownership (business details, domain, billing info, etc.) as requested by the Data Protection team.
- Alternative way to reach Data Protection if phone support is difficult
  - Create a temporary trial Microsoft 365 tenant, then use that tenant’s admin center to open a support ticket on behalf of the locked tenant, explicitly requesting Data Protection / tenant recovery for the original tenant and describing that the only Global Admin is locked out due to MFA.
Once Microsoft Support/Data Protection verifies ownership, they can clear the MFA methods on the admin account so that, on next sign-in, a fresh MFA registration (new Authenticator on the new phone, updated phone number, etc.) can be completed.
Active sessions in services like Power BI do not provide a supported path to bypass or change MFA; the reset must be done either by another admin via Require re-register MFA or by Microsoft Support/Data Protection.