MFA/ Authenticator issue

Question

I am currently locked out of my Microsoft 365 admin account due to a Microsoft Authenticator issue and am stuck in a verification loop.

Microsoft Authenticator is my only configured MFA method. However, I cannot access the Authenticator app to retrieve or approve codes because I am being asked to verify my identity using that same Authenticator app. In other words, I cannot access Authenticator without first authenticating through Authenticator, which creates a complete lockout.

Because of this, I cannot sign in to my account or access the Microsoft 365 admin center.

When attempting to get support, I am directed to contact support from within the admin center, but I cannot access it due to the MFA requirement. This creates a second loop where I cannot reach support through the standard channels.

I am the account owner/admin for this tenant and need assistance resetting MFA so I can regain access and re-register my authentication methods.

I am happy to provide any required information to confirm my identity.

What is the correct process to resolve this MFA lockout when Authenticator is the only verification method?

---

Moderator's note: Moved from Microsoft Security | Microsoft Authenticator

Answer 1

For a business/tenant admin who is locked out because Microsoft Authenticator is the only MFA method, the resolution depends on whether there is another global admin in the tenant.

1. If there is another global admin in the tenant That other global admin can reset MFA so the locked-out admin can re-register:
   1. The other admin signs in to the Azure portal and opens Microsoft Entra ID.
   2. Go to Users → All users.
   3. Select the locked-out admin’s user account.
   4. Open Authentication methods.
   5. Select Require re-register multifactor authentication.
   After this, the next time the locked-out admin signs in, the account will be prompted to set up MFA again (e.g., re‑register Microsoft Authenticator and/or add additional methods).
2. If there is no other global admin (you are the only global admin) In this case, the tenant is effectively locked out from self-service recovery. The only supported path is escalation to Microsoft’s Data Protection / Tenant Recovery team via phone support:
   1. Call Microsoft using the Customer service phone numbers - Microsoft Support listed in the documentation.
   2. When navigating the IVR/agent, clearly state:
      • The issue is with Microsoft Authenticator / MFA.
      • The product is Office 365 for business / Microsoft 365 for business.
      • It is a company (work) account, not personal.
      • The caller is the only global administrator on the tenant and is locked out due to MFA.
      • A service request is needed and the call must be routed to the Data Protection team (or Tenant Recovery) to reset MFA for the tenant admin.
   3. The Data Protection team will verify identity and ownership of the tenant (business documentation, domain ownership, etc.) and then perform an admin MFA reset so access can be restored and MFA methods re-registered.
3. Alternative path if phone support is hard to reach If direct phone escalation is not working, an alternative is to create a temporary trial tenant only to open a support ticket:
   1. Sign up for a new Microsoft 365 trial tenant (separate environment).
   2. In that new tenant, go to the Microsoft 365 admin center → Support → Help & support.
   3. Open a support ticket explicitly stating:
      • The ticket is about a different, existing tenant where the caller is the only global admin.
      • The admin is locked out due to MFA with Microsoft Authenticator as the only method.
      • A Data Protection / tenant admin MFA reset is required.
   4. Provide the locked tenant’s admin UPN, tenant domain, and error details so support can route the case to the Data Protection team.
4. For end users (non-admins) in a business tenant If this scenario applies to a non-admin user, the correct process is to contact the organization’s Microsoft 365/Entra admin and have them:
   1. Go to Microsoft Entra admin center → Users → All users.
   2. Select the affected user.
   3. Open Authentication methods.
   4. Click Require re-register multifactor authentication.
   The user will then be prompted to set up MFA again on next sign-in.

In all cases where Authenticator is the only method and there is no second admin, the loop cannot be broken by self-service; it must be resolved by a global admin using Entra ID, or by Microsoft’s Data Protection team via a support request.

---

References:

• Global Admin Locked out - Microsoft Q&A
• I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
• Requesting a Tenant Admin MFA Reset - Microsoft Q&A
• Microsoft authenticator sending me into a spiral - Microsoft Q&A

Answer 2

Dear @Lindsey Roberts,

Since you are the Global Administrator of your tenant:

Option 1: You may need to contact the Data Protection Team at the service phone number via this link: Customer service phone numbers - Microsoft Support.

The main objective is to go through the IVR (automated system) until you reach a live agent and emphasize this very important security factor. Please help me try this script below, this is a commonly used script for authentication issues to bypass IVR, but you can try to see if it helps get through the system. Please help me to speak loudly, only keywords, clearly and patiently waiting for the machine's response. First, when you call the hotline, they will ask you what kind of problem you are facing with.

Answer: Authenticator.
A: What products do you use?
B: Office 365 for business.
Verification: Education or corporate account?
B: For companies
A: Are you an administrator?
B: Yes.
A: Are there other administrators in your organization?
B: No.
A: I need one.... Service request?
B: Yes

When you speak with a real agent, they can create a ticket for you in the affected tenant and then transfer that ticket to the Data Protection team.

Option 2: Create a new tenant with trial subscription to access and submit a ticket in the Admin Center.

If you still can't get in touch with a real person for help, help me try the following:

Sign up for a free trial (new tenant with trial subscription) of Microsoft 365 at this link: Compare All Microsoft 365 Plans | Microsoft. The goal is to create a temporary tenant with a Global Administrator account so that you can sign in to the Microsoft Admin Center. Once connected, you can submit a support ticket directly to Microsoft. Please remember to cancel the trial subscription once your issue is resolved to avoid unwanted charges.

How to submit support ticket in Admin Center: Get support - Microsoft 365 Admin | Microsoft Learn

Once you contact the Data Protection team, you will be required to provide proof of ownership of the company. This allows them to verify their identity and help reassign the Global Administrator account.

As a moderator, I do not have the tools to investigate your specific account directly, as this is a support forum between users. Moderators and collaborators, including external Microsoft employees, may not directly intervene in the functionality of Microsoft products or access internal systems. Our role is limited to providing technical guidance on reported problems, requests, or ideas. However, I will do my best to guide you as clearly as possible.

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.