MFA loop of hell

Question

MFA loop of hell

Alex Maurice 40

I had set up the Microsoft Authenticator app with my business account. All good.

Then I changed phone and, shockingly, transferring Microsoft Authenticator was not at the very top of my life priorities. Go figure.

I then tried to log in. I know the special Microsoft domain email they gave me. I know the password. The portal then gracefully asks me to either approve the request in Microsoft Authenticator, or use a verification code from Microsoft Authenticator.

Fine. I open the Authenticator app on the new phone. I am logged out. No problem, I think, I will just log back in. Maybe it will send me an SMS code or offer another sensible recovery method.

But no. Surprise, surprise. The app I am trying to log into asks me to verify the login using the same app I am currently trying to log into.

Beautiful. A proper engineering recursive loop. Microsoft Authenticator has successfully authenticated itself into total uselessness.

So I thought, surely this must be an easy fix. I will contact support.

Ah. But to get support, I need to sign in.

I tried the phone number as well. With respect, Microsoft, Copilot is not ready for this level of human suffering.

So the summary is:

I cannot log in because Microsoft Authenticator is required.

I cannot access Microsoft Authenticator because logging into it requires Microsoft Authenticator.

I cannot contact support because support requires me to log in.

At this point, I am not entirely sure whether this is an account recovery issue or an advanced Microsoft philosophy experiment.

Can someone from Microsoft please tell me how a business admin is supposed to recover access when the MFA method is locked inside the MFA method itself?

0 comments

Answer accepted by question author

2 additional answers

Your answer

Answer 1

You’re stuck in a known MFA lockout scenario. There is no way to bypass Microsoft Authenticator yourself if it’s your only authentication method.

To recover access to your Microsoft 365 business account, you have only these valid options:

1. If another admin exists

Ask another global admin to reset your MFA in Microsoft Entra ID. This will remove your old Authenticator setup and let you register a new device.

2. If you are the only admin (most likely case)

You must contact Microsoft’s Data Protection Team.

Since you can’t log in:

Call Microsoft support directly (don’t rely on chat)
Ask specifically: “Connect me to Data Protection Team for MFA lockout”
Provide verification details (company name, billing info, domain, etc.)

3. Workaround if you can’t reach support

Create a new trial tenant in Microsoft 365 just to raise a support ticket:

Go to Admin Center → Help & Support
Explain you’re locked out of your original tenant due to MFA
Request escalation to Data Protection Team

Important

There is no self-service fix
Reinstalling Microsoft Authenticator won’t help
Password reset won’t bypass MFA

After recovery (do this immediately)

Add backup MFA methods (SMS/email)
Enable backup codes
Create a second admin accountYou’re stuck in a known MFA lockout scenario. There is no way to bypass Microsoft Authenticator yourself if it’s your only authentication method. To recover access to your Microsoft 365 business account, you have only these valid options:
1. If another admin exists
Ask another global admin to reset your MFA in Microsoft Entra ID.
This will remove your old Authenticator setup and let you register a new device.
2. If you are the only admin (most likely case)
You must contact Microsoft’s Data Protection Team. Since you can’t log in:
- Call Microsoft support directly (don’t rely on chat)
- Ask specifically: “Connect me to Data Protection Team for MFA lockout”
- Provide verification details (company name, billing info, domain, etc.)
3. Workaround if you can’t reach support
Create a new trial tenant in Microsoft 365 just to raise a support ticket:
- Go to Admin Center → Help & Support
- Explain you’re locked out of your original tenant due to MFA
- Request escalation to Data Protection Team
Important
- There is no self-service fix
- Reinstalling Microsoft Authenticator won’t help
- Password reset won’t bypass MFA
After recovery (do this immediately)
- Add backup MFA methods (SMS/email)
- Enable backup codes
- Create a second admin account

Answer 2

Hi @Alex Maurice,

Good day. It sounds like this situation has been challenging, and your concern is clearly heard.

Changing to a new phone often triggers this issue because your Multi-Factor Authentication (MFA) settings usually need to be reset. When you switch devices or reinstall the Microsoft Authenticator app, your new phone isn’t automatically configured for authentication. Since the app is still tied to your previous device, you’re unable to receive authentication codes on the new one, which is why you can’t access your account right now.

For admin access recovery, the available options are as follows:

Option 1: Contact another IT administrator in your organization (if available)

Please check if there are other IT admins who still have access and share with them the steps outlined in the article Manage user authentication methods for Microsoft Entra multifactor authentication. This will help them assist you in resetting your MFA settings and restoring access to the account.

Once the other admin completes this process, your previous sign-in sessions will be cleared, and the next time you log in, you will be prompted to set up MFA again from scratch.

Option 2: Contact Microsoft Data Protection Support by phone (Please proceed with the third option if contacting phone support is not applicable to the situation)

I understand that you’ve already attempted to reach support by phone without success. In this situation, you may consider contacting Global Customer Support again and following the script below to help navigate the automated phone system more effectively.

During the phone call, you will need to provide the information associated with your subscription, such as your company name, billing details, phone number, and an alternate email address, etc. This information allows the Data Protection team to verify your identity and securely assist you in regaining access to your administrator account.

Here are some tips and an example of a prompt to help you reach out the Microsoft Data Protection team support more effectively:

(When you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)

In some countries, it is an automated conversation like:

IVR: What kind of problem are you concerned about?

You: Authenticator.

IVR: What kind of product do you use?

You: Office 365 for business.

IVR confirmation: education or company account?

You: For companies

IVR: Are you an administrator?

You: Yes.

IVR: Do you have another administrator in your organization?

You: No.

IVR: Do you need a... Service request?

You: Yes. I need to create a ticket. Please send me directly to the Data Protection Team.

Please note that forum moderators do not have access to user account settings and cannot assist with logging in, resetting passwords, or changing access rights. While we do not have access to internal systems or administrative tools required to resolve account-specific or backend-related issues but we’ll continue doing our best to support you within the scope of our responsibilities.

Option 3: Create a new tenant to submit a support ticket (Alternative method)

Please note that the trial tenant is intended only to help you create a support ticket for your existing business tenant. It is not meant to replace or serve as your primary tenant.

If you still cannot reach a live agent, there is still a workaround, you might consider registering for a new tenant by signing up for a trial subscription.

To set up a new tenant, please follow these steps:

Visit Microsoft 365 Business Plans and Pricing | Microsoft 365. This would allow you to create a new tenant following the prompts provided. Once set up, you can access the admin console of the new tenant and submit a support ticket requesting to speak with the Data Protection team on behalf of your previous tenant.
Create a support ticket: In the Microsoft 365 Admin Center > Help & Support.

In your ticket description, you'll need to clearly explain that you're trying to regain access to your previous Microsoft 365 tenant and need help from the Data Protection team. Here's a message you can use or adapt:

"Hello, I’m currently unable to access my previous Microsoft 365 tenant due to losing MFA access. I’m the only global admin, but I’m locked out and unable to generate a QR code or bypass MFA.

I created this new tenant solely to request assistance. I kindly ask to be connected with the Data Protection team to verify my identity and help me recover access to the original tenant.

This is urgent, as I rely on Microsoft 365 for my work and have been unable to operate for several days. I’m available to provide any documentation or verification needed to support the recovery process."

Please remember to cancel the trial subscription after your issue is resolved, as this will help you avoid any accidental billing. You may prefer the following resource for detailed instructions: Cancel your Microsoft business subscription in the Microsoft 365 admin center | Microsoft Learn.

I hope this helps you regain access to your account quickly. I'm glad to assist and truly hope the information provided has been useful. Please feel free to reach out anytime if you need further assistance.

If you find my post useful, kindly consider upvoting it. Doing so can assist others in the community who may have similar questions in finding solutions more quickly.

Thank you for your kindness and contributions to the forum.

If the answer is helpful, please click "Accept Answer". If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in this documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

Episode 2: Revenge of the Bot.

Thanks to all the genuinely helpful answers here from actual humans. I called Microsoft and proceeded to have what can only be described as the fight of my life with two automated voice systems.

The first one was the standard robotic voice with basic voice recognition. I got through that one fairly quickly using the kindly provided prompts. It then said it would connect me to someone, and for one brief, beautiful moment, I felt joy.

But no.

I was then connected to what I am fairly sure was a modern Copilot style AI voice assistant. It sounded more human, yes. With respect, though, the only real improvement was that it was better at understanding what I was saying. As for actually resolving the problem, not quite there yet.

Thirty minutes of back and forth followed, including classics such as:

“Could you tell me more details about your account that might help us proceed with your request?”

And my personal favourite:

“We are in the final step.”

Also:

“It looks like we just need one more detail to proceed.” -- I think it said that about twenty times.

At this point, I am not even sure the economics work. The token usage and compute generated for literally nothing must surely cost more than just letting me speak to a human for five minutes.

Unless, of course, the actual purpose is to keep the average user at arm's length from opening a ticket. In which case, fair play, it is extremely efficient. It has managed to one up the “open a ticket” punchline.

So now I am back here, asking humans how to get around automated systems in order to reach other humans, for what I suspect is one simple admin MFA reset.

The last time I had this kind of issue with another huge corporation, I ended up adding every employee I could find on LinkedIn in complete despair. I imagine I briefly became a quick topic of a Monday morning meeting. But after a couple of weeks, miracle of miracles, it worked.

This time, the use case is thankfully less dramatic. We are talking about Word, Excel, and PowerPoint. Let’s be honest, mostly compatibility use. But I do need the account so I can open an Azure account under the same umbrella.

Or perhaps not. Maybe Alex.2.Microsoft, here I come.

As a software engineer working in AI myself, I fully accept, and even support, that AI can handle many support cases. But when a known catch 22 profile is not handled properly by the automated system, and is not routed correctly even though the edge case is known, that is not innovation....

Surely this is not an exotic scenario.

A business user has an email address, a password, and an authenticator app. They change phone, lose access to the Authenticator app, and suddenly the MFA method required to recover the account is locked behind the MFA method itself.

I do have a recovery PIN, an alternative email, and other account details, i even know my password! I also have a phone number linked to the account, which the very helpful automated voice system mentioned...

But the actual options I am offered are:

Approve a notification in the Microsoft Authenticator app, which requires me to already be logged into the app.

Or get a verification code from the Microsoft Authenticator app, which also requires me to already be logged into the app.

Bravo. Truly.

Apparently, shame on me for not having every single possible MFA method configured, including the brand new passkey options, a backup satellite phone, a notary, and possibly a signed letter from Bill Gates himself...

This is definitely one of the best recursive loops of hell I have seen.

To get online support, I need to log in.

To log in, I need Authenticator.

To access Authenticator, I need Authenticator.

To get phone support, I need to survive the voice bot.

And best of all, after around thirty minutes, the automated voice said, “Let me process the request,” then went silent and never returned. After another ten minutes of silence, making the call around forty minutes in total, I gave up and hung up.

I assume the compute token limit was reached.

I still need access to the Data Protection Team for a sole Global Administrator MFA lockout. If anyone knows the magic words to get the voice system to stop admiring the problem and actually route the case, I am all ears.

stay tuned for episode 3 hopefully NOT coming out next week...

Lia V 6,445 Reputation points Microsoft External Staff Moderator

2026-05-06T20:35:45.41+00:00

Hi @Alex Maurice,

Thank you for taking the time to share this experience in such detail. I really appreciate the additional context you’ve provided.

I completely understand how this situation could feel especially difficult, and I agree it can be challenging when the automated routing does not lead you directly to the right team.

To help avoid further delays with ticket creation and give you a more direct path forward, you may consider the following approach:

Create a trial Microsoft 365 tenant by going to Microsoft 365 Business Plans and Pricing | Microsoft 365 and select "Try for free".

Once the new tenant is available, sign in to the Microsoft 365 admin center and submit a support request for regaining access to your original tenant from there.

In the ticket, clearly explain that this is a Global Administrator MFA lockout scenario, and request to be routed to the Data Protection Team.

This allows you to bypass some of the limitations of phone routing and reach support through a channel where your case can be properly documented and escalated.

If you do not plan to continue using the trial subscription, you can cancel it afterward to avoid any unintended charges once everything is resolved. For instructions, please refer to: Cancel your Microsoft business subscription in the Microsoft 365 admin center | Microsoft Learn.

Additionally, I hope you understand that as a forum moderator, I’ve explored the available guidance and supported options for situations like this. While I may not have access to internal systems or escalation channels, I do hope the approach shared above can provide a helpful path to reach the appropriate support.

This approach should help provide a clearer path forward and assist you in reaching the appropriate support team. Please feel free to reach out if you need additional assistance in the meantime.

Answer 4

Alex Maurice 40

Thanks both for the prompt answers.

It sounds like this is definitely one for the Data Protection Team.

Thank you also for the automated phone prompt to help get through to someone. I will give them a call next week and report back 🫡

Have a great weekend, and many thanks again.

Lia V 6,445 Reputation points Microsoft External Staff Moderator

2026-05-01T18:15:07.8766667+00:00

Hi @Alex Maurice,

Thank you for your response.

If you found my response helpful, marking it as the accepted answer would be greatly appreciated. This can make it easier for other community members to find the solution when encountering similar questions about passing the automatic phone prompt.

Thank you again for your time and cooperation throughout the resolution process. Should any questions or concerns arise in the future, please feel free to reach out. I would be happy to assist, and the moderators in the Microsoft Q&A forum remain available to provide additional guidance as needed.

Thank you for your continued engagement and for contributing to the Microsoft Q&A community.
Alex Maurice 40 Reputation points

2026-05-02T11:05:54.28+00:00

no worries done 🫡 thanks again
Lia V 6,445 Reputation points Microsoft External Staff Moderator

2026-05-05T15:04:09.82+00:00

Hi Alex Maurice,

Thank you very much for accepting the answer. It’s been a pleasure working with you on this thread.

Your time and collaboration are truly appreciated.

Wishing you a smooth rest of your day.

Share via

MFA loop of hell

1. If another admin exists

2. If you are the only admin (most likely case)

3. Workaround if you can’t reach support

Important

After recovery (do this immediately)

1. If another admin exists

2. If you are the only admin (most likely case)

3. Workaround if you can’t reach support

Important

After recovery (do this immediately)

2 additional answers

Your answer