Microsoft Authenticator is no longer accessible (device changed / not configured)

Question

Dear Microsoft Support,

I am the administrator of the Microsoft 365 tenant for the domain [Moderator note: personal info removed] , and I am currently locked out of my account due to Multi-Factor Authentication.

Details:

• User: [Moderator note: personal info removed] 
• Issue: Microsoft Authenticator is no longer accessible (device changed / not configured)
• Result: Unable to sign in or complete MFA verification
• No alternative authentication methods available
• No other Global Administrator account is available to perform a reset

Because of this, I am unable to:

• Access Microsoft 365 Admin Center
• Reset MFA
• Reset password
• Manage users or services

I kindly request:

1. MFA reset (require re-registration) for the affected account
2. Assistance in restoring administrative access to the tenant
3. Guidance on securing the tenant after access is restored

I can provide any required verification (domain ownership, DNS records, billing details, etc.).

Thank you for your assistance.

Best regards,

[Moderator note: personal info removed] 

[Moderator note: personal info removed] 

---

Moved from Microsoft Security | Microsoft Authenticator

Answer 1

Dear @Denis Teskera,

Thank you for posting your question in the Microsoft Q&A forum.

Based on your description, your Microsoft Authenticator app is no longer accessible after your device changed/reset, and you’re asking how to recover access to your account.

Since your email is a business account, you are the only Global Administrator and you are completely locked out from the tenant. You might need to contact Microsoft Support team via phone service number: Customer service phone numbers - Microsoft Support. The agent will be able to create a ticket for you under the affected tenant and then transfer this ticket to Data Protection team who could help you to regain access. As a forum moderator, I do not have administrative access to change these settings

To help you navigate the automated phone system (IVR), here's an example of what the conversation might look like:

IVR: What kind of problem are you worried about?

You: Admin account locked

IVR: What kind of product do you use?

You: Office 365 for business

IVR: Does it count for education or business?

You: For Business

IVR: Are you an admin?

You: Yes

IVR: Do you have another administrator in your organization?

You: No

IVR: Need a service request?

You: Yes

This should help you connect with a live support agent who can help you directly.

If you can't create a support ticket during the call, I recommend creating a temporary tenant account and submitting the support request from there. To create a new tenant, follow these steps:

1. Visit Office 365 E3 - Enterprise Collaboration and Productivity | Microsoft    
2. Select any plan and click Try for free.    
3. Complete the setup to create a new tenant.    
4. Ticket support: In the Microsoft 365 admin center>support>help & support. You can create a support ticket: https://admin.microsoft.com/#/support/requests     

Important: Please remember to cancel the trial subscription once your issue is resolved to avoid any charges.    

Please understand that as forum moderator, my primary goal is to provide helpful guidance and support through general troubleshooting steps. While I don’t have access to internal systems or test devices required to resolve backend issues, I truly appreciate your understanding of these limitations. I genuinely hope the information I share helps guide you in the right direction, and I'm always here to assist as much as I can within my scope.   

---

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

For a locked-out administrator with no access to Microsoft Authenticator, no backup methods, and no other Global Administrator on the tenant, recovery must be handled by Microsoft Support’s Data Protection / Tenant Recovery team. The steps below align with the documented and recommended process.

1. Because there is no other Global Administrator

• When another Global Administrator exists, that admin can sign in to the Azure portal → Microsoft Entra ID → Users → select the locked-out user → Authentication methods → Require re-register multifactor authentication. This forces MFA re-registration on next sign-in.
• In this case, there is no other Global Administrator, so this self-service admin path is not available and the issue is treated as a tenant lockout.

2. Contact Microsoft Support (Data Protection / Tenant Recovery) Use Microsoft’s global customer service phone numbers to reach support and request a Data Protection / Tenant Recovery case for an admin MFA reset:

• Call the number for the appropriate country/region from Customer service phone numbers - Microsoft Support.
• When interacting with the IVR/agent, clearly state:
  • This is a Microsoft 365 for business / company account.
  • The caller is the only Global Administrator for the tenant for domain as-travel.hr.
  • MFA is enabled and the only method was Microsoft Authenticator on a device that is no longer accessible.
  • The result is a tenant admin lockout and inability to access the Microsoft 365 admin center or Azure portal.
  • A Data Protection / Tenant Recovery case is needed to reset the admin’s MFA methods.

Support will then:

• Verify tenant ownership and identity (for example, via domain ownership, billing information, and other proof).
• Engage the Data Protection team to reset MFA for the locked-out Global Administrator.
• Provide instructions or confirmation once MFA has been cleared so the admin can sign in and reconfigure authentication methods.

If reaching a live agent is difficult, an alternative sometimes used is:

• Create a new temporary tenant via a Microsoft 365 trial.
• Use that new tenant’s admin center to open a support ticket and request to speak with the Data Protection team on behalf of the original tenant. (This is only a workaround when direct phone escalation is not succeeding.)

3. After access is restored: secure the tenant Once MFA has been reset and admin access is restored, apply these security measures:

1. Re-register MFA for the Global Administrator

• Sign in and complete the new MFA registration when prompted.
• Configure multiple MFA methods (for example, Microsoft Authenticator on the new device plus phone/SMS or another method) so a single device failure does not cause another lockout.

2. Add at least one additional privileged admin

• Follow the security guideline to avoid having only one Global Administrator.
• Create at least one more admin with appropriate roles, ideally:
  • Another Global Administrator, and
  • A Privileged Authentication Administrator who can reset MFA for admins if needed.
• This ensures that if one Global Administrator is locked out, another admin can reset the account or MFA.

3. Enforce MFA for all admins and users

• Ensure MFA is required for all administrator accounts and, ideally, all users.
• This reduces the risk of account compromise while still allowing recovery via other admins if one account loses its device.

4. Review sign-in and security logs

• After regaining access, review Microsoft Entra sign-in logs and security alerts to confirm there is no suspicious activity associated with the admin or other accounts.

5. Document recovery procedures

• Internally document:
  • How to contact Microsoft Support and Data Protection.
  • Which admins can reset MFA.
  • Which MFA methods are configured for each admin.
• This reduces downtime if a similar issue occurs in the future.

These steps align with the documented behavior that when no other Global Administrator can reset MFA, Microsoft’s Data Protection team must intervene to restore access.

---

References:

• Common problems with two-step verification for a work or school account
• Use a screen reader to set up and troubleshoot multifactor authentication
• How to add your accounts to Microsoft Authenticator
• About administrator roles in the Microsoft 365 admin center
• Can't set up MFA because five devices are already registered to use an authenticator app
• Global Admin Locked out - Microsoft Q&A
• Requesting a Tenant Admin MFA Reset - Microsoft Q&A
• Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
• I need to reset my mfa methods - Microsoft Q&A
• Azure has blocked myphone number for SMS verification due to a “bad reputation” flag - Microsoft Q&A

AI-generated content may be incorrect. Read our transparency notes for more information.