How to Recover Admin Microsoft Account with Lost MFA Access?

Hello Zwivhuya Ramanenzhe

Thank you for your patience .

We engaged with the Microsoft Data Protection team we have received the confirmation that your MFA issue has been resolved now.

Let us know if you need any further assistance from our end.

Thank you for contacting Microsoft Q&A!

Because the account is a work/school (Microsoft Entra ID) global admin and there is no other admin who can reset MFA, recovery must go through Microsoft’s Data Protection / Tenant Recovery process. The steps below summarize what is required and what to expect.

1. Confirm there is truly no other admin who can reset MFA

• If there were another cloud services/global admin, that admin could:
  • Sign in to the Azure/Microsoft 365 portal.
  • Go to Microsoft Entra ID → Users → select the locked-out admin → Authentication methods.
  • Use Require re-register multifactor authentication to force a fresh MFA setup on next sign-in.
• Since there is no other admin, proceed to Data Protection.

2. Understand why self-service options will not work

• Self-service MFA reset or security info replacement requires access to at least one existing verification method. With only the lost phone configured, sign-in gets stuck in an MFA loop and cannot be completed.
• Forum moderators and Microsoft for Nonprofits (if applicable) cannot bypass identity verification or directly change tenant ownership or admin MFA; all such actions are handled only by Microsoft 365/Data Protection support.

3. Contact Microsoft 365 / Data Protection support by phone Because sign-in to the admin portal is not possible, the recovery must be initiated via phone support:

1. Call Microsoft’s business support line for the region using the numbers listed under Customer service phone numbers - Microsoft Support or Support for Business Products.
2. When prompted by the IVR/agent, clearly state:
   • The issue is tenant lockout / global admin locked out due to lost MFA device.
   • The account is a Microsoft 365 for business / company account.
   • The caller is the only global administrator on the tenant.
   • There is no other admin who can reset MFA.
   • A Data Protection / Tenant Recovery / Microsoft 365 Data Protection team escalation is needed.
3. Ask the frontline agent to open a service request and escalate to the Data Protection team. If the call flow is automated, answer along these lines (as shown in the context):
   • Problem type: “Authenticator” or “Multi-factor authentication.”
   • Product: “Office 365 for business” or “Microsoft 365 for business.”
   • Account type: “Company account.”
   • Are you an administrator?: “Yes.”
   • Do you have another administrator?: “No.”
   • Request: “Yes, I need to create a ticket and be transferred to the Data Protection team.”

If the first call does not reach the right team, call again and explicitly request escalation (some users needed to ask for a duty manager to get a Data Protection engineer assigned).

4. Prepare to verify identity and tenant ownership The Data Protection / Tenant Recovery process will require proof that the caller legitimately administers the tenant. Be ready to provide, as requested by support:

• Official business documentation (for example, registration documents, invoices, etc.).
• Domain ownership proof (DNS, WHOIS, or admin access to the domain used for the tenant).
• Publicly listed organization information (website, nonprofit registration if applicable).
• Contact details that match existing tenant records where possible (business phone, email, address, country/time zone).

Microsoft for Nonprofits (if applicable) can help prepare documentation and confirm eligibility but cannot bypass identity verification or grant access directly; all final decisions and actions are done by Microsoft 365 support/Data Protection.

5. What the Data Protection team will do Once the case is escalated and identity is verified, the Data Protection team can:

• Reset or clear the MFA registration on the locked-out global admin account, or
• Help restore access to the tenant and ensure at least one admin can sign in.

After MFA is reset, the next sign-in will prompt for MFA registration again, allowing configuration of the Microsoft Authenticator app on the new phone and/or additional methods (SMS, email, security key) so there is a backup in the future.

6. If absolutely unable to reach support as the tenant admin If support cannot be reached directly as the locked-out admin, one documented workaround is:

• Create a new trial Microsoft 365 tenant (separate from the locked-out tenant).
• Use that new tenant’s admin portal to open a support ticket and request contact with the Data Protection team on behalf of the original tenant.
• In the ticket, clearly specify the original tenant domain, that it is locked out, and that the caller is the sole global admin who lost MFA access.

7. Future prevention once access is restored When access is recovered, configure redundancy so a single lost device cannot cause another lockout:

• Add at least one additional global admin.
• Configure multiple MFA methods for each admin (Authenticator app on more than one device where allowed, SMS, phone call, FIDO2 key, etc.).
• Ensure self-service password reset and security info management are enabled and correctly configured for admins.

References:

• Troubleshoot sign-in issues and account access problems
• Can't use Azure Multi-Factor Authentication to sign in to cloud services after you lose your phone or the phone number changes
• Common problems with two-step verification for a work or school account
• Find the administrator for your work or school account
• Tenant access recovery
• How Do I Regain Access to My Account After Losing Access to Microsoft Authenticator? (Urgent Request). - Microsoft Q&A
• Global Admin Locked out - Microsoft Q&A
• Requesting a Tenant Admin MFA Reset - Microsoft Q&A
• Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
• Microsoft authenticator sending me into a spiral - Microsoft Q&A