Share via

Urgent: Only Global Admin Locked Out of Microsoft 365 Tenant Due to MFA

Viren Anand 0 Reputation points
2026-04-07T21:10:58.13+00:00

I am the only Global Administrator of my Microsoft 365 tenant (avalwynhouse.onmicrosoft.com) and I am completely locked out due to MFA.

I lost access to my Microsoft Authenticator app and have no alternative authentication methods configured.

I cannot access Admin Center, Entra portal, or Security Info.

All self-service recovery options are failing or redirecting to personal account recovery pages.

I need urgent escalation to the Data Protection / Account Recovery team for MFA reset. I can verify tenant ownership via billing details and domain information.

Please guide or escalate this case immediately.

Microsoft 365 and Office | Subscription, account, billing | For business | Other
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Tamara-Hu 13,305 Reputation points Microsoft External Staff Moderator
    2026-04-08T08:19:16.6866667+00:00

    Hi @Viren Anand,

    I'm sorry to hear that the only Global account is completely locked out.

    In this case, please carefully follow this instruction to ask for Microsoft Data Protection team support:   

    Try to find the related hotline number to call the frontline and let them raise a ticket for you: Customer service phone numbers - Microsoft Support 

    Depending on your country or region. For some countries, when calling the support number, although there are about 30 seconds opening as something "you can visit the link...." But you can ignore this opening and wait until the option, then "1" as a business email user, "1" again for technical help.   

    For some countries, it will be an automated conversation like:    

    • First, when you call the hotline, it asks what kind of problem you are worried about.   
    • Answered: authenticator.   
    • A: What kind of product are you using?   
    • B: Microsoft 365 for business.   
    • A confirmation: education or company account?   
    • B: For companies   
    • A: Are you an administrator?   
    • B: Yes.   
    • A: Do you have the other admin in your organization?   
    • B: No.   
    • A: You need one.... Service request?   
    • B: Yes   

    If your organization's subscription is from a partner or reseller, contact the reseller's support provider to help open a service request on behalf of you instead.   

    Please understand that forum moderators have no control over user accounts, especially when it comes to logging in to your account, resetting your password, changing your access, etc.   

    If you encounter any difficulties in contacting the frontline support, please feel free to let me know. Thank you and I wish you a great day!  

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. Q&A Assist
    2026-04-07T21:11:22.8566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Because there is only one global administrator on the tenant and that account is locked out by MFA with no alternative methods, recovery must be handled directly by Microsoft’s Data Protection / Tenant Recovery team. This cannot be fixed through self-service.

    Follow these steps as quickly as possible:

    1. Contact Microsoft Data Protection / Tenant Recovery by phone
      • Call Microsoft support using the regional phone numbers listed under Customer service phone numbers - Microsoft Support or Support for Business Products. These are linked from:
      • When the IVR asks what the problem is, clearly state variations of:
        • “Authenticator”
        • “Office 365 for business”
        • “Company account”
        • “Yes, I am an administrator”
        • “No, there is no other administrator”
        • “Yes, I need to create a service request and be transferred to the Data Protection team for tenant admin MFA reset.”
    2. Be explicit that this is a tenant lockout and you are the only global admin
      • Clearly state:
        • You are the only Global Administrator on the Microsoft 365 tenant.
        • You know the password but cannot complete MFA because Microsoft Authenticator is unavailable and no other methods are configured.
        • You cannot access any admin portal to open a support ticket.
      • Ask the agent to escalate to the Microsoft 365 Data Protection team / Tenant Recovery to perform an MFA reset / re-registration for the global admin account.
    3. Prepare verification information
      The Data Protection team will require proof of ownership. Have ready (examples based on similar resolved cases):
      • Tenant name and primary domain (for example, avalwynhouse.onmicrosoft.com and custom domains).
      • Billing details (company name, address, last invoice info, payment method details as requested).
      • Contact details that match what is on the tenant (phone, email, etc.).
    4. If phone support is difficult to reach, use a temporary tenant as a workaround
      • If unable to get to a live agent through normal routes, one documented workaround is:
        • Sign up for a new Microsoft 365 trial tenant.
        • From that new tenant’s admin center, open a support ticket.
        • In the ticket, request contact with the Data Protection team on behalf of the locked tenant and explain that the only global admin is locked out due to MFA with no alternate methods.
    5. What Microsoft will do
      • Once the case is with Data Protection, they will:
        • Verify tenant ownership using the information provided.
        • Reset or clear the MFA registration for the global admin so that, on next sign-in, MFA can be re-registered (for example, new Authenticator registration and an additional method like phone or email).
      • This process can take multiple interactions and some days in complex cases, but it is the supported path when no other global admin exists.
    6. After access is restored (important hardening steps)
      • Add at least one additional Global Administrator or a Privileged Authentication Administrator, so that one admin can recover the other if locked out.
      • Configure multiple MFA methods (Authenticator plus phone, plus possibly passkey or certificate-based authentication) for all admin accounts.
      • Enable and verify Self-Service Password Reset (SSPR) for admins and keep recovery methods up to date.
      • Follow the guidance to keep the number of global admins low but never only one, as recommended in the admin role security guidelines.

    These steps align with documented guidance for scenarios where the only global admin is locked out and MFA reset must be handled by Microsoft’s Data Protection team.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.