Share via

Urgent: Only Global Admin locked out of tenant, phone support redirects me to Contact Us, but Contact Us is unusable

Hoàng Tín 0 Reputation points
2026-04-09T07:47:22.64+00:00

Hello Microsoft team,

I need urgent help with a tenant lockout situation.

I am the only Global Administrator of my Microsoft 365 / Microsoft Entra tenant:

Tenant: 0c7dk.onmicrosoft.com Admin account: ******@0c7dk.onmicrosoft.com

I am locked out because MFA is required, but my old phone with Microsoft Authenticator is no longer available.

At sign-in, I am only offered these methods:

  • Approve sign-in in Microsoft Authenticator
  • Enter a verification code from Microsoft Authenticator
  • Receive a verification code by SMS

The problem is:

  • I no longer have access to the old Microsoft Authenticator app
  • SMS verification is not being delivered
  • I still know the password, but I cannot complete MFA
  • I am the only Global Administrator, so there is no other admin who can reset my MFA

I have already tried the normal support paths:

  • I called Microsoft phone support in Vietnam
  • The automated voice system did not solve anything
  • It redirected me to aka.ms/assist / Contact Us
  • But that support flow is not helping, because it keeps pushing me back into sign-in and requires me to log in with the same work account that I am already locked out of

So at this point I am stuck in a loop:

  • cannot sign in because MFA cannot be completed
  • cannot use Contact Us properly because it requires sign-in
  • cannot reset MFA because I am the only admin

I am requesting guidance for the correct escalation path for this exact situation: only Global Administrator locked out of tenant due to lost Authenticator access, with SMS also failing.

Please tell me:

  1. how I can reach a real support path that does not depend on logging into the locked business account
  2. whether this needs to be escalated to Data Protection / Tenant Recovery
  3. what proof of ownership Microsoft needs from me to recover admin access

If needed, I can provide:

  • screenshots of the sign-in loop
  • screenshots showing the available MFA methods
  • proof that I still know the password
  • any tenant ownership information required

I would really appreciate direct guidance, because I have already spent many hours going in circles between phone support and the Contact Us page.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-09T07:48:02.47+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    This scenario matches a tenant lockout where the only Global Administrator has lost access to all MFA methods. Self-service recovery and normal admin-center-based support are no longer possible. The next step is to work directly with Microsoft’s Data Protection team via a support ticket or phone, without signing in to the locked tenant.

    1. How to reach support without signing in to the locked account

    Use one of these supported paths that do not require signing in to the locked tenant:

    Option A – Call Microsoft business support and ask for Data Protection

    1. Call the regional Microsoft business support number listed under Customer service phone numbers - Microsoft Support.
    2. When the IVR/agent asks about the issue, clearly state:
      • The problem is Authenticator / MFA.
      • The product is Office 365 / Microsoft 365 for business.
      • The account type is company (work) account.
      • Confirm being the only Global Administrator and that no other admin can reset MFA.
      • Request creation of a service request with the Microsoft 365 / Azure Data Protection team for tenant admin MFA reset / tenant lockout.
    3. If the first-line agent tries to route back to self-service or sign-in-based support, insist that:
      • Sign-in is not possible due to MFA lockout.
      • There is no other global admin.
      • A Data Protection / Tenant Recovery case is required.

    This flow is explicitly supported when the only global admin is locked out and cannot open a ticket from the tenant.

    Option B – Create a temporary trial tenant to open a ticket

    If phone support cannot complete the escalation, use the documented workaround:

    1. Sign up for a new Microsoft 365 trial tenant (a completely separate tenant) using any email that can receive mail.
    2. In that new tenant, go to the Microsoft 365 admin center → SupportHelp & support.
    3. Open a support request and clearly state that:
      • The ticket is about a different existing tenant, not the trial tenant.
      • Provide the locked tenant’s domain (for example, 0c7dk.onmicrosoft.com) and the global admin UPN.
      • Describe that this is a tenant lockout / only global admin locked out due to MFA.
      • Request escalation to the Data Protection team to perform admin MFA reset / tenant recovery.

    This method is documented in similar cases where admins cannot sign in to the original tenant but can still use another tenant to reach support.

    1. Whether this goes to Data Protection / Tenant Recovery

    Yes. When:

    • The only Global Administrator is locked out by MFA,
    • No other admin exists to reset MFA, and
    • Self-service password reset or MFA reset cannot be used,

    the case must be handled by the Microsoft 365 / Azure Data Protection team as a tenant lockout / tenant recovery scenario. This is the same path used in:

    • “Global Admin Locked out” scenarios.
    • Cases where a single admin loses Authenticator access and no alternate method works.
    1. Proof of ownership and what to prepare

    Data Protection will guide the exact verification steps, but based on similar documented cases, be prepared to provide:

    • The tenant name and domain (for example, 0c7dk.onmicrosoft.com).
    • The locked global admin username.
    • Confirmation that there are no other global admins.
    • Business identity details that match the tenant’s billing/registration records (company name, address, phone, etc.).
    • Any billing or subscription information associated with the tenant (invoice numbers, last 4 digits of payment method, etc.).
    • Screenshots of the MFA prompt / sign-in loop (if requested by support).

    The Data Protection team uses internal tools and processes to verify identity and ownership and, once satisfied, can:

    • Reset credentials or MFA for the global admin, or
    • Otherwise restore access to the tenant.
    1. Additional notes and expectations
    • Forum moderators and automated phone flows cannot directly change MFA or account settings; only the Data Protection team can act once ownership is verified.
    • Resolution may require multiple interactions; keep any case number provided by phone or via the trial-tenant ticket.
    • After recovery, configure:
      • At least two global admin accounts with different MFA methods.
      • Emergency/break-glass accounts excluded from Conditional Access.
      • Self-Service Password Reset (SSPR) with multiple recovery methods.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.