Unable to access Microsoft 365 Business Basic tenant - The only Global Administrator is locked out due to lost Microsoft Authenticator

Andrew Yuan 0 Reputation points
2026-07-02T13:10:16.1733333+00:00

Hello Microsoft Support,

I need urgent assistance recovering access to our Microsoft 365 Business Basic tenant.

Our situation is as follows:

• Product: Microsoft 365 Business Basic

• Purchased directly from Microsoft (not through a reseller)

• Custom domain: centurywave.com.cn

The only Global Administrator accidentally removed the Microsoft Authenticator account from the iPhone.

As a result, Multi-Factor Authentication (MFA) can no longer be completed.

Unfortunately:

  • There are no other Global Administrators.
  • There are no alternative authentication methods.
  • We cannot sign in to Microsoft Entra Admin Center.
  • We cannot sign in to Microsoft 365 Admin Center.
  • We cannot access Outlook on the web because MFA is required.

We have already tried:

  • Re-registering MFA (before access was lost)
  • Contacting Microsoft phone support
  • Contacting the AI support assistant

However, we were informed that MFA issues must be handled online, but we cannot submit a support request because we cannot sign in.

We can provide proof of ownership, including:

  • Microsoft Order ID
  • Business license
  • Custom domain ownership (centurywave.com.cn)
  • DNS management access through Alibaba Cloud
  • Subscription information
  • Any additional verification requested by Microsoft

Could a Microsoft Moderator please help escalate this as an Admin Lockout case to the appropriate support team?

Thank you very much.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments No comments

2 answers

Sort by: Most helpful
  1. Henry-N 15,065 Reputation points Microsoft External Staff Moderator
    2026-07-02T13:45:27.6733333+00:00

    Hi @Andrew Yuan,

    Thank you for posting your question in the Microsoft Q&A forum.      

    I’m very sorry to hear about your situation. Regarding that you’re unable to log in to your global admin account.  

    If you don't have any other admin account in this situation, the Microsoft Data Protection team has tools and processes in place to verify identity and regain access to administrator accounts.    

    Please note that forum moderators have no control over user accounts, especially when it comes to logging in to your account, resetting your password, changing your access, etc.    

    Therefore, If you are the only administrator in your organization, then you need to involve Microsoft data protection team. Please try to find the related hotline number to call the frontline let them raise a ticket for you: Customer service phone numbers - Microsoft Support 

    *(Important Note: Depending on your country or region, when you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)     

    In some countries, this is an automated conversation: First, when you call the hotline, they will ask you what kind of problem you are struggling with.    

    Answer: Authenticator.    

    A: What products do you use?    

    B: Office 365 for business.    

    Verification: Education or company account?    

    B: For companies    

    A: Are you an administrator?    

    B: Yes.    

    A: Are there any other administrators in your organization?    

    B: No.    

    A: I need one.... Service request?    

    B: Yes    

    If your organization's Office 365 Business/Education subscription is from a partner or reseller, and the global administrator is unable to open a service request on your end, contact the reseller's support provider to help open a service request on behalf of you instead.    

    Alternatively, you can try set up a new trial tenant and submit your support request:   

    1. Visit the Microsoft 365 Enterprise Plans page: Go to Compare Office 365 Enterprise Pricing and Plans | Microsoft 365.   
    2. Choose a plan and start a free trial: Select any of the available plans and click "Try for free" to begin the trial setup process.   
    3. Follow the guided setup: Complete the steps to create a new Microsoft account and a new tenant. This will be a separate and independent Microsoft 365 environment.   
    4. Access the Microsoft 365 Admin Center: Once the new tenant is created, navigate to https://admin.microsoft.com/.   
    5. Go to Support: In the left-hand navigation menu, click on "Support" and then "Help & support."   
    6. Raise a support ticket: Describe your issue in detail. Crucially, you must clearly state that you are locked out of a different, pre-existing Microsoft 365 tenant where you are the administrator. Provide the following information about your locked account:    
      • Your administrator account email address for the locked tenant.   
      • The domain name of your locked tenant    
      • Any error messages you are receiving.   
      • Details about the authentication issues you are experiencing.   
      • Confirmation that you are the administrator of the locked tenant.   
    7. Submit your ticket: Follow the prompts to submit your support request. You will likely receive a ticket number for tracking.   

    When you open a support ticket, please make sure to turn off the Support Assistant (AI) in the help panel.  

    Several customers have reported issues when the Support Assistant is turned on  the system sometimes fails to display the “Contact Support” option.  

    As shown in the screenshot, simply switch Support Assistant > Off, then type your issue description.  Once the AI is off, the “Contact Support” button will appear normally, allowing you to submit a ticket directly.  

    User's image

    Important notes:    

    • This new trial tenant will not give you access to any of the data or settings in your original locked tenant. It is solely a temporary means to contact Microsoft support.   
    • Be prepared for Microsoft support to ask for verification of your identity and administrative rights for the locked tenant.   
    • The resolution time might be longer as you are contacting support from a different tenant.   
    • Remember to cancel the trial subscription for the new tenant once your issue with the original account is resolved to avoid any unintended charges. You can typically do this within the Microsoft 365 Admin Center under "Billing" -> "Your products."   

    I hope these steps will help resolve your issue. If you need further assistance, we are always here to help.     

    Thank you again for your time and understanding. While my initial response may not resolve the issue immediately, I’d like to gather more details about your situation so I can assist you more effectively.    

    I really appreciate your patience, and I’m here to help. Looking forward to your response.   


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".    

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread

    Was this answer helpful?

    0 comments No comments

  2. AI answer

    2026-07-02T13:10:57.1+00:00

    This scenario is a classic tenant admin lockout where the only Global Administrator cannot complete MFA and no other admin or method is available. There is no self-service recovery; it must be handled by Microsoft’s Data Protection / Tenant Recovery team via a support case.

    Use the following supported paths to get to that team:

    1. Call Microsoft support and request Data Protection / Tenant Recovery
      Since the subscription was bought directly from Microsoft and there is only one Global Administrator, use the global customer service phone channel and explicitly request escalation:
      • Call the regional number listed under Customer service phone numbers - Microsoft Support.
      • When interacting with the IVR/agent, clearly state:
        • The issue is “Authenticator / MFA – only Global Admin locked out of Microsoft 365 Business tenant”.
        • The product is Office 365 / Microsoft 365 for business.
        • It is a company (work) account, not personal.
        • Confirm there are no other administrators.
        • Ask to create a service request and escalate to the Microsoft 365 Data Protection team (tenant admin lockout / MFA reset).
      The Data Protection team has specific tools and processes to verify tenant ownership (using order ID, domain ownership, business documentation, etc.) and can reset the Global Admin’s authentication methods so that access to the tenant is restored.
    2. If phone support cannot route correctly, create a temporary tenant to open a ticket
      If frontline support repeatedly fails to recognize the scenario or insists on “online-only” support that requires sign-in, use the documented workaround:
      • Sign up for a new trial Microsoft 365 tenant (any business/enterprise trial) using a different domain.
      • Sign in to the Microsoft 365 admin center of this new tenant and go to Help & support.
      • Open a support request and clearly state:
        • This new tenant is only for contacting support.
        • The real, locked tenant is the one for centurywave.com.cn.
        • The Global Admin of that tenant is locked out due to lost Microsoft Authenticator with no other MFA methods and no other admins.
        • Request escalation to the Microsoft 365 Data Protection team to perform an admin lockout / MFA reset on the original tenant.
      • Provide all proof of ownership (order ID, business license, DNS control via Alibaba Cloud, subscription details, etc.) when the Data Protection engineer contacts you.
    3. What Microsoft will do
      • Data Protection engineers will verify identity and tenant ownership using the documentation and signals available.
      • Once verified, they can reset or clear the Global Admin’s MFA registration so that sign-in can complete and new authentication methods (including additional MFA options and backup admins) can be configured.
    4. After recovery – harden against future lockouts
      Once access is restored, follow the documented guidance to avoid recurrence:
      • Ensure at least two Global Admin accounts with different credentials and MFA methods.
      • Create break-glass emergency accounts excluded from Conditional Access policies and with strong passwords, as described in the tenant lockout prevention checklist.
      • Consider assigning a Privileged Authentication Administrator or similar role (if applicable) so someone else can reset MFA in the future.
      • Review MFA methods and add multiple options (Authenticator, SMS, phone, passkeys, etc.) for each admin.

    There is no supported way to bypass MFA or self-reset it in this situation without Microsoft’s Data Protection / Tenant Recovery team. The only viable resolution is to persist with phone support (or a ticket from a temporary tenant) until a Data Protection engineer is engaged and completes verification and reset.


    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.