When multi-factor authentication (MFA) breaks for a global admin account in Microsoft Entra ID (formerly Azure AD), it can completely lock you out of your tenant. This issue often occurs when TOTP (Time-based One-Time Password) authenticators become desynced, reset, or deleted — and there’s no backup method available.

If you can’t access your admin portal due to a broken MFA, here’s how to fix it step-by-step and regain control of your tenant.
Why This Happens
When you configure TOTP-based MFA (such as an Authenticator app) and the device or its seed data is lost, there is no backup from which the codes can be regenerated. If this affects your only global admin, it creates a lockout loop: you can't sign in to reset MFA or manage users.
Microsoft's self-service recovery tools cannot override this for global admins without proof of ownership, which is why such support tickets are routed to the Data Protection Team (DPT) for manual verification. Once you're locked out, recovery depends on whether you still have another global admin in the tenant.
1. Try Logging in from a Trusted Session
If you previously selected “Don’t ask again for 30 days”, try:
- Logging in from the same browser and device you last used for admin access.
- Visiting https://entra.microsoft.com directly.
- If prompted for MFA, use the Authenticator app backup (if available) or any cached session token from your browser.
Sometimes, cached sessions still hold a valid refresh token, giving you limited temporary access.
2. Use Another Global Admin to Reset MFA
If another global admin exists:
- Sign in to the Microsoft Entra Admin Center.
- Go to Users → All Users → [Your Locked Admin Account].
- Under Authentication methods, select Require re-register MFA.
- The next time you sign in, you’ll be prompted to set up a new MFA method.
Tip: This is the safest and quickest fix if another global admin account is available.
3. Use a Break-Glass Account (Emergency Access Account)
If your tenant has a break-glass account — an admin account exempted from MFA — use it now.
- Sign in using the emergency credentials.
- Navigate to Azure Active Directory → Users.
- Locate the locked account and click Manage user settings.
- Turn off Multi-Factor Authentication (MFA) temporarily.
- Reconfigure MFA on the broken admin account using a new device.
If you don’t have a break-glass account, proceed to escalation.
4. Contact Microsoft Support and Request DPT Escalation
If no admin can access the tenant, you’ll need help from the Microsoft Data Protection Team (DPT).
Here’s how to do it properly:
- Go to https://support.microsoft.com and open a new Microsoft 365 Admin or Azure Subscription support case.
- Clearly state: “Our only global admin account is locked due to broken MFA. We need escalation to the Data Protection Team for tenant ownership verification.”
- Provide the following details:
- Tenant ID (e.g., contoso.onmicrosoft.com)
- Global admin username/email
- Subscription ID and billing contact details
- Proof of ownership (e.g., last invoice or payment method on file)
Once verified, the DPT will temporarily disable MFA so you can log in again.
Important: Only the DPT has authority to bypass MFA at the tenant level. Regular support cannot do this.
What to Do After Regaining Tenant Access
Once you regain access, perform these steps immediately:
- Reset MFA: Go to your profile → Security info → Delete old authenticator → Re-add new MFA.
- Add a second global admin account to avoid single points of failure.
- Create a break-glass account exempt from conditional access and MFA.
- Review and document all MFA recovery options (including recovery codes and phone numbers).
- Store your tenant’s subscription ID, invoice, and contact email in a secure location.
How to Prevent Future MFA Lockouts
To avoid getting locked out again:
- Maintain at least two global admins.
- Keep break-glass accounts outside conditional access enforcement.
- Periodically test sign-ins for all admin accounts.
- Export your MFA configuration and recovery codes securely.
- Use FIDO2 keys or Authenticator backups for redundancy.
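As an added example that is not part of the original article, the following Microsoft Graph PowerShell script audits a tenant against the post-recovery and prevention checklists above: it counts global admins, lists each admin's registered second-factor methods (flagging anyone with a single method or no FIDO2 key), and checks that a break-glass account is excluded from every enabled Conditional Access policy. It assumes the Microsoft.Graph module is installed and that the break-glass UPN is a placeholder you replace with your own.

```powershell
# Added audit script (not from the original article). Assumes the Microsoft.Graph
# module is installed; $BreakGlassUpn is a placeholder to replace with your own.
$BreakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # placeholder

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All',
                        'UserAuthenticationMethod.Read.All', 'Policy.Read.All'

# 1. Count Global Administrators (the role template must be activated in the tenant).
$role   = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$admins = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
            Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' })
if ($admins.Count -lt 2) {
    Write-Warning "Only $($admins.Count) global admin(s): one lost TOTP seed can lock the tenant."
}

# 2. For each admin, list registered methods other than the password and flag
#    anyone relying on a single second factor (a lost authenticator means lockout).
foreach ($a in $admins) {
    $upn     = $a.AdditionalProperties['userPrincipalName']
    $methods = @(Get-MgUserAuthenticationMethod -UserId $upn |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
                 Where-Object { $_ -ne 'passwordAuthenticationMethod' })
    $note = if ($methods -contains 'fido2AuthenticationMethod') { '' } else { ' (no FIDO2 key)' }
    Write-Output ("{0}: {1} second-factor method(s): {2}{3}" -f $upn, $methods.Count, ($methods -join ', '), $note)
    if ($methods.Count -lt 2) { Write-Warning "$upn has no fallback MFA method registered." }
}

# 3. Verify the break-glass account exists and is directly excluded from every enabled
#    Conditional Access policy. Only per-user exclusions are checked here; exclusions
#    via group membership are not resolved by this script.
$bg = Get-MgUser -UserId $BreakGlassUpn -ErrorAction SilentlyContinue
if (-not $bg) {
    Write-Warning "Break-glass account $BreakGlassUpn not found in the tenant."
} else {
    Get-MgIdentityConditionalAccessPolicy |
        Where-Object { $_.State -eq 'enabled' } |
        ForEach-Object {
            if ($_.Conditions.Users.ExcludeUsers -notcontains $bg.Id) {
                Write-Warning "Enabled CA policy '$($_.DisplayName)' does not exclude the break-glass account."
            }
        }
}
```

Run it on a schedule from a non-admin workstation with a read-only Graph identity, and treat any warning as a lockout risk to fix before it is needed.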
FAQs: MFA Broken for Global Admin Account
1. What should I do if my global admin account is locked due to broken MFA?
Ask another global admin to reset your MFA. If none exists, contact Microsoft Support and request the Data Protection Team (DPT) to disable MFA after verifying ownership.
2. Can Microsoft Support remove MFA directly?
No. Only the Data Protection Team can disable MFA for a global admin after confirming tenant ownership.
3. How long does recovery take?
Usually 3–5 business days, depending on how fast you provide verification documents.
4. How can I avoid getting locked out again?
Add a second global admin and a break-glass account without MFA. Keep recovery details stored securely.
5. What if I don’t have billing access to prove ownership?
You can verify through domain records or organization documents. The DPT will guide you through alternative proof options.