Hero Banner

Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Level 1 Contributor

Locked out from the sole admin account for my tenant

A few months ago I tried enabling MFA for the admin accounts on a few tenants for which I'm the sole IT consultant, and restricting the validation method to the Authenticator app (the reason being that here in Brazil there's a lot of SIM cloning and phone line hijacking, and validation via SMS text messages is risky); however, when changing phones a couple of months later the Authenticator app did not completely migrate the accounts, and I ended up locked out from all of them (eventually I found out that the MFA codes are specific to the enrolling phone hardware).


By accessing my customer's servers via RDP, I managed to disable MFA using stored credentials that were still valid on their respective servers, and didn't think any more of it. However, last week one (and only one) of those tenants, for reasons unknown, reinstated the MFA challenge and locked me out.


On this tenant I have a single admin account (having learned this painful lesson, I have now added emergency admin accounts to all of my other customers), and no access to any MFA validation method; I have tried resetting the password (successfully) but even after that keep being prompted for validation.

Having spent the last two hours on the phone, waiting for the chance to speak to a support engineer (never got one...), I'd like to know if there is a specific procedure for emergency disabling of the admin account's MFA; I'm the contact for the tenant, can produce any documentation to support my claim and legal standing, and both the recovery e-mail and phone numbers are my own (the proof is that I was able to reset the password)

Level 1 Contributor

Thanks, I'll check those links - in the meantime, I've managed to get a reply from MS, let's see what happens

Level 6 Contributor

Hello @Cellobita ,


Are these tenants/customers in your Microsoft Partner Center portal? If so, and if you have DAP (and/or soon GDAP) configured: an account in your tenant that has AdminAgent permissions can connect to your customers' tenants and modify Azure AD / O365. So you could disable Conditional Access Policies, disable per-user MFA, reset passwords, or create a new Global Admin in the Customer's tenant. You shouldn't need to log in with a Customer-Tenant specific admin account (though they should be MFA protected of course).


For your own tenant, you should have multiple Global Admins / AdminAgent accounts, with MFA, to different devices (multiple users) in case one person has device issues.


If you're not a Microsoft Partner with Tier 1 or Tier 2 access to the MS Partner Center portal, with all your customers connected with (granular) Delegated Admin Privileges then you'll probably need to post in one of the other groups. I imagine best practice is to have at least one Break Glass account for each tenant that would allow access when MFA isn't available. 



Level 1 Contributor

Thank you for taking the time to reply, I'll investigate the requisites for becoming a MS Partner