Multi-Factor Authentication (MFA)

Learn and ask questions on how to implement MFA

Cellobita
Level 1 Contributor

Locked out from the sole admin account for my tenant

A few months ago I tried enabling MFA for the admin accounts on a few tenants for which I'm the sole IT consultant, and restricting the validation method to the Authenticator app (the reason being that here in Brazil there's a lot of SIM cloning and phone line hijacking, and validation via SMS text messages is risky); however, when changing phones a couple of months later the Authenticator app did not completely migrate the accounts, and I ended up locked out from all of them (eventually I found out that the MFA codes are specific to the enrolling phone hardware).
By accessing my customer's servers via RDP, I managed to disable MFA using stored credentials that were still valid on their respective servers, and didn't think any more of it. However, last week one (and only one) of those tenants, for reasons unknown, reinstated the MFA challenge and locked me out.
On this tenant I have a single admin account (having learned this painful lesson, I have now added emergency admin accounts to all of my other customers), and no access to any MFA validation method; I have tried resetting the password (successfully) but even after that keep being prompted for validation.

Having spent the last two hours on the phone, waiting for the chance to speak to a support engineer (never got one...), I'd like to know if there is a specific procedure for emergency disabling of the admin account's MFA; I'm the contact for the tenant, can produce any documentation to support my claim and legal standing, and both the recovery e-mail and phone numbers are my own (the proof is that I was able to reset the password).

Cellobita
Level 1 Contributor

Thanks, I'll check those links - in the meantime, I've managed to get a reply from MS, let's see what happens

sansbacher
Level 6 Contributor

Hello @Cellobita,

Are these tenants/customers in your Microsoft Partner Center portal? If so, and if you have DAP (and/or soon GDAP) configured: an account in your tenant that has AdminAgent permissions can connect to your customers' tenants and modify Azure AD / O365. So you could disable Conditional Access Policies, disable per-user MFA, reset passwords, or create a new Global Admin in the Customer's tenant. You shouldn't need to log in with a Customer-Tenant specific admin account (though they should be MFA protected of course).
For your own tenant, you should have multiple Global Admins / AdminAgent accounts, with MFA, to different devices (multiple users) in case one person has device issues.
If you're not a Microsoft Partner with Tier 1 or Tier 2 access to the MS Partner Center portal, with all your customers connected with (granular) Delegated Admin Privileges then you'll probably need to post in one of the other groups. I imagine best practice is to have at least one Break Glass account for each tenant that would allow access when MFA isn't available.

--Saul
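A break-glass account that is excluded from MFA and Conditional Access only stays safe if every use of it is noticed. The following is an added example (not code from the thread or from Microsoft) that runs a simple detection over sign-in log records shaped like Microsoft Graph `signIn` objects; the UPN, IP addresses and the sample records are constructed for the example, and the field names used (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`) are assumed to match the Entra ID sign-in log export.

```python
import json

# Constructed sample records shaped like Microsoft Graph 'signIn' objects (assumption:
# the field names userPrincipalName, ipAddress, createdDateTime and status.errorCode,
# as exported from the Entra ID sign-in log). All values are made up for this example.
SAMPLE_SIGNINS_JSON = """[
 {"createdDateTime": "2023-01-10T08:00:00Z", "userPrincipalName": "alice@contoso.example",
  "ipAddress": "203.0.113.10", "appDisplayName": "Office 365", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-01-10T09:15:00Z", "userPrincipalName": "emergency-admin@contoso.example",
  "ipAddress": "203.0.113.10", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}},
 {"createdDateTime": "2023-01-11T02:40:00Z", "userPrincipalName": "emergency-admin@contoso.example",
  "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 50126}},
 {"createdDateTime": "2023-01-11T02:41:00Z", "userPrincipalName": "emergency-admin@contoso.example",
  "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal", "status": {"errorCode": 0}}
]"""

# Hypothetical break-glass UPN and the address its use is expected from (e.g. the office egress IP).
BREAK_GLASS_ACCOUNTS = {"emergency-admin@contoso.example"}
EXPECTED_IPS = {"203.0.113.10"}


def break_glass_alerts(signins, break_glass=BREAK_GLASS_ACCOUNTS, expected_ips=EXPECTED_IPS):
    """Return one alert per sign-in event that involves a break-glass account.

    Every use of a break-glass account deserves a ticket; a successful sign-in from an
    address the account is never expected to use is treated as critical, and failed
    attempts are surfaced too, since they show someone is probing the account.
    """
    alerts = []
    for s in signins:
        upn = s.get("userPrincipalName", "").lower()
        if upn not in break_glass:
            continue
        ip = s.get("ipAddress", "")
        succeeded = s.get("status", {}).get("errorCode", 0) == 0
        if not succeeded:
            severity, reason = "medium", "failed sign-in attempt against break-glass account"
        elif ip in expected_ips:
            severity, reason = "high", "break-glass account used from an expected address"
        else:
            severity, reason = "critical", "break-glass account used from an unexpected address"
        alerts.append({"time": s.get("createdDateTime"), "upn": upn, "ip": ip,
                       "severity": severity, "reason": reason})
    return alerts


def alerts_from_json(text):
    """Parse a JSON array of sign-in records and run the detection over it."""
    return break_glass_alerts(json.loads(text))


if __name__ == "__main__":
    for a in alerts_from_json(SAMPLE_SIGNINS_JSON):
        print(f"{a['severity'].upper():8} {a['time']} {a['upn']} from {a['ip']}: {a['reason']}")
```

In practice the same logic would be fed from the sign-in log export or a SIEM query, with the alert routed to someone other than the person holding the break-glass credentials.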

Cellobita
Level 1 Contributor

Thank you for taking the time to reply, I'll investigate the requisites for becoming an MS Partner.