Only Global Admin Account Locked in MFA Registration Loop (AADSTS50072)

The account is in an MFA lockout loop with only one Global Administrator on the tenant. This scenario must be handled by Microsoft’s Data Protection team; it cannot be resolved directly from the sign-in page.

Use the following path based on the documented and Q&A-supported guidance:

1. Since there is no other Global Admin who can reset MFA:
   • This matches the “only global admin on the account” / “tenant lockout” scenarios described in the Partner Center and Microsoft Q&A guidance.
2. Contact Microsoft support and ask specifically for the Data Protection / Tenant Recovery (or Microsoft 365 Data Protection) team:
   • Call the appropriate regional support number listed under Customer service phone numbers - Microsoft Support or Get support - Microsoft 365 admin.
   • When prompted by the automated system, clearly indicate that the issue is with Authenticator / MFA and that this is an Office 365 for business / Microsoft 365 for business administrator account.
   • When asked:
     • Product: Office 365 / Microsoft 365 for business.
     • Account type: Company (not education, if that’s correct for the tenant).
     • Role: Administrator.
     • Other admins available: No.
     • Confirm that the tenant’s only Global Admin is locked out due to MFA and cannot complete sign-in.
   • Request that a service request be opened and escalated to the Data Protection team for tenant recovery and MFA reset.
3. Data Protection team process (per documented guidance and Q&A examples):
   • The Data Protection team has tools and processes to:
     • Verify identity and ownership of the tenant.
     • Regain access to the administrator account.
     • Reset or clear MFA registrations so that the Global Admin can sign in again and re-register MFA methods.
   • Be prepared to provide:
     • The tenant domain.
     • The Global Admin UPN.
     • Business and subscription details, and any requested proof of ownership.
4. If the tenant is managed through a partner or reseller:
   • If the subscription is from a Cloud Solution Provider or other reseller and the Global Admin cannot open a service request:
     • Ask the partner/reseller’s support to open a Microsoft support ticket on behalf of the tenant and request Data Protection team involvement.
5. Optional fallback if direct support access is difficult:
   • As described in the Q&A guidance, one possible workaround (if needed) is to:
     • Create a new trial Microsoft 365 tenant purely to gain access to the Microsoft 365 Admin Center.
     • From that new tenant, open a support ticket explaining that the real issue is a lockout from a different existing tenant where the caller is the only Global Admin.
     • Provide the locked tenant’s domain, admin UPN, and error details (e.g., AADSTS50072, MFA loop, SMS verification failure).
     • Ask support to route the case to the Data Protection team for the locked tenant.
     • After resolution, cancel the trial to avoid charges.

Once Data Protection has reset MFA for the Global Admin, sign-in should proceed and will prompt to re-register MFA methods (for example, Microsoft Authenticator, SMS, or more secure options like passkeys or certificate-based authentication, as recommended in the mandatory MFA FAQ).

References:

• Troubleshoot sign-in issues and account access problems
• Mandatory multifactor authentication for Azure and admin portals
• I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
• Microsoft authenticator sending me into a spiral - Microsoft Q&A
• Global Admin Locked out - Microsoft Q&A
• A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
• Use a screen reader to set up and troubleshoot multifactor authentication
• Common problems with two-step verification for a work or school account