Managing external identities to enable secure access for partners, customers, and other non-employees
The scenario is a tenant lockout of the only administrator for a specific Entra External ID domain: no other admin can access that External ID domain, and MFA for the primary admin is now broken there. In this situation, self-service fixes in the portal are no longer possible, and the issue must be escalated to Microsoft support for tenant recovery.
The documented pattern for similar cases is:

- If there is another global admin with access to that tenant/domain, that admin can:
  - Sign in to the Azure portal → Microsoft Entra ID → Users → select the affected admin user → Authentication methods → choose Require re-register multifactor authentication so the admin can re-enroll MFA and regain access.
  - This is the standard fix when at least one other global admin exists.
- If there is no other global admin with access to that Entra External ID domain (which matches the described situation):
  - The case is treated as a tenant lockout.
  - Resolution requires opening a support case so Microsoft's Data Protection / Tenant Recovery team can verify ownership and reset the admin's MFA or otherwise restore access.
  - In similar cases, moderators escalate to Data Protection via a support ticket; the Data Protection team then contacts the verified owner (by email or phone) and assists in restoring access to the tenant.
- If the tenant itself is blocked or inaccessible (for example, due to inactivity), the documented guidance is that:
  - A tenant administrator must contact Microsoft support (for example, via the global support phone numbers) to request reactivation or recovery.
  - Administrators are advised not to open multiple concurrent requests for the same issue.
Given that:

- MFA works on the new company-domain sign-in but fails when switching to the External ID domain, and
- No other admin is configured for that External ID domain,

the only supported path is to:

- Use any available admin access (for example, via another tenant or subscription) to open a Microsoft support ticket, or
- Use the published global support phone numbers for Microsoft cloud services,

so that the case can be escalated to the Data Protection / Tenant Recovery team, who can then:

- Verify ownership of the tenant/External ID domain, and
- Reset MFA or otherwise restore administrative access to that External ID domain.
There is no documented self-service method to fix this when the only admin for that External ID domain is locked out by MFA and no alternate admin exists.
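The root cause of the lockout above is a single Global Administrator with a broken MFA registration and no second admin to trigger re-registration. The following Microsoft Graph PowerShell script is an added example (not part of the original answer or of Microsoft's documentation) that a tenant owner can run periodically to catch that condition before it becomes a support case: it counts the user accounts holding the Global Administrator role and lists each one's registered authentication methods. It assumes the Microsoft Graph PowerShell SDK is installed and that `<external-id-tenant-id>` is replaced with the real tenant id; the warning threshold of two admins is a choice made here, not a documented requirement.

```powershell
# Added example: pre-flight check for the single-admin MFA lockout scenario.
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
$TenantId = "<external-id-tenant-id>"   # placeholder: assumed tenant id, replace before use

Connect-MgGraph -TenantId $TenantId -Scopes @(
    "RoleManagement.Read.Directory",
    "Directory.Read.All",
    "UserAuthenticationMethod.Read.All"
)

# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# an empty result means nobody has ever been assigned Global Administrator.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) {
    throw "Global Administrator role is not activated in tenant $TenantId"
}

# Role members can be users, groups or service principals; keep only user objects,
# since those are the accounts whose MFA registration can break.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
$adminUsers = @($members | Where-Object {
    $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user'
})

Write-Host ("Global Administrator user accounts: {0}" -f $adminUsers.Count)

foreach ($u in $adminUsers) {
    $upn = $u.AdditionalProperties.userPrincipalName
    # Every authentication method registered for this admin. A list containing only
    # a password method means MFA is not enrolled for the account at all.
    $methods = Get-MgUserAuthenticationMethod -UserId $u.Id
    $types = @($methods | ForEach-Object {
        $_.AdditionalProperties.'@odata.type' -replace '^#microsoft\.graph\.', ''
    }) -join ', '
    Write-Host ("  {0}: {1}" -f $upn, $types)
}

# Threshold chosen for this example: with fewer than two admin users, a broken MFA
# registration on the remaining account leaves no self-service recovery path.
if ($adminUsers.Count -lt 2) {
    Write-Warning "Only one Global Administrator user in $TenantId. Add a second admin (for example a dedicated break-glass account) so 'Require re-register multifactor authentication' remains available if the primary admin's MFA breaks."
}
```

Run it against each External ID tenant separately, since role assignments and MFA registrations are per tenant and a working admin in the company-domain tenant does nothing for the External ID tenant.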