Microsoft 365 Developer Program sandbox blocked by MFA admin lockout

Hi @Aaditya Sinha

From the details you described, I understand that you have lost access to Microsoft Authenticator app and are now locked out of your sole admin account for your Developer E5 tenant.

First, please note that this forum is not Microsoft Support; it is a community for users to help one another.

As a forum moderator, I’m here to help guide discussions and share insights based on Microsoft documentation and community knowledge. Although I don’t have access to the back-end system to directly reset of MFA your admin account, I’ll do my best to support you with practical steps and point you to the appropriate resources.

In this situation, there are two official paths you can take to regain access to the tenant:

1.Please visit the following page and reach out to phone number via: Customer service phone numbers - Microsoft Support

From what I know, you will need to get past the initial AI system to reach the live support team. You can refer to the guide below for tips on how to get through more easily:

2.If method 1 is not working, please follow this link to create a trial tenant: https://www.microsoft.com/en-us/microsoft-365/business/microsoft-365-business-basic?msockid=3eb6980b5c6860e63a588d0c5d1761d6 - after that you will be able to access to Microsoft 365 Admin Center to raise the ticket

Assuming that you have already created an account after registering a free trial and you can go to Microsoft 365 admin center and click "Help & support" icon to raise your ticket. The agent will be able to create a ticket for you under the affected tenant and then transfer this ticket to Data Protection team who could help you to regain access.     

Please mention that you are raising ticket on behalf of the affected tenant that you do not have access to. The support team will help you to create ticket on the affected tenant then later on the Microsoft Data Protection team will assist you.

Note: This process will take more time than usual (7-14 working days) for your account to get access again as Data Protection is always overwhelmed with the number of tickets. As I am forum moderator, I do not have access to Microsoft internal system to assist or push this process to be quicker.

On the other hand, if you do create the trial and it resolves the issue, please remember to cancel the subscription afterward to avoid any related charges. 

I hope my information is helpful. Please give me any updates once you get this resolved.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".  

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

For a Microsoft 365 Developer Program sandbox where the only Global Administrator is locked out by MFA and no other admin exists, self-service recovery is not possible. The required actions must go through Microsoft support / Data Protection, similar to a tenant lockout in a production tenant.

Use the following approach:

1. Confirm there is truly no alternative sign-in method
   • Ensure there is no second Global Administrator, break-glass account, or other admin with sufficient rights (Global Administrator or Privileged Authentication Administrator) that can:
     • Sign in to https://entra.microsoft.com
     • Go to Users → All users → [your admin account] → Authentication methods
     • Select Require re-register multifactor authentication so the Global Administrator can set up MFA again on next sign-in.
   • If such an account exists, have it perform the above; this immediately resolves the MFA loop for the locked-out admin.
2. If there is no other admin and the only Global Administrator is locked out
   • This is a tenant lockout scenario. Forum moderators and normal support channels cannot directly reset MFA or detach the sandbox from the Developer Program.
   • The resolution pattern in similar cases is escalation to the Microsoft Data Protection / Tenant Recovery team via a support ticket:
     • Call Microsoft 365 business support using the phone number for the region: see Find Microsoft 365 for business support phone numbers by country or region.
     • Clearly state that this is a tenant lockout, that there is only one Global Administrator, and that MFA is enforcing an endless loop after Authenticator was removed and the UPN was changed.
     • Ask specifically for escalation to the Data Protection (or Tenant Recovery) team to:
       • Reset or clear MFA registration for the Global Administrator so it can be re-enrolled, or
       • If they cannot restore access, assist with tenant recovery options as applicable.
   • Based on similar resolved cases, Data Protection will:
     • Verify tenant ownership and admin identity (may require business documentation and back‑and‑forth verification).
     • Once verified, reset MFA for at least one admin account or add an additional authentication method, allowing sign-in again.
3. Handling the Developer Program sandbox attachment
   • The Developer Program FAQ and setup guidance do not provide any self-service option to detach or forcibly expire a locked sandbox from the Developer Program profile.
   • Because of that, the practical path to either:
     • Recover the existing sandbox (preferred), or
     • Free the Developer Program profile to create a new renewable E5 sandbox, is still to restore access to the tenant via Microsoft support / Data Protection as above.
4. Preventing future lockouts in the sandbox Once access is restored:
   • Add at least one additional Global Administrator account with a different MFA method.
   • Create emergency/break-glass admin accounts excluded from restrictive Conditional Access policies, with strong passwords and monitored sign-ins.
   • Configure multiple MFA methods (e.g., Authenticator plus phone or other supported methods) for each admin.
   • For Developer Program sandboxes, set up MFA immediately after creation as recommended, and document recovery options.

Because this is a dev-only tenant with no production data, Data Protection may still require full verification before making any changes, and the process can take several days, as reflected in similar cases.

References:

• Microsoft 365 Developer Program FAQ
• Set up a Microsoft 365 developer sandbox subscription
• Welcome to the Microsoft 365 Developer Program
• Preventing tenant lockouts
• Tenant Lockout: Scenarios & Next Steps
• Mandatory multifactor authentication for Azure and admin portals
• Common problems with two-step verification for a work or school account
• Your sign-in was blocked
• Global Admin Locked out - Microsoft Q&A
• Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
• How Do I Regain Access to My Account After Losing Access to Microsoft Authenticator? (Urgent Request). - Microsoft Q&A
• I need to reset my mfa methods - Microsoft Q&A
• Microsoft authenticator sending me into a spiral - Microsoft Q&A