Share via

Locked out of Azure/Entra tenant — MFA error 500121, no working Authenticator

Mario Raposo 0 Reputation points
2026-05-01T18:59:00.5+00:00

I am locked out of my Azure / Microsoft Entra tenant. Account: [Moderator note: personal info removed]@hotmail.com Azure sign-in only offers Microsoft Authenticator push or verification code. Push never arrives, and the 6-digit verification code is rejected with error 500121. I can access parts of portal.azure.com, but Entra Users and Support fail to get tokens. Azure Support Portal gives AADSTS16000: user account from identity provider live.com does not exist in tenant Microsoft Services and cannot access Microsoft_Azure_SupportPortalExtension. I may be the only admin or I do not know the admin account. I need help escalating to Azure Data Protection / Tenant Recovery to reset tenant-side MFA.

Moved from Microsoft Security | Microsoft Authenticator

Microsoft 365 and Office | Subscription, account, billing | For business | Other

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jess-Q 10,410 Reputation points Microsoft External Staff Moderator
    2026-05-02T13:24:41.0533333+00:00

    Hi @Mario Raposo

    Please understand that our forum is a public platform, and we will modify your question to cover your personal information including your organization domain name in the description. Please notice to hide these personal or organization information next time you post error or some information to protect personal data.

    I have moved the information to the Private message if you need to add any more privacy information please add it in there.

    User's image

    Regarding your issue, the error 500121 indicates that the sign-in process is failing at the MFA stage meaning your password is accepted, but the verification through Microsoft Authenticator cannot complete (for example, no push notification is received or the code is rejected). 

    At the same time, the error AADSTS16000 suggests that the account you are using (a personal Microsoft account from live.com) is not recognized in the tenant that the Azure portal is attempting to access. In this situation, the portal may route you to the default “Microsoft Services” tenant, where directory-level actions (such as accessing Entra ID or Support) are not available for your account. 

    For more details, please refer to: AADSTS error codes

    If there is no other Global Administrator available, there is no option to reset MFA or recover access from within the tenant, the best next step would be to contact Microsoft Data Protection team directly for assistance as they have tools and processes in place to verify identity and regain access to administrator accounts.      

    You can find the appropriate customer service phone numbers at this link: Customer service phone numbers.

    Depending on your country or region. For some countries, when calling the support number, although there are about 30 seconds opening as something "you can visit the link...." But you can ignore this opening and wait until the option, then "1" as a business email user, "1" again for technical help. Then you can follow the automated hotline flow to request a support ticket. 

    Please provide the following details to the support team:   

    • Tenant ID  
    • Email address used to sign in  
    • Correlation ID from the login failure  
    • Timestamp of the failure  

    Hopefully it clears thing up and if you have any other questions or need further assistance, feel free to ask.  

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  2. Q&A Assist
    2026-05-01T18:59:11.7833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Tenant-level MFA reset and Data Protection/Tenant Recovery escalation cannot be performed directly. In a tenant lockout scenario where no other global admin can sign in to re-register MFA, the documented path is to open a support ticket and have Microsoft Support/Data Protection handle the recovery.

    From the referenced tenant-lockout case, the resolution was:

    1. Open a support ticket for the affected tenant (Severity A / business down if applicable).
    2. The support engineer engages the Microsoft Data Protection team.
    3. Data Protection contacts the requester (email/phone) to validate ownership and then restores access to the tenant, including resetting MFA as needed.

    Because access to the Azure Support Portal is failing with AADSTS16000 for the current account, use an alternative path to open the support case, for example:

    • Use another work/school account that has access to Azure Support for the same subscription/tenant, if one exists, and clearly state that the primary admin account is locked out due to MFA and that no other global admin is available.
    • If there truly is only one global admin and no other admin account is known, follow the same pattern as the documented Q&A case: request that Support escalate to the Data Protection team for tenant lockout / MFA reset and tenant recovery.

    Once Support/Data Protection completes their process and restores access, sign in and reconfigure MFA methods (for example, add additional methods such as phone or Microsoft Authenticator on a new device) so that a single-device failure does not cause another lockout.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.