Same Day IT


Locked out of Microsoft 365: how you actually get back in

How you get back in depends on one question: are you the only admin, or is there someone above you? Someone above you means a fix today. Top of the tree, and the way back depends on what was set up before this morning.

Last updated 2 July 2026 · by Alien IT Solutions

First, the short version

Almost every Microsoft 365 lockout ends one of two ways. Someone with admin rights resets your password or clears your MFA, and you are back in minutes. Or nobody sits above you, and you fall back on whatever existed before today: backup codes, a second sign-in method, a break glass account. None of those either, and you are into Microsoft's ownership verification, measured in days, not hours.

So first, answer the question. Who administers this account? A boss, an IT provider, a head office? Ring them from any device that works. Then find your lockout below.

Work out which lockout you have

Four causes cover nearly every case. Identify yours before burning more sign-in attempts.

Forgotten password

The classic. Quick if self-service reset was set up beforehand, or if an admin can reset it for you. Painful if neither is true.

New or lost phone with Authenticator

The most common lockout of 2026. Your password is fine, but the codes live on a phone that is gone, wiped, or in a drawer at the old job.

Disabled or compromised account

Sign-in says the account is locked or disabled. An admin switched it off, Microsoft flagged something, or someone else got in first.

The only global admin is locked out

The nightmare tier. Nobody in the business can administer anything, and the only door left is Microsoft's verification process. Slow by design.

The way back, cause by cause

1. Forgotten password

If self-service password reset was turned on before today, use the reset link on the sign-in screen, verify with a registered method, and you are back in minutes. Never turned on? You cannot turn it on now. That is the eternal lesson of account recovery: every rescue has to be built before the disaster, none can be built during it. Without self-service reset, an admin resets your password, a two-minute job.

2. New or lost phone with Microsoft Authenticator

Password managers mostly killed the forgotten password. The phone running Authenticator replaced it as the single point of failure, and it is now the lockout we see most. If you still have the old phone, it only needs Wi-Fi to approve a sign-in, even without a SIM. Use it once, get in, and move Authenticator across properly.

If it is gone, use any other method you registered: backup codes, a code to your mobile number, or a second authenticator on a spare device. A computer where you are still signed in can also be the bridge: an active session may let you update your security methods without the phone. Nothing registered and no session anywhere? Then an admin clears your MFA methods and you register the new phone fresh.

3. Disabled or compromised account

If sign-in says the account is disabled or locked, stop typing passwords: nothing you enter will change it. Either an admin disabled it deliberately or Microsoft flagged something. Ask whoever administers the account which.

If someone else got in and changed your recovery details, treat it as an emergency. An admin needs to reset the password, sign the account out everywhere, then go through what the attacker touched, because intruders leave behind mailbox rules and forwards that keep working after they are gone.
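
For the admin doing that clean-up, a PowerShell check for leftover rules and forwards (an added example, not part of the original guide). It filters objects carrying the same property names as Exchange Online's Get-InboxRule and Get-Mailbox output; the function names and the sample rules are constructed for illustration.

```powershell
# Added example. Property names follow Exchange Online's Get-InboxRule and
# Get-Mailbox output; function names and sample data are constructed.
function Find-RiskyInboxRule {
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        $reasons = @()
        # Rules that send copies elsewhere keep working after a password reset
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) { $reasons += "sends mail to $t" }
        # Rules that delete mail can hide alerts and replies from the mailbox owner
        if ($Rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Why     = $reasons -join '; '
            }
        }
    }
}

function Find-MailboxForward {
    param([Parameter(ValueFromPipeline)] $Mailbox)
    process {
        # Mailbox-level forwarding is set outside inbox rules and needs its own check
        $to = @($Mailbox.ForwardingSmtpAddress, $Mailbox.ForwardingAddress) | Where-Object { $_ }
        if ($to) {
            [pscustomobject]@{
                Mailbox   = $Mailbox.UserPrincipalName
                ForwardTo = $to -join '; '
                KeepsCopy = [bool]$Mailbox.DeliverToMailboxAndForward
            }
        }
    }
}

# Constructed sample: one ordinary rule, one that forwards out and deletes the original
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alex@example.com'; Name = 'Newsletters'; Enabled = $true; DeleteMessage = $false }
    [pscustomobject]@{ MailboxOwnerId = 'alex@example.com'; Name = '.'; Enabled = $true; DeleteMessage = $true
                       ForwardTo = @('"x" [SMTP:someone@external.example]') }
)
$sampleRules | Find-RiskyInboxRule

# Against a live tenant, after Connect-ExchangeOnline:
#   Get-Mailbox -ResultSize Unlimited | Find-MailboxForward
#   Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } | Find-RiskyInboxRule
```

Anything it reports is a candidate for review, not proof of compromise: staff set up legitimate forwards too.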

4. The only global admin is locked out

This is the one that stops companies. If the single account with admin rights over the tenant is unreachable, nobody inside the business can reset anything, and Microsoft cannot simply hand over the keys on a phone call. They have to verify you actually own the business and the tenant first, and that verification is slow and demanding on purpose: a fast door for a stressed caller is a fast door for an attacker.

Expect to prove ownership with real documentation, and expect days, sometimes longer, while mail keeps flowing and nobody can administer it. There is no shortcut, and we will not pretend otherwise. Prevention is the whole game.

The prevention list: do this while you can still sign in

Every item takes minutes and only works if it exists before the lockout. This is the part to act on.

Create a break glass admin

A second account with admin rights, kept only for emergencies. Long random password, tied to nobody's phone, printed and locked away offline. Test it twice a year. It turns the nightmare tier into a five-minute fix.

Register a second MFA method

While signed in, add one more way to verify: your mobile number, or a second authenticator on another device. One method means one phone between you and your business.

Print your backup codes

Generate them, print them, file the paper with the passports. Paper does not get wiped, stolen with the laptop bag, or handed back with the work phone.

Turn on self-service password reset

It only rescues people who registered before the lockout. Turn it on today and have everyone register while their accounts still work.

Stop hanging the business off one phone

If one handset in the ocean means nobody can invoice, that is a bet, not an IT setup. Spread admin access across two people, or one person plus the break glass account.
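
A PowerShell check that turns the list above into findings you can act on (an added example, not part of the original guide). It assumes you have already collected each Global Administrator's sign-in methods into simple objects; the function name, the MethodType field and the sample tenant are constructed for illustration.

```powershell
# Added example. Function name, MethodType field and sample data are constructed.
# Live data can be collected with Microsoft Graph PowerShell: Connect-MgGraph, then
# Get-MgDirectoryRole / Get-MgDirectoryRoleMember for the Global Administrator role
# and Get-MgUserAuthenticationMethod -UserId <upn> for each member.
function Test-AdminResilience {
    param(
        [Parameter(Mandatory)] [object[]] $Admin,   # objects with UserPrincipalName and MethodType
        [string[]] $BreakGlassUpn = @()             # assumption: emergency accounts, password stored offline
    )
    $findings = @()
    if ($Admin.Count -lt 2) {
        $findings += 'Only one Global Administrator: one lockout stops the whole tenant.'
    }
    if (-not ($Admin | Where-Object { $BreakGlassUpn -contains $_.UserPrincipalName })) {
        $findings += 'No break glass account among the Global Administrators.'
    }
    foreach ($a in $Admin) {
        # The break glass account is deliberately tied to nobody's phone, so skip it here
        if ($BreakGlassUpn -contains $a.UserPrincipalName) { continue }
        # A password is not a second factor; count everything else
        $mfa = @($a.MethodType | Where-Object { $_ -and $_ -ne 'password' })
        if ($mfa.Count -lt 2) {
            $findings += "$($a.UserPrincipalName) has $($mfa.Count) MFA method(s); register a second."
        }
    }
    $findings
}

# Constructed sample: a single owner-admin with Authenticator on one phone
$sampleAdmins = @(
    [pscustomobject]@{ UserPrincipalName = 'owner@example.com'; MethodType = @('password', 'microsoftAuthenticator') }
)
Test-AdminResilience -Admin $sampleAdmins -BreakGlassUpn 'breakglass@example.com'
```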

What same-day help fixes, and what only Microsoft can

Straight answer, because you should know before paying anyone. If any admin account is still reachable, a technician working with that admin gets you back in today: passwords reset, MFA cleared, disabled accounts investigated, compromised mailboxes locked down. That covers most lockouts.

If every admin is locked out, be wary of anyone who says they can get you in for a fee. They cannot, any more than a repair shop can crack BitLocker. Only Microsoft can restore access to a tenant with no reachable admin. A technician's honest value there is preparing your ownership evidence properly, keeping the business running around the lockout, and rebuilding the security setup afterwards.

Same lesson as drive encryption: the rescue only counts if it was saved before the disaster. If that stings, read our BitLocker recovery key guide next and check where your key is now, not later.

One locked account is a warning shot

If today cost you a morning, picture the owner's account locked, the owner the only admin, and the phone at the bottom of the harbour. Every business on Microsoft 365 should be able to answer one question instantly: if our main admin vanished today, who signs in tomorrow? Same Day IT is the emergency arm of Alien IT Solutions, 18 years in Sydney business IT. We get you back in where a path exists, we are straight where only Microsoft can act, and we set up the prevention list so one lost phone never stops the company again.

Questions people ask

I lost my phone with Microsoft Authenticator on it. How do I sign in?

Use any other method you registered: backup codes, a code to your mobile number, a second authenticator, or a computer you are still signed in on. If none exist, an admin can clear your MFA methods so you register the new phone fresh. No backup method and no admin above you is the hardest version of this problem.

I can't sign in to Office 365 but my password is right. What's going on?

A correct password that will not get you in usually means an MFA problem: a lost or wiped phone, a changed number, or an authenticator that never moved to the new handset. It can also mean the account is disabled or flagged. The fix runs through another registered method or an admin, not more password attempts.

The only global admin is locked out. Can Microsoft just reset it?

Not on the spot. Microsoft has to verify you own the business and the tenant before restoring admin access, and that process is slow and demanding by design: a fast door for a stressed caller is a fast door for an attacker. Expect documented proof of ownership and days rather than hours.

What is a break glass account?

A spare emergency admin account kept only for lockouts. Long random password, tied to no one person's phone, credentials printed and locked away offline. If the main admin is locked out, gone, or unreachable, you sign in with it and fix things in minutes instead of weeks.

Can an IT technician get my business back into Microsoft 365?

It depends. If any admin account is still reachable, a technician working with that admin can reset passwords, clear MFA and re-enable accounts the same day. If every admin is locked out, only Microsoft can restore access, and the technician's value is preparing the ownership evidence and rebuilding your security setup afterwards.

How do I stop this happening again?

Five things, all doable this week: a second emergency admin account stored offline, two MFA methods on every important account, backup codes printed, self-service password reset turned on before anyone needs it, and nothing hanging off one person's phone. Every one must exist before the lockout.
