Forum Discussion

briarcliffar
Occasional Reader
Jun 17, 2026

Sole Admin Locked out of Microsoft tenant -- MFA Error 500121

Sole Admin Locked out of Microsoft 365 Tenant- MFA Error 500121 using OTPKEY

I'm the original administrator of a Microsoft 365 Business Basic tenant for the City of Briarcliff.

Tenant: [email address removed for privacy reasons]

Admin Account:

admin@briarcliffar.onmicrosoft

I can successfully enter the correct password, but MFA verification fails with error code 500121.

I have the original Microsoft 365 setup email showing the admin account

The Microsoft purchase receipt and Order ID.

Access to billing email account

Control of the cityofbriarcliff.gov domain through Cloudflare.

The tenant was never fully configured beyond the initial setup process. I was able to sign in originally and reached the Connect and Configure your domain page but did not complete deployment.

I need assistance with recovery of the sole administrator account and MFA reset for the tenant. I can provide proof of purchase, original setup email, billing information, and proof of control of cityofbriarcliff.gov.

 

1 Reply

  • Sherryberry
    Occasional Reader

    Hey, sorry you're dealing with this, lockouts like this are honestly one of the most stressful tenant situations out there. The good news is it's recoverable.

    Quick context on 500121: it means the MFA step itself is failing, not your password. So usually the registered method is gone or broken somehow, like a wiped phone, the Authenticator app got deleted, or number matching isn't completing.

    Before going down the support route, a couple of quick things worth ruling out. On the sign-in screen, try "I can't use my Microsoft Authenticator app right now" or "Sign in another way" in case there's a fallback method (SMS, call, backup code) still registered that you've forgotten about. I'd also test it in an incognito window or on a different network, since I've seen 500121 turn out to be a temporary policy or cache issue rather than a real lockout.

    If you genuinely are the only Global Admin and have no working second factor, there's no self-service path here (it's intentional, for obvious security reasons), so you'll need Microsoft support to reset MFA on the account. Since you can't sign in to raise a ticket, you'll have to call in. The Microsoft 365 billing/subscription line can route you to the right identity team. When you get through, be specific: "I'm the sole Global Admin, locked out by MFA error 500121, and I need MFA reset on my account." That phrasing tends to get you to the correct queue a lot faster.

    One thing to have ready: they'll verify that you actually own the tenant, so line up your tenant ID, the domain (you may be asked to add a DNS TXT record to prove ownership), and your billing details. If you happened to purchase through a CSP/partner, reach out to them first, they can often sort this out faster than going direct.

    Once you're back in, I'd really recommend setting up a dedicated break-glass global admin account and registering a couple of backup MFA methods on your own account too, so a single lost device can never lock you out again. Happy to share how I usually configure the break-glass account if that'd help.

    Hope you get back in soon, let us know how it goes!
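
An added example, not part of either post above and not Microsoft's own tooling: once access is restored, a Microsoft Graph PowerShell audit like this one flags the single-admin, single-method condition the reply warns about. It assumes the Microsoft.Graph module is installed; the `$MinAdmins` and `$MinMethods` thresholds are assumptions chosen for illustration.

```powershell
# Added example: audit Global Administrator coverage and registered sign-in methods.
# Only active (directly assigned) role members are listed; PIM-eligible
# assignments are not covered by this check.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','UserAuthenticationMethod.Read.All','User.Read.All'

$MinAdmins  = 2   # assumption: the everyday admin plus at least one break-glass account
$MinMethods = 2   # assumption: at least two non-password methods per admin

# Well-known role template ID for Global Administrator.
$templateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $templateId }
if (-not $role) { throw 'Global Administrator role is not activated in this tenant.' }

# Role members can also be groups or service principals; keep users only.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    $user = Get-MgUser -UserId $m.Id -Property 'id,userPrincipalName,accountEnabled'
    # Every account has a password method; it is not a second factor, so skip it.
    $methods = @(Get-MgUserAuthenticationMethod -UserId $m.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
        Where-Object { $_ -ne 'passwordAuthenticationMethod' })
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        MethodCount       = $methods.Count
        Methods           = ($methods -join ', ')
        AtRisk            = ($methods.Count -lt $MinMethods)
    }
}

$report | Sort-Object MethodCount | Format-Table -AutoSize

$enabled = @($report | Where-Object Enabled)
if ($enabled.Count -lt $MinAdmins) {
    Write-Warning "Only $($enabled.Count) enabled Global Administrator(s): one lost device can lock the tenant."
}
$report | Where-Object AtRisk | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) has $($_.MethodCount) non-password method(s) registered."
}
```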