Share via

Microsoft Authenticator Issue – Error Code 500121

Samuel 0 Reputation points
2026-05-14T22:51:43.5666667+00:00

Hello,

I have been locked out of my Microsoft 365 Administrator account right after changing the domain of the email address of the account. I am able to login in with an email and password and I am given a verification code, but the code does not show in the authenticator app. I am only given two options to verify my identity: "Approve a request on my Microsoft Authenticator app" and "Use a verification code." Like previously mentioned, the "Use a verification code" does not work. The former method displays a 500121 error code and does not allow me to go further. I am able to verify through secondary email to login and possibly reset the account in the authenticator app, but I am not given that option. Any help would be greatly appreciated and thanks for your time.

Best regards

Microsoft 365 and Office | Subscription, account, billing | For business | Windows
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sophie N 14,865 Reputation points Microsoft External Staff Moderator
    2026-05-15T00:10:38.7333333+00:00

    Dear @Samuel,

    I understand how frustrating it is to be locked out of your administrator account after a domain change. This issue typically occurs because the Microsoft Authenticator app is still associated with your old UPN (User Principal Name), creating a mismatch that triggers the Error Code 500121 (Authentication Failed).

    To resolve this issue, please follow these steps:

    Step 1: Clear Local Cache and Re-add the Account

    Since your email address changed, the app is likely trying to authenticate using the old credentials.

    • Open the Microsoft Authenticator app.
    • Select your account and choose Remove Account.
    • Close the app completely and clear the app cache (if on Android).
    • Log in to the My Sign-ins page using a browser (preferably in Incognito/InPrivate mode).
    • Select Add method > Authenticator app and follow the prompts to scan the new QR code.

    Step 2: Use the "I can't use my Microsoft Authenticator app right now" Link

    When prompted for the code, look for the link at the bottom of the sign-in box.

    • Click "I can't use my Microsoft Authenticator app right now" or "Sign in another way."
    • If you have a mobile number or secondary email registered, you should be able to receive a text or call to bypass the app requirement temporarily.

    If you are an Administrator and cannot access the 'Sign in another way' options, and your organization has other administrators, you can ask them to reset your MFA settings:

    • They should go to the Microsoft Entra admin center (formerly Azure AD).
    • Navigate to Users > All Users > Select your name.
    • Click Authentication methods > Require re-register multifactor authentication.
    • This will force the system to prompt you for a new setup the next time you log in.

    For more details, kindly refer to Manage authentication methods for Microsoft Entra multifactor authentication - Microsoft Entra ID |…

    If you are the sole administrator and cannot access your account via any other method, you must contact the Microsoft Data Protection team via phone. For security reasons, they are the only ones who can manually reset MFA for a "lone" admin account. You can find the local support number for your region here: Customer service phone numbers - Microsoft Support

    Please note that forum moderators have no control over user accounts, especially when it comes to logging in to your account, resetting your password, changing your access, etc   

    Here are some tips and an example of a prompt to help you navigate the IVR more effectively:   

    (When you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)     

    In some regions, the initial interaction may be automated, so here’s a general idea of how the conversation might go to help you prepare:       

    What kind of problem are you experiencing?          

    Answer: Authenticator          

    What products do you use?          

    Answer: Office 365 for business          

    Is this for an education or company account?          

    Answer: For companies          

    Are you an administrator?          

    Answer: Yes          

    Are there any other administrators in your organization?          

    Answer: No. I am the only admin in my tenant           

    Do you need a... Service request?           

    Answer: Yes. I need to create a ticket. Please send me direct to the Data Protection Teams.       

    During the phone call, you will need to provide the information associated with your subscription, such as your company name, billing details, phone number, and an alternate email address, etc. This information allows the Data Protection team to verify your identity and securely assist you in regaining access to your administrator account.     

    I hope this information helps you take the right steps to regain access to your account. If you have any updates or additional details, please feel free to leave a comment under this post. I’ll be happy to assist further within my scope.  

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments
  2. Q&A Assist
    2026-05-14T22:52:00.1633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Error 500121 and the looping between “Approve a request on my Microsoft Authenticator app” and “Use a verification code” indicate that the current MFA methods on the account are either misconfigured or blocked, and there is no usable fallback method exposed at sign‑in.

    Because this is a Microsoft 365 administrator account, recovery depends on whether there is another global administrator in the tenant.

    1. If there is another global administrator Have another global admin reset the MFA registration for this admin account so it can be set up again from scratch:
      1. The other admin signs in to the Azure/Microsoft Entra admin portal.
      2. Go to Microsoft Entra ID → Users → All users.
      3. Select the locked‑out admin account.
      4. Open Authentication methods.
      5. Select Require re-register multifactor authentication.
      6. Sign out and sign in again with the affected admin account; it will be prompted to register MFA again (scan QR code in Microsoft Authenticator, confirm sign‑in, etc.).
      This clears the old Authenticator binding (which is failing with 500121 and not showing codes) and lets the account enroll a fresh app instance and/or additional methods.
    2. If there is no other global administrator (only one admin on the tenant) In this case, self‑service recovery is not possible; Microsoft’s Data Protection / Tenant Recovery process must be used to regain access:
      1. Call Microsoft’s global customer service and support number for business accounts using the phone list in Customer service phone numbers - Microsoft Support.
      2. When navigating the IVR/agent, clearly state:
        • The issue is with Microsoft Authenticator / MFA.
        • The product is Office 365 / Microsoft 365 for business.
        • It is a company (work) account, not education or personal.
        • The caller is the only global administrator and is locked out due to MFA.
        • A Data Protection / Tenant Recovery case is needed to reset MFA for the tenant admin.
      3. Work with the Data Protection team to verify identity and ownership of the tenant; they can then reset the MFA methods on the admin account so new methods (including a fresh Authenticator registration) can be configured.
      If reaching support by phone is difficult, an alternative is to create a temporary trial tenant and open a support ticket from there, explicitly explaining that the ticket is for MFA reset on a different, existing tenant where the only global admin is locked out. This is described in detail in the referenced Q&A threads and is a supported workaround when direct access to the original tenant is lost.
    3. For end users (non‑admins) in an organization If this were a standard user account (not the only admin), the correct path would be to contact the organization’s Microsoft 365/Entra administrator and ask them to perform the same Require re-register multifactor authentication action on the user account, then re‑enroll the Authenticator app at next sign‑in.
    4. General notes
      • Repeated failed MFA attempts or unusual activity can cause temporary blocks; avoid repeated retries in quick succession. If a block is suspected, waiting and/or trying a different network can help, but in this case the core issue is the unusable MFA configuration on an admin account, which must be reset by another admin or by Microsoft support.
      • Once access is restored, configure multiple MFA methods (Authenticator, SMS, alternate email, etc.) and, for admin accounts, consider having at least two global admins to avoid single‑admin lockout scenarios.

    References:

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.