Posted on January 4, 2023 by Tony Redmond
Moving to a New Mobile Phone Means New Codes for the Microsoft Authenticator App
Moving to a new mobile device always involves a certain amount of hassle. The advent of mobile authenticator apps makes the move a little harder, especially when guest accounts on other tenants are involved.
In my case, I moved from an oldish iPhone 11 to a new iPhone 14. I was very happy with the 11 and used it since 2019. However, its battery showed signs of age and I fancied a change, which is all the reason I needed to get the 14.
Moving apps from an old iPhone to a new device is very easy. Minor hassles like making Outlook the default mail app for iOS and adding Teams to the pinned app list are easily overcome. It’s all the messing around with app passwords and authentication that causes the hassle.
Which brings me to the Microsoft Authenticator app. I am a strong proponent of multi-factor authentication and use the authenticator app to protect my Microsoft 365 and other accounts, including services like GitHub and Twitter. The app has a backup and recovery capability that I used to restore details of the accounts I use with authenticator. Unhappily (as noted in the support article), “Only your personal and non-Microsoft account credentials are stored, which includes your username and the account verification code that’s required to prove your identity.”
MFA Responses by Microsoft Authenticator App Need Device-Specific Credentials
For Microsoft school or work (Azure AD) accounts, the article explains that accounts that use push notifications (like MFA challenges) need additional verification to recover information. Push notifications require using a credential tied to a specific device. To restore accounts protected by MFA using the authenticator app on the new phone, this means that “you must scan a QR code given to you by your account provider.”
The key to getting a new QR code for your Azure AD account is the Security info section of the My account page. After signing into your account, this section displays the sign-in methods used to access your Azure AD account (Figure 1). This is the same kind of information that’s available when examining authentication methods for Azure AD accounts with the Microsoft Graph PowerShell SDK.
Note: If a user can’t access the My account page because they don’t have access to their old phone and therefore cannot respond to an MFA challenge, an administrator can temporarily downgrade the MFA requirement to SMS to allow the user to sign in and access the page.
Adding a QR Code for a New Device
Remember that the credential used by the Microsoft Authenticator app to respond to MFA challenges is device-specific. To generate a new QR code, click Add sign-in method and select Authenticator app from the list of options. You’ll then be told that you need to install the app, which is fine because it’s already on the device. Click Next to start the setup process and click Next again to see a new QR code for the app (Figure 2).
You can scan the code using Authenticator and once this happens, the connection between account, app, and credential works. The process includes a verification step to prove that the Authenticator app can use the credential.
After setting up Authenticator for a new device, you’ll have multiple Microsoft Authenticator entries in your sign-in methods list (one per device). It’s perfectly safe to remove the entries for devices that you no longer use.
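The same sign-in method information that the Security info page shows for one account can be pulled for every account with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the article: it lists each user's Microsoft Authenticator registrations (one per device), flags entries older than a threshold, and, when run with -Remove, deletes the stale ones while always leaving the user at least one registration. The cmdlets are real SDK cmdlets; the 180-day threshold is an illustrative value, and the script assumes the caller holds a role (such as Authentication Administrator) that is permitted to read and remove authentication methods.

```powershell
# Added example (not from the article): report Microsoft Authenticator registrations
# per Azure AD account and optionally remove stale device entries.
# Requires the Microsoft Graph PowerShell SDK. The 180-day threshold is illustrative.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$StaleDays = 180,
    [switch]$Remove
)

# ReadWrite scope is only exercised when -Remove is given
Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

$cutoff = (Get-Date).AddDays(-$StaleDays)
$report = [System.Collections.Generic.List[object]]::new()

$users = Get-MgUser -All -Property Id, UserPrincipalName

foreach ($user in $users) {
    # One object per registered Authenticator device; empty if the user has none
    $methods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -ErrorAction SilentlyContinue
    foreach ($m in $methods) {
        $isStale = ($null -ne $m.CreatedDateTime) -and ($m.CreatedDateTime -lt $cutoff)
        $report.Add([PSCustomObject]@{
            UserId     = $user.Id
            User       = $user.UserPrincipalName
            Device     = $m.DisplayName
            DeviceTag  = $m.DeviceTag
            AppVersion = $m.PhoneAppVersion
            Registered = $m.CreatedDateTime
            Stale      = $isStale
            MethodId   = $m.Id
        })
    }
}

$report | Sort-Object User, Registered |
    Format-Table User, Device, AppVersion, Registered, Stale -AutoSize

if ($Remove) {
    foreach ($group in ($report | Group-Object UserId)) {
        $stale = @($group.Group | Where-Object Stale)
        # Never strip a user's last registration, or they lose the ability to answer MFA
        if ($stale.Count -eq 0 -or $stale.Count -ge $group.Count) { continue }
        foreach ($entry in $stale) {
            if ($PSCmdlet.ShouldProcess("$($entry.User) / $($entry.Device)", 'Remove Authenticator registration')) {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
                    -UserId $entry.UserId `
                    -MicrosoftAuthenticatorAuthenticationMethodId $entry.MethodId
            }
        }
    }
}
```

Run it without -Remove first to review the report; with -Remove -WhatIf it prints which entries would be deleted without touching anything. Registration age is a weak proxy for "no longer used", so treat the flagged rows as candidates to confirm with the user, not as an automatic clean-up list.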
Adding a QR Code for a Guest Account
Everything works very nicely for a full tenant account. Generating a QR code to allow Authenticator to satisfy MFA challenges for a guest account is a little more complicated. I have guest accounts in multiple Microsoft 365 organizations, mostly because I am a guest member of Teams in those organizations. Let’s assume that you see that a guest account shows up in Authenticator flagged with “Action required” (Figure 3). This means that Authenticator can’t satisfy challenges for this account because it doesn’t have the necessary credentials.
To secure the credentials for the account, the trick is to use the option to switch organizations via the icon in the top right-hand corner of the My Account page. This reveals the set of organizations that your account belongs to, starting with your account in the home tenant and then listing the organizations (aka host tenants) where you have a guest account (Figure 4).
Switching to another organization uses your account (the guest account in this case) to sign into that organization. You can then use the Security Info page to go through the same steps to generate a new QR code and add it to the entry for the guest account in the Authenticator app. The Authenticator app should now be able to satisfy MFA challenges for the guest account when signing into the target organization.
Microsoft Authenticator App Restored to Good Health
Moving to a new iPhone isn’t something people do every day and it’s easy to forget how to renew credentials in different services. Getting new QR codes for the Authenticator app is in that category. Fortunately, the process isn’t quite as painful as I first anticipated after restoring the backup to my new phone and everything is now working as expected.
PS. If you use the Authenticator app on an Apple Watch, remember that from January 2023, the Authenticator app no longer supports WatchOS. Microsoft says that WatchOS is “incompatible with Authenticator security features.” I read that to mean that some of the changes Microsoft made recently to harden Authenticator against MFA fatigue like number matching and additional context just don’t work in the constrained real estate available for watch devices.
You saved me with the insight on how to use guest access – what a stupid small button to hide away for something so crucial…