Microsoft Tech Community
Cloud backup and recovery for the Microsoft Authenticator app on Android now available
Published Sep 12 2019 09:00 AM 72.5K Views

Howdy folks,

 

I’m excited to announce that cloud backup and recovery for the Microsoft Authenticator app on Android is now available. This means Android users can now back up their account credentials to the cloud, and then easily and securely transfer them to a new device when needed.

 

Try it out!

If you don’t have the Microsoft Authenticator app yet, see Use Microsoft Authenticator with Office 365 for information on how to download and set up the app. Over the last few weeks, we’ve been rolling out the feature and it’s now 100% available for version 6.6.0+. Once you update your app, you can test the new feature out.

 

Turn on backup

To turn on the Microsoft Authenticator cloud backup, open the app and go to Settings. Under Backup, set the Cloud backup toggle to On.

 


 

Once you turn cloud backup on, your data is encrypted and stored with your personal Microsoft account. Your account credentials stay updated when you add, delete, or edit your accounts.

 

Recovery on a new device

To recover your account credentials on a new device, tap the Begin Recovery button and sign in using the same personal Microsoft account as your previous device.



 

After you sign in, your OATH verification codes for your third-party accounts and personal Microsoft accounts are available. You can also re-enable push notifications for your personal and work or school Microsoft accounts.

 

If you have additional questions, check out our Microsoft Authenticator docs.

 

Test this feature out! We always love to hear your feedback and suggestions. Let us know what you think in the comments below.

 

Best regards,

Alex Simons (@Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

 

61 Comments
Steel Contributor

Awesome! Can you explain a little more on how the backup is secured? For example, if someone can login using your Microsoft (Personal) Account, will they be able to get the backup restored to any device they want?

 

Also, what are the plans to enable backup to Microsoft Work Account (that is Office 365/Azure AD account), even though I realize this can present a catch 22 scenario.

 

Any plans to have these settings managed using Intune App Protection Policies so we can enforce settings, for example disable/enable this feature including "App Lock"?

Microsoft

Hi @Jonas Back, the backup is secured with your personal Microsoft account credentials. So yes, if someone can login to your account, and also successfully complete two step verification for your account, they can restore your backup on any device.

 

Right now, there aren't immediate plans to enable backup for Microsoft work accounts, because we need a mechanism for admins to turn cloud backup off. However, we are currently working on a mechanism to allow admins to enforce other settings, like "App Lock". Admins won't be able to enforce settings through App Protection Policies. When we did the investigation, we found it didn't make sense to go that route, because some of the Intune App Protection Policies conflicted with Authenticator. For example, through APP, you could require MFA to open an app, but Authenticator is your mechanism for MFA, and so you get into a chicken-and-egg scenario. Instead, there will be a way to apply settings specifically to control the behavior of Authenticator.

Brass Contributor

Great feature. I was hoping for this feature for so long. Thank you for delivering this 

Copper Contributor

@Olena Huang thank you for the detailed response. Really well summarised and I only wish that more feedback like yours (level of detail) is provided when launching new features and capabilities. Great content. Thanks again.

Brass Contributor

How could I choose with which account I want to back up my settings to the cloud?

Microsoft

@mozilla0 If you have multiple personal Microsoft accounts added to the app, when you enable backup, you'll be prompted to choose one of them to save your backup to.

Steel Contributor

@Olena Huang Thanks for the clarification. I don't mind backing up to personal Microsoft Account (or iCloud for that matter on iOS) but I suspect some security-minded customers would want to force users to backup to their OneDrive for Business or simply blocking this feature completely since we can't force nor make sure the user's personal Microsoft Account/iCloud is secured properly.

Microsoft

@Jonas Back thanks for your feedback. Going forward, we probably will keep the backup tied to the personal Microsoft account. End users shouldn't have to back up all their personal accounts to OneDrive for Business, as we make the promise that their admin won't get access to their personal credentials. However, for security minded customers, we definitely want to give the option to block the feature completely for work/school accounts, if they don't feel the user's personal Microsoft account/iCloud aren't properly secured.

Copper Contributor

@Olena Huang Where is the Microsoft Authenticator data stored, and how can I access it? I would like to make a local backup on a USB drive, to be double safe.

 

Best Regards

Piotr Burzała

Microsoft

@CthulhuTactical the backup is stored with Microsoft on Android. (On iOS, it's stored with iCloud). Because of security reasons, it's not accessible anywhere except the Microsoft Authenticator app, so you can't make a local backup to a usb drive at this time. Thanks for the feedback.

Copper Contributor

@Olena Huang Thanks. Well that's a bummer, but I'm still going to use the app, since unlike the Google Authenticator this one is still updated. I hope Microsoft database security is as good and refined as their Windows product :).

 

Best Regards

Piotr Burzała

Copper Contributor

Hello @Alex Simons (AZURE) , how are you ? :)

 

 

I did the test below and it didn't work for this use case (iPhone full restore from iCloud). Maybe we will have the same case using Android (I'm still testing). The restore is only working if I delete the app and reinstall in the same device or moving between devices, but not when I perform a full iPhone restore in the same iPhone.

 

iOS 13.2.2 / iPhone 11

 

steps:

1) installed Microsoft Authenticator app

2) setup personal account (@hotmail.com)

3) added 2 records (facebook and google)

4) performed backup to iCloud using backup feature of Microsoft authenticator app

5) performed iPhone backup using iOS iCloud feature

6) reinstall iPhone using iCloud backup

 

After the restore, I tried to follow the "Begin Recovery" procedures of Microsoft authenticator app, but I received the message that I don't have a backup available in my iCloud. But I have the backup.

 

Any ideas ?

 

Regards,

 

Weber Ress

 

Microsoft

Hi Weber Ress,

 

I'm not sure what the issue might be, just from reading your description. Feel free to reach out to me on twitter if you'd like to debug more.

 

Thanks

Olena

Copper Contributor

@Olena Huang just lost my iOS backup as well. Double checked before resetting my iPhone X that Authenticator was backing up to iCloud - did the reset and now get "There is no backup stored in your iCloud account" when clicking "Begin recovery" - I'm devastated :sad:! Any troubleshooting appreciated. Have given you a follow on Twitter. Thanks!

Brass Contributor

Having just been through a phone upgrade, I can tell you that this was a GIANT pain. I have 14 Office 365 accounts and a personal MS account setup in Authenticator and it took me at least two hours to get them all back up and running, and it would have taken even longer if I hadn't still had the old phone. The personal MS account restored from backup, and the Office 365 accounts still all needed to be reshown QR codes, which meant logging into the account, etc. People change phones, they do it a lot, and it needs to be easier than this.

Microsoft

Hi @solmssen , sorry for your trouble. We currently don't back up the O365 accounts because we want to let admins decide if the end user is allowed to back up the account. We are working on giving admins the capability to manage the app right now. Once we have that, we can turn on backup for O365 accounts.

Microsoft

@Stefan, so sorry that you had that happen. How long did you wait in between turning on backup and trying to recover on the device? Perhaps the window of time was short and the backup hadn't uploaded to the cloud yet. Feel free to message me privately on twitter if you want to debug more.

Steel Contributor

@Olena Huang Could you clarify what you mean with that you don’t backup Office 365 Accounts? 

 

I have around 40 Office 365 (Azure AD) accounts in my iOS Authenticator (different customers, different tenants) and soon switching phone. Are you saying these accounts will not be restored when I switch to the new phone?

Brass Contributor

@Jonas Back Yep, not real backup. If you have a personal Microsoft account set for backup, what you’ll get is the personal account will come back, and the list of your Azure AD accounts will come back but each one won’t work until you show it a QR code from the MFA set up screen on that account. I just did it with 14 accounts, I don’t envy your 40. 

Steel Contributor

@solmssen so if they can’t be used for login, how do you login for each tenant? MFA using OTP via SMS/text message instead? And then go to aka.ms/mfasetup and enroll again which will get you the QR code?

Brass Contributor

@Jonas Back in my case I still had the old phone so for each account I could go to the aka.ms/mfasetup, approve login on the old phone, add a new app, show the QR code to the app on the new phone which activates that app, and then delete the old phone. If I didn't have the old phone, I'd have to wait for the MFA Authenticator push to time out, then send code to new phone via SMS, then do the rest. Each one took about 3-4 minutes between all the approvals and changes, etc. The only thing the "backup" buys you is there is at least the unactivated stub for each account still listed on the new phone so you can just work through the list instead of having to go through add account, work/school, etc.

 

In my case, it was enough to make me rethink Authenticator. I know we're all supposed to use apps to avoid sim-jacking, but if I have to leave the backup SMS method enabled anyway because if I lose the phone, I can't restore from backup and login without a backup method enabled, then why even bother with the app? It's nice to not have to type in codes, but I bet I used all the time I saved redoing all the accounts for the app.

Microsoft

@Jonas Back , yes, the O365 account credential is not backed up. Instead, we backup a placeholder to make it easier for the end user to recover on their new device. 

Brass Contributor

I thought I posted this, but yes, @Jonas Back  they restore a stub or placeholder entry, and that needs to be shown a new QR code to function. So you have to login to each account and add the new phone, then delete the old one. If you don't have the old phone, you have to use a backup method to approve login, presumably SMS to the number that is now on the new phone. The whole thing takes a few minutes per account.

 

The process is enough to make me rethink the usefulness of Authenticator. In general, I find it confuses my less-skilled users, who are used to SMS codes but the app is a little hard for them. Some of them have trouble multitasking on the phone (new iOS swipe stuff isn't obvious to them) to approve the login while setting up accounts. And if I have to keep a backup SMS method around in case I lose the phone, I'm not sure how Authenticator improves security, since I'm still vulnerable to SIM-jacking. It's nice not to have to type a code every time I login, but I'm sure that I used all the time I saved and more rebuilding 14 Authenticator accounts after changing phones, and you have 40!

 

I'll add that the MFA setup flow is not good - it adds a generally unneeded default App Password, and I have to go out and come back to aka.ms/mfasetup to delete that and add the Authenticator, it can't be done as part of the initial flow.

 

PS: sorry for duplicated content. I thought I posted above, but it hadn't shown up yet when I typed this.

Brass Contributor

Very nice update, now I don't have to use other software to have my Authenticator Codes backed up.

Copper Contributor

Hi, this sounds like a great feature. I am thinking of moving off Google precisely because you can't backup and recover codes there. But am I reading this right, that we can backup and recover our codes only on like device types? I cannot be the only one to have both Android and iOS devices. My phone is Android and my wife's is iOS (not to mention my iPad and work iPhone), and I'd like to have one consolidated setup so we both have all the codes in one place. This seems like a fairly typical situation. Do you have any suggestions for our situation? Thanks.

Microsoft

@GBisaga , thanks for your feedback. We hear you. Unfortunately, at this time, there's no way to do a backup and recovery across platforms. We'll definitely consider adding this functionality in the future.

Copper Contributor

Thanks Olena. This would be a huge feature. So far, Authenticator is actually one of my favorite Microsoft applications, and not being able to share backup/recovery is a major pain point. So if you get anything done on that, that would be such a killer feature.

Brass Contributor

After recovering to my new account, it is asking for the QR code on about half a dozen accounts.

Poorly executed feature if I need to do everything manually.

Microsoft

Hi @kevisee , sorry for the difficulty. Due to security reasons, we don't backup any work or school Microsoft accounts. But thank you for the feedback.

Microsoft

I have a question around 3rd party apps?

 

We're providing the process here for your Facebook, Google, GitHub, and Amazon accounts, but this process is the same for any other app, such as Instagram, Netflix, or Adobe.

 

The key here is ‘ANY OTHER APP’

 

How do I add this functionality into my 3rd party app that doesn’t use Microsoft accounts?

Microsoft

@k-mack The process is similar for any 3rd party account you want to add. You need to go to the account's security settings, turn on MFA, and choose to add an Authenticator app. Hope this helps.

Copper Contributor

Have the restore issues been fixed yet? I was so happy when I saw there was a backup to iCloud option. Now when I changed phones I:

1. Opened Microsoft Authenticator

2. Clicked on "Begin Recovery"

Was IMMEDIATELY given the error message: "There is no backup stored in your iCloud account. Make sure that you're signed in to the same iCloud account you used to create a backup."

Since it forced me to use my outlook.com email address to back it up how on earth do I add that "iCloud account"???
I tried readding my outlook.com account to it but then the "Begin recovery" option disappears.

I had moved 30 accounts to the authenticator app because it could back them up and will not be happy if they are all gone.

Microsoft

Hi @Stuart Riesen Did you have backup enabled on your old device? You need to go to the Authenticator settings page and enable it. Are you signed in to the same iCloud account on your new device as your old?

Copper Contributor

Hi @Olena Huang I had backup enabled under Authenticator settings. It showed it was being backed up to my outlook.com account (like that's not confusing as hell). I am signed into the same iCloud account and it's not a new device, it was just a restore to get some personal data back on the same phone.

Iron Contributor

How do I change the Recovery Account used for the backup?

 

My app has latched on to my work email address for 'Recovery Account' but I have all my personal accounts in the app.  I want to change where my backup is held to be my own 'personal' Microsoft account but there doesn't seem to be any way to change it.

Copper Contributor

Hi,

 

I followed the same procedure as another user above. That is:

 

1) installed Microsoft Authenticator app

2) setup personal account (@hotmail.com)

3) added all my private and work related records (10-15 perhaps)

4) performed backup to iCloud using backup feature of Microsoft authenticator app

5) performed iPhone backup using iOS iCloud feature

6) changed phone and reinstall iPhone using iCloud backup

 

And now I get "there is no backup stored in your iCloud account". I know one should have my QR-backup-codes for everything. But who needs that when you have backup in MS Authenticator, right?! Now I'm locked out from most of my accounts.

 

And yes, I am logged in on the same iCloud account on the new phone. And the old one is no longer accessible.

 

How can this be? And what can I do?

Copper Contributor

@Olean Huang I think you are missing the point made by @soallsmen. The person was referring to "migration" not "backup/restore". If Microsoft is not able to reconcile stepping on its own toes with its own products, fine it's the status quo as far as I'm concerned, but we do ask you think outside of the box and your own choices. Backup/Restore and its constraints are NOT A SUITABLE MIGRATION SOLUTION! Think how to solve that problem for the Billions of users who change phones every 12/24 month cycles. Compared with Google Authenticator (GA) your solution sucks (coming from an IT/Microsoft professional). I migrated my GA account in three steps; 1) Go to settings. 2) Select "transfer accounts". 3) Scan the QR code generated by the GA app on the old phone with the GA app on the new phone. DONE! Run us through your solution for achieving the same again?

Copper Contributor

@Olena Huang I think you are missing the point made by @sollmsen. The person was referring to "migration" not "backup/restore". If Microsoft is not able to reconcile stepping on its own toes with its own products, fine it's the status quo as far as I'm concerned, but we do ask you think outside of the box and your own choices. Backup/Restore and its constraints are NOT A SUITABLE MIGRATION SOLUTION! Think how to solve that problem for the Billions of users who change phones every 12/24 month cycles. Compared with Google Authenticator (GA) your solution sucks (coming from an IT/Microsoft professional). I migrated my GA account in three steps; 1) Go to settings. 2) Select "transfer accounts". 3) Scan the QR code generated by the GA app on the old phone with the GA app on the new phone. DONE! Run us through your solution for achieving the same again?

P.S. this board doesn't even have a post edit function to allow to edit typos post publishing. Much to improve @Pernille-Eskebo

Copper Contributor

I spent a day to move all my accounts from Authy on my iPhone, and then found out that Android and iOS backups are separate... Guess I need to spend another day to redo all the 2FA by scanning with both Android and iPhone at the same time.

Copper Contributor

Hi,

 

I have a question about this which I’m not sure has been answered. I have a single Microsoft account which I have set up 2FA for within Authenticator. Now, if I also use this account as the recovery account, what would happen if I lose my phone? How would I be able to recover the account if I can no longer sign in using 2FA? In this case am I supposed to have a separate Microsoft account to recover from?

Copper Contributor

Hi,

 

Is there any update on the plans to backup the OTP data to a work account instead of personal ones?

 

Thanks

 

 

Copper Contributor

Recovery process spins around on iPhone 12 and does not work. Removed app and added again, same issue.

Copper Contributor

I can’t believe how poorly designed and executed this is!

Account transfer is and should be a trivial thing, which @Pernille-Eskebo not only messed up, but can’t even do at all between Android and iOS. How pathetic is that!

 

Copper Contributor

The "recovery" on this app is a joke.  99% of the accounts require you to rescan the QR code for it to work.  Meaning if you lose your device and restore the backup you will not be able to sign in to get the QR code.

Copper Contributor

Today I lost access to all my accounts/codes stored in the Authenticator app. When I click "Start Recovery" I get a message "There is no backup stored in your iCloud account". I had backup turned on on my old phone before switching to a new phone and I was able to get recovery from backup in the past. Is there a way to check if a backup exists? Where it is stored in iCloud? 

Copper Contributor

I too lost access to all my accounts because of a bug/glitch in the Microsoft Authenticator app's recovery system. I had the "Backup to iCloud" option enabled, and I even tested it (backed up & restored a couple of times) before I continued adding accounts to the app. I really trusted the app to keep all my accounts safe.

 

Then my iPhone's battery died, and after a sequence of stupid events, the Apple Store where I took it to be serviced ended up trashing my device. They gave me a new iPhone and I restored everything from an iTunes backup I had made hours before.

 

And now I need Microsoft Authenticator to get to all my accounts again -- except it can't find the **bleep** backup in my iCloud account. Someone else in a similar situation posted logs showing that the app itself deleted the backup: https://docs.microsoft.com/en-us/answers/questions/432592/authenticator-restore-on-iphone-failed-bac...

 

WTF Microsoft? What do I do now? Trusted the wrong guys, again. Should have gone with Google Authenticator instead like everyone else. 

Microsoft

@MarcioVieira We have made some improvements in restore flows in last few releases. Could you please share logs from your Authenticator app? To share logs, please go to Menu -> Send feedback -> Having an issue? and share the generated incident ID here. You can also reach us directly at authappfeedback@microsoft.com. Thank you.

Copper Contributor

@Sirisha_Dudiki


I just suffered with this issue when upgrading to a new iPhone. I was stung a few months ago when I restored my previous phone from backup too. Both times made absolutely sure the backup was enabled in the Authenticator app and the date/time of the backup was current. Sure enough, fired up the authenticator app and got "There is no backup stored in your iCloud account. Make sure that you're signed in to the same iCloud account you used to create a backup". Same Apple ID both times.

 

From the logs it looks like the app is deleting the backup on first run when it detects no "MSA" account.

 

2021-09-24 21:21:20.750         VERB                PhoneFactor    0          TID=13             219 (updateCloudBackupIfNeeded()) There is MSA backup metadata, but the MSA account is gone. Delete backup.

 

2021-09-24 21:21:20.750         VERB                PhoneFactor    0          TID=13             148 (deleteBackup(backupName:completionHandler:errorHandler:)) Deleting backup with name Backup

 

2021-09-24 21:21:20.751         VERB                PhoneFactor    0          TID=13             113 (delete(containerIdentifier:completionHandler:errorHandler:)) Deleting a CloudKitContainer with name:Backup type:MicrosoftAuthenticatorBackup from the CloudKit storage.

 

Submitted a ticket through the App, hopefully someone is looking into this, but I’d say it’s not been working for several months.  Incident RMCHXANW. 
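The deletion sequence quoted in the comment above can be searched for in an exported Authenticator log before a support ticket is filed. The following is an added example, not part of the original thread and not Microsoft's code; the column layout in the regular expression is an assumption inferred from the three quoted lines, and `exampleStartup` is a made-up name in a constructed filler line.

```python
import re
from datetime import datetime

# The three entries quoted in the comment above, preceded by one constructed,
# unrelated entry (exampleStartup is a made-up name) to show filtering.
SAMPLE_LOG = """\
2021-09-24 21:21:19.900  VERB  PhoneFactor  0  TID=13  42 (exampleStartup()) Constructed unrelated entry.
2021-09-24 21:21:20.750         VERB                PhoneFactor    0          TID=13             219 (updateCloudBackupIfNeeded()) There is MSA backup metadata, but the MSA account is gone. Delete backup.
2021-09-24 21:21:20.750         VERB                PhoneFactor    0          TID=13             148 (deleteBackup(backupName:completionHandler:errorHandler:)) Deleting backup with name Backup
2021-09-24 21:21:20.751         VERB                PhoneFactor    0          TID=13             113 (delete(containerIdentifier:completionHandler:errorHandler:)) Deleting a CloudKitContainer with name:Backup type:MicrosoftAuthenticatorBackup from the CloudKit storage.
"""

# Assumed layout: timestamp, level, component, a counter, thread id,
# a number (probably a source line), "(function)", free-text message.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<level>\S+)\s+"
    r"(?P<component>\S+)\s+\d+\s+TID=(?P<tid>\d+)\s+\d+\s+"
    r"\((?P<func>\S+)\)\s+(?P<msg>.*)$"
)
DECISION = re.compile(r"MSA account is gone\. Delete backup")
LOCAL_DELETE = re.compile(r"Deleting backup with name (\S+)")
CLOUD_DELETE = re.compile(r"Deleting a CloudKitContainer with name:(\S+) type:(\S+)")


def parse_entry(line):
    """Return a dict for one log line, or None if it does not fit the layout."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S.%f")
    entry["tid"] = int(entry["tid"])
    return entry


def find_backup_deletions(text, window_s=5.0):
    """Find 'account gone, delete backup' decisions and the deletes that follow.

    A delete entry is tied to a decision only if it is on the same thread and
    within window_s seconds, so unrelated deletes elsewhere are not counted.
    """
    findings, pending = [], {}
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if DECISION.search(e["msg"]):
            f = {"decided_at": e["ts"], "tid": e["tid"], "backup_name": None,
                 "container_type": None, "cloud_delete_issued": False}
            pending[e["tid"]] = f
            findings.append(f)
            continue
        f = pending.get(e["tid"])
        if f is None or (e["ts"] - f["decided_at"]).total_seconds() > window_s:
            continue
        m = LOCAL_DELETE.search(e["msg"])
        if m:
            f["backup_name"] = m.group(1)
        m = CLOUD_DELETE.search(e["msg"])
        if m:
            f["container_type"] = m.group(2)
            f["cloud_delete_issued"] = True
    return findings


if __name__ == "__main__":
    for f in find_backup_deletions(SAMPLE_LOG):
        print(f"{f['decided_at']} TID={f['tid']} backup={f['backup_name']} "
              f"type={f['container_type']} cloud_delete={f['cloud_delete_issued']}")
```

A finding with `cloud_delete_issued` set means the app itself requested removal of the cloud container, which is the detail to include in a ticket alongside the incident ID.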

 

Copper Contributor

@MarcioVieira We have made some improvements in restore flows in last few releases. Could you please share logs from your Authenticator app?

@Sirisha_Dudiki I hope the logs shared by others here will be enough for you guys to fix your software. I can't provide logs anymore because I deleted the Microsoft Authenticator from my phone and from my life, and I don't want to see it ever again. Of all features you guys could be "improving" with user feedback, *this* should not be one of them. 

 

After spending over an hour on the phone with Microsoft tech support, they blamed Apple for not saving the backup and told me to contact them instead. But, as @Rob_Targett and others pointed out, the backup is actually being deleted by Microsoft Authenticator itself. Out of panic, I did open a ticket with Apple, who stayed on the phone with me troubleshooting for over 2 hours. They connected me to an iCloud engineer who looked everywhere and still couldn't find the **bleep** backup file.

 

So, I gave up. I'm now in the process of contacting all organizations and websites I had codes for, to convince them of my identity. It will take weeks to unlock an investment banking account (manual review), but other systems are a little easier to deal with so hopefully I'll have everything back by the end of October. Sigh.

 

Lesson learned, I'm starting to use Google Authenticator from now on. I know it probably has some issues too, but apparently it got the basics right. Also, it allows you to save a key to recover your codes in catastrophic cases, which makes a lot of sense and is something Microsoft should do too.

 

Copper Contributor

You've got to be kidding me - just been through the same stuff.

Happy MS Auth user for ages, had to have my iP12 serviced. Restored to a rented iP6s without a hitch (last week Tuesday). Got my phone back, went to restore MS Auth backup, getting "There is no backup stored in your iCloud account. Make sure that you're signed in to the same iCloud account you used to create a backup".

Is there a way to recover now, or am I lost? Had quite a few accounts in the app.

Version history
Last update: Aug 19 2021 04:21 PM