CebicTech
Copper Contributor
Aug 29, 2024

Managing Multiple M365 Administrator Accounts with Microsoft Authenticator Backup

Hello Tech Community,

I am looking for some advice on how to efficiently manage and back up multiple M365 Administrator accounts using the Microsoft Authenticator app. As an IT Support professional working with multiple clients, I have a dedicated Global Administrator account for each client, and all accounts are secured with Multi-Factor Authentication (MFA) using Microsoft Authenticator.

Setting up each Global Admin account with the Authenticator app is fairly straightforward, but I’ve run into an issue when trying to transfer these accounts to a new smartphone. While the Microsoft Authenticator app does transfer accounts to the new device, it seems that MFA will no longer work unless you scan a new QR code for each account. However, logging into these Global Admin accounts to obtain the new QR code is not feasible since MFA is required, creating a bit of a catch-22.

I’d prefer not to resort to other authentication methods (SMS, email, etc.) for these Global Admin accounts, as it adds unnecessary complexity and potential vulnerabilities. Has anyone found a reliable solution for seamlessly backing up and transferring these MFA-enabled Global Admin accounts to a new phone without needing to re-authenticate via QR code? Any insights or best practices would be greatly appreciated!

  • That's by design sadly, so you either have to have the "old" phone in the other hand, or use other methods. FIDO2 keys seem to be the industry standard nowadays.
    • CebicTech
      Copper Contributor
      How do you use FIDO2 Keys to support MFA for multiple Global Administrator Accounts for different Tenants? I don't see that as an option when I set up MFA in M365.
  • PBeiler1
    Steel Contributor

    I like that Microsoft Authenticator MFA cannot be restored. Allowing this would weaken security. Yes, this means I must redo the non-M365 Authenticator IDs when getting another iPhone. Protocol requires one to have a minimum of two admin IDs in an M365 account, thus another admin can set up a TAP (temporary access password) to have a user reset their Microsoft Authenticator ID.

  • CebicTech
    Copper Contributor
    Quick update to bring this issue to a close. There is no way to have multiple M365 Global Admin MFA properly backed up so they can be restored when moving to a new device. I was able to work with the Microsoft Data Protection Team to disable the MFA, but only after they vetted the Admin Credentials to prove I was the Global Admin. Going forward, I will create multiple MFA options for the Global Admin or create a backup Global Admin account for each M365 Tenant.
