Microsoft Authenticator App - restore on new phone?

Steel Contributor

What is the recommended workflow to restore the Microsoft Authenticator App on a new phone, in case a user loses his phone or receives a new phone?

6 Replies
As long as they still have access to the account to which the app data was backed, follow the steps here: https://support.microsoft.com/en-us/topic/bb939936-7a8d-4e88-bc43-49bc1a700a40
Unfortunately not. But the "old" phone is still available. I am trying to setup the backup, because we are going to exchange a few phones in our organization.

From what I see a personal Microsoft account (?!) is needed to back up the Microsoft Authenticator data. Is there no option to create a backup with a business account?
Also, Work Accounts are never completely backed up/restored. They need to approve the account sign in from the old phone or alternative method. I assune this is a security decision so that MFA methods for work accounts are not stord in iCloud for example for iOS devices.
Microsoft recommends abandoning Phone/SMS and switching over to Microsoft Authenticator. Personal accounts for backup is definitely not an option, and you say the account needs to be approved on a new phone.

What options do I have if a user loses his phone on a business trip?
If you allow SMS/Phone Call they can sign in using this method. If you ONLY allow Microsoft Authenticator the user needs to call the helpdesk to get their MFA methods reset and add a new Microsoft Authenticator on a new phone they get from somewhere. Of course, there are other alternatives too like FIDO2, Softeare/hardware OATH tokens but that is additional stuff.
But isn't FIDO2 or Software/hardware OATH tokens a better alternative, when SMS/Phone Calls are not considered secure? I don't see the point in having Microsoft Authenticator AND SMS/Phone Call, when Microsoft is telling you that SMS/Phone Call is not secure. This is undermining the security of having Microsoft Authenticator as second factor.