Microsoft Authenticator

[HCHTech]

A couple of weeks ago, I replaced my 16-month old Galaxy Z-Flip 4 because the screen protector (factory applied and non-serviceable) was delaminating from the fold area. This is a known issue I guess, but I have the phone insurance, so got a replacement. After moving the SIM card to the new phone, I used the Samsung Smart Switch app to move all of the data to the new phone. It worked almost flawlessly, I had a few apps that didn't move over, so I reinstalled those. To my surprise, Microsoft Authenticator restored without complaint and I continued life as normal. I've got maybe 70 or 80 accounts in the authenticator. I thought for sure I was going to have to recreate those.

Fast forward 2 weeks. The replacement phone's screen protector started to delaminate in exactly the same place - ugh. Well, I contacted the insurance vendor (Asurion) and they offered to just swap a new phone, no charge. Amazing. I got a call back in about 5 minutes, stating they didn't have any of that model in stock, and would I take a Z-Flip 5 instead? 256Gb vs. 128GB on the "4", bigger outside screen, next generation of processor. I agreed without hesitation.

So I received this new phone yesterday and went through exactly the same data transfer procedure as before. This time, MS Authenticator is less happy. All of the accounts restored, but every single M365 account (over half of the accounts I have are M365) now shows a red "Action Required" note, and if you open that account, it says "Action Required - Scan the QR code provided by your organization to finish recovering this account".

A bit of searching later, it seems there is no way to redisplay the QR code once 2FA has been setup for the account, so it looks like I'm going to have to individually delete these account, then go through the process of setting up 2FA again on each one. The old phone can still get the prompts if it is connected to wifi, so that will probably help, but still. What a mess.

Before I start down this path, is this expected behavior? Do I have any other choices other than redoing the 2FA on 40 accounts?

 

[phaZed]

I think that's the expected behavior. I've had to go through this process before.

Just some confirmation of the issue:

How to Move Microsoft Authenticator to a New Phone

Did you just get a new phone? You'll have to transfer your 2FA accounts if you use Microsoft Authenticator.

www.howtogeek.com

 

[britechguy]

Even though there's some trash talking here, this may prove helpful and enlightening: https://learn.microsoft.com/en-us/a...ransferring-ms-authenticator-to-another-phone

and possibly: https://learn.microsoft.com/en-us/a...o-transfer-microsoft-authenticator-to-another

I'm glad I chose 2FAS as my authenticator app at this point. I'd tried out Googles and set up Microsoft's for someone else, and just find 2FAS better in a number of respects, including ability to smoothly change devices.

 

[HCHTech]

I did try to remove and reinstall the Microsoft Authenticator app from my new phone, but got the same result with all M365 accounts broken.

So just in case someone else runs into this issue and has to re-authenticate every single M365 account in Microsoft Authenticator, here are the most-efficient steps as near as I can tell.

1. Remove internet access from your OLD phone, but power it up and bring up the Microsoft Authenticator and pull up the problem account
2. On the new phone, remove the problem account that was transferred from the authenticator
3. On your computer, login to admin.microsoft.com with the problem account
4. When you get the prompt to approve the sign-in request and enter the two-digit code on your phone, click on the link for "I can't use my Microsoft Authenticator app right now"
5. On the "Verify your Identity" screen that comes up next, click on "Use a verification code" (which, incidentally, is from your Microsoft Authenticator app, so the link "I can't use my Microsoft Authenticator app right now" is a bit disingenuous, haha. See, when you have to do a repetitive task over and over you start to pick apart the steps - try it, it's fun!
6. Enter the six-digit code from the authenticator app on your old phone
7. Once logged in, click on your user initials icon at the upper right and then click on the "View account" link
8. Dismiss the stupid Microsoft feedback popup, then click on the "Update Info" link on the "Security" card on the main screen
9. Click on the "Delete" link next to the Microsoft Authenticator" entry
10. Once that entry is deleted, click on the plus sign to "Add sign in method"
11. Choose "Authenticator App" and click "Add"
12. Click Next until you see the QR code
13. On your new phone, click the plus sign in the authenticator app to add a new account, click 'Work or School', then click "Scan a QR Code
14. Scan the code on the screen to add the new account
15. Click Next to verify and put the 2-digit code into the popup window on your phone, then authenticate with your face or fingerprint if that's how you have it setup.
16. The new account will be at the very bottom of the list (so keep scrolling if you have 80 accounts like me)
17. Click on the hamburger menu in the app and choose 'Rearrange Accounts', then drag the account up into the list where you want it. I have no idea why there isn't an option to alphabetize the entries in the app, but here we are. I have my 5 most-frequently-used accounts at the very top, then everything alphabetical after that. It's a pain when you add a new account, but makes using the app much easier day-to-day.
18. Back on your computer, click on the "Set Default authentication method" link to confirm that the Authenticator (Notification) is the default.
19. Make sure your phone number is on the sign-in method list, just in case, then you can log out of Microsoft on the computer. Both tabs, btw. I don't know why Microsoft insists on making you log out separately when you have more than one admin center going, but here we are. Oh, and be sure to select which account you want to log out of on their popup list of ONE. Geez, does nobody at MS think these things through?
20. IF %time% >17:00:00 {echo "Take a drink!" then GOTO "1."} else GOTO "1."

I have to reset just about 50 accounts. I expect it will take me the rest of the day. The best I can do is about 4 minutes per account, but that's with no interruptions, like I said, the rest of the day.

 

[phaZed]

Unfortunately. I guess it makes sense so that the accounts are not portable - hence - can't work on another device, as a "security feature" - but yeah, huge pain in the neck.

 

[thecomputerguy]

 

[britechguy]

as a "security feature" - but yeah, huge pain in the neck.

Which is precisely why so many of the modern security measures are despised by those who need something most, but not what's available. They'll often choose to "go without" because of just this sort of thing.

 

[HCHTech]

I guess it makes sense so that the accounts are not portable

The odd thing is that it worked the first time I transferred to the new phone - no re-registration necessary. Then I replaced my phone a second time in as many weeks. Maybe they give you once, but treat you with more suspicion if you're a repeat customer.

 

[britechguy]

can't work on another device

Why? Many of us have/use more than one device?

Another reason I love 2FAS (from their homepage): 2FAS syncs across your mobile devices.

Since I have to use biometrics to gain access to 2FAS, I should be able to set it up on as many mobile devices as I might choose to.

MFA that's not convenient is one of the reasons that MFA is resisted.

2FAS vs Microsoft Authenticator
2FAS vs Google Authenticator
2FAS vs Authy
2FAS vs Duo

 

[phaZed]

Why? Many of us have/use more than one device?

Another reason I love 2FAS (from their homepage): 2FAS syncs across your mobile devices.

Since I have to use biometrics to gain access to 2FAS, I should be able to set it up on as many mobile devices as I might choose to.

I am also on 2FAS per that thread some months back. I love it. 2FAS still gathers the keys/codes from the one device - it's just that it gives you the browser plugins and whatnot to be able to make API calls to request the code... but the "original device" is still the "one" that is doing it... it's just sending the code to other devices.

I would be all-for a 2FA that was portable - but I have not seen it yet - and the way 2F rolling codes are setup is by verifying the device and it's serials/secure enclave, etc.

 

[Sky-Knight]

Microsoft says... Microsoft Authenticator is a keyring, owned by the PERSON that uses it. It's a PERSONAL service.

The backup / restore feature relocates PERSONAL keys on that ring.

M365 accounts by default are BUSINESS keys, and are issued by the person who has control over that box of keys. (Person with the Password Aministrator role) Just like you can't get a 2nd key to the office's front door, or a replacement ID card... you need to get that token from someone authorized.

There is a configuration change you can make to the tenant to authorize users to duplicate their keys and let those restore processes work, but this is off by default, and it's off by default for a REASON. Never, should a business authorize an end user to change their tokens without the appropriate logging.

Fortunately, your users can access their profile at office.com, and enroll a new phone without any restore process at all, as long as they have their old phone around or ability to authenticate in another way. It's always been this way, it will always be this way, wishing it to be another way is rather silly. You can enroll as many authenticators on any given M365 account as you want and each and every one of them is a UNIQUE KEY with its own audit trail.

Plan ahead, or suffer... that's how authentication works. And sadly, it seems you've failed to plan on two key points.

I've NEVER seen a "transfer" of any kind work between phones, if that happened THAT is the bug, because that's not authorized.

Now, if you have an authenticator with 50 tokens in it... THAT is a problem too, and you should be using the Microsoft Partner portal so you can via GDAP permissions access your customer's tenants with your usual Partner login.

Stop logging into tenants directly... that's the pathway to doom and pain. If you must do this, enable TOTP, and enroll a password manager with it. This is acceptable for break the glass accounts ONLY, as shared credentials ARE BAD. Again, GDAP solves all of this. Let the Partner Center work for you and once that's going, activate M365 Lighthouse... you'll be glad you did!

 

[britechguy]

@phaZed,

We may be talking past each other, but take a look at the the above noted "versus Microsoft Authenticator" page, the section named Extra Features.

I read the sync and transfer features as being "these can be ported, at will" as well as being available on multiple devices. Perhaps I am incorrect.

 

[phaZed]

@phaZed,

We may be talking past each other, but take a look at the the above noted "versus Microsoft Authenticator" page, the section named Extra Features.

I read the sync and transfer features as being "these can be ported, at will" as well as being available on multiple devices. Perhaps I am incorrect.

We may be, lol.

Well, I'll be darned. My previous experiences moving from Google Auth->Google Auth (Broken phone) and Google Auth->2FAS Account Import are not the Same as 2FAS->2FAS New Device

2FAS for the win seemingly. I tried this out just now on another device and it was painless. OK then!

 

[Sky-Knight]

Google Auth -> Google Auth is a bit easier because it cheats.

When you move your number to a new Google device, you have to authenticate that device via several factors, and once that device is authenticated it's now trusted, and can inherit all your personal authentication tokens in the authenticator.

This isn't possible by Microsoft because Microsoft doesn't own the OS in question. But if the GSuite tenant is properly configured, any 2nd factor in there will need to be reset. That process happens via the usual password reset mechanism that's also heavily integrated into the mobile device. Incidentally, that fail-over process is also possible with M365 assets if you enable the tenant's self service password reset functionality, configure the tenant for that use, and then enroll the appropriate tokens into the account in question. The configuration of which is all virtually identical to the same setup on GSuite.

 

[britechguy]

I tried this out just now on another device and it was painless.

And do both the old device and new device continue to both function simultaneously?

 

[phaZed]

And do both the old device and new device continue to both function simultaneously?

They indeed do. Thank god for 2FAS lol.

 

[HCHTech]

I've NEVER seen a "transfer" of any kind work between phones, if that happened THAT is the bug, because that's not authorized.

Now, if you have an authenticator with 50 tokens in it... THAT is a problem too, and you should be using the Microsoft Partner portal so you can via GDAP permissions access your customer's tenants with your usual Partner login.

Yes, this has grown past the point where I should have converted to the correct way, it was so easy when I only had a handful, though. I'll need to take on THAT project, but I think I'll wait a bit until the pain of this one has faded - haha. I wonder if the first transfer worked because the phone model was identical...a fluke maybe.

The other 40 or so tokens are an assortment of Synology units, firewall logins, VPN logins, web accounts, etc. They do add up quickly. It seemed like a good idea to keep them all in one place, and the phone seems a better choice than a laptop for field work. If I were to start over today, I think I'd make the same [potentially wrong] decision.

 

[HCHTech]

Now, if you have an authenticator with 50 tokens in it... THAT is a problem too, and you should be using the Microsoft Partner portal so you can via GDAP permissions access your customer's tenants with your usual Partner login.

As all of my M365 customers are resold through AppRiver (probably moving to Sherweb, now), my partner ID is not currently listed on the partner relationships page for any of them. I suspect at the very least, I'll need to add that for management through the partner portal to work. Further, It doesn't look like you can just add another partner, though - partners are tied to subscriptions, which in my case already all have AppRiver as the partner. So this whole idea might might not be available to me unless I change the way I do business.

 

[Sky-Knight]

As all of my M365 customers are resold through AppRiver (probably moving to Sherweb, now), my partner ID is not currently listed on the partner relationships page for any of them. I suspect at the very least, I'll need to add that for management through the partner portal to work. Further, It doesn't look like you can just add another partner, though - partners are tied to subscriptions, which in my case already all have AppRiver as the partner. So this whole idea might might not be available to me unless I change the way I do business.

You can add as many partners as you want, they are not tied to subscriptions, though subscriptions can be tied to a partner. Adding the partnership allows the partner to sell subscriptions, and grands administrative access based on the permissions requested via the GDAP relationship. You cannot "just add them" via the customer's admin portal, you generate an invitation via your Microsoft Partner portal.

For the rest of your non-Microsoft stuff I HIGHLY recommend Bitwarden, it once paid can do TOTP token storage. I recommend further that you use the organization subscription of some sort so you can have the tokens stored in a company vault separate from your personal one, organized by client in separate collections, which in turn give you the ability to invite employees, contractors, or whomever else you need to those stored credentials on a per collection basis.

Then you just need to make sure you don't lose access to your personal vault, which can be MFA'd itself via FIDO2 key, or another TOTP authenticator that has a backup / restore function. Personally I use DUO MFA for this purpose, and it's the only thing I use DUO for.

 

[Fred Claus]

There are a lot of answers here but let me chime in. Don't you have recovery keys from the services that you had on the old phone? A lot of times these recovery keys can reactivate the Microsoft Authenticator connection.