Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
7,345 questions
Authenticator: "scan the qr code provided by your organization to finish recovering this account" - where does org (me) get this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 32%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
Ben J
0
Reputation points
Testing this out for a client/friend whos upgrading several phones and migrating to InTune. Using authenticator to backup and restore tokens onto new devices. Though it completely defeats the point of "recovery", it DOES require you "scan a QR code".
I see that there used to be an item in https://account.activedirectory.windowsazure.com/ for "additional security verification", which SOUNDS like what this app "functionality" was meant to work with. But that is gone, presumably because of the azure > entra fry-gration
Recent learn.microsoft answers point to https://mysignins.microsoft.com/security-info - a page i've not once ever seen, but okay. The thing is if users cannot log in to this page, they cannot add a new auth method. I tested this on my own account/tenancy. Logged out online, deleted my authenticator, restored. My authenticator account was locked, demanding an approval from my account, itself demanding approval from my authenticator.
I've checked the labyrinth of React components we call "Entra" for everything dealing with MFA. I tried using the > User > Authentication > Require re-register multifactor authentication AND the "per-user multifactor authentication" > re-register MFA (available from 365AC:users > multi-factor authentication). One of them did nothing that i could tell (re-logged and was requested to approve via authenticator as normal), the other just deleted my MFA config and marked my account not capable of MFA. Despite conditional access rules requiring MFA, I got no prompt to re-register any MFA..
So what exactly is the "approved" process here? Google Authenticator? Client is remote, and users are spread all over the place - they're not office workers. Between the whole "need 90 personal MS accounts to back authenticator up to iCloud" and this, they're starting to doubt the InTune migration. Any MSPs or consultants here who have been through this process?
Sign in to answer