I’ve written previous blogs on why you need MFA enabled on your accounts and an update to the user experience from Microsoft. So, now we can assume you have MFA set up for yourself and your end users and they are using the Microsoft Authenticator app as their default secondary form of authentication. However, that once shiny and new cell phone is looking old and tired. It doesn’t keep a charge like it used to. There’s one too many cracks on it. Then your carrier offers you a great new deal on a new phone that you can’t pass up. What happens to all those accounts set up in Microsoft Authenticator on the old phone? How do you transfer them to the new phone?
Before the new phone transition…
Well, before you turn that old phone in, hang on to it and do not wipe or reset it yet. Having the old phone still working makes the transition to Microsoft Authenticator on the new phone much easier, and you can safely wipe it once the new phone has been verified.
First, from the old phone, make sure cloud backup is turned on. Cloud backup requires a personal Microsoft account, and on iOS devices it also requires an iCloud account. Because iOS devices store the backup in iCloud and Android devices store the backup in Microsoft’s cloud, this process will not work if you are changing from iOS to Android or vice versa. Keep in mind that the backup holds the credentials for your accounts, so the personal Microsoft account that owns the backup should itself be protected with MFA and a strong password.
Also, on your new phone, don’t set up any accounts in Microsoft Authenticator yet. If any account is already present, the app won’t let you restore from a backup.
Confirm that Cloud backup shows as enabled. While you are in there, consider turning on App Lock. It requires a fingerprint or PIN (whatever you have set for your screen unlock) each time you open Microsoft Authenticator, so someone who picks up an unlocked phone cannot approve sign-ins or read the codes.
Transitioning Microsoft MFA to New Phone
Now, from the new phone, open the app and tap Begin Recovery.
Sign into the recovery account used in the first step. On Android, also turn off Battery optimization for the app while you are there. When Battery optimization is on, the phone may prevent Microsoft Authenticator from doing work in the background, such as receiving the push notifications it needs to prompt you for sign-in approvals.
Now that the accounts are recovered, you may notice some with a red warning exclamation point and “Action required” notice:
These accounts need further proof that you are who you say you are. They are typically work or school accounts: the backup restores the account entry, but the new phone still has to be registered with your organization before it can be used for MFA.
This is where it is handy to have your old device still connected, since the old phone can approve the MFA prompt you will get while signing in. Go ahead and sign into your personal Security info page at Microsoft (https://aka.ms/MFASetup). Depending on your tenant’s setup, you may have the old experience:
Or the new experience:
If you have the old experience, click the “Set up Authenticator app” button. If you have the new experience, click “+ Add method.” Walk through the wizard until the QR code is presented on the screen. Then, from your new phone, tap the “Action required” text and scan the QR code. This adds the needed credential to your new phone and registers the device as another approved Authenticator app for that account.
It would be a great idea to do some housekeeping while in this section. In the old experience screen capture above, there are three entries for the “Authenticator app,” meaning three different devices were set up for MFA on this one account. It is likely that two of those are old devices and can be safely deleted. Each stale entry is a live sign-in method tied to a phone you may no longer control, so remove it. Make sure the label next to the one you want to delete is truly the device you no longer use, then click Delete.
If you are unsure, search the web for the device name shown on the label; it will usually tell you plainly what type of device it is.
Now that you are set, make sure it works! Sign out of your Security info page. Close your browser (yes, all open windows), open a new browser, and navigate back to a page that will prompt for MFA. Either https://portal.office.com or https://aka.ms/MFASetup is a good choice. Sign in, confirm the MFA prompt arrives on the new phone (not the old one), approve it, and you are set.
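The housekeeping step above is done by the user in the Security info page. An administrator can do the same cleanup for a user from the Microsoft Graph PowerShell SDK, which is handy when someone traded in a phone without removing the old registration. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the admin running it can consent to the UserAuthenticationMethod.ReadWrite.All scope, and that the user principal name and the 180-day "stale" threshold are placeholders for your own values.

```powershell
# Added example (not from the original post): list a user's registered
# Microsoft Authenticator devices via Microsoft Graph PowerShell and remove
# the stale ones. Each object returned here corresponds to one
# "Authenticator app" row on the user's Security info page.
# Assumptions: Microsoft.Graph.Identity.SignIns module is installed, the
# signed-in admin can grant UserAuthenticationMethod.ReadWrite.All, and
# $UserPrincipalName / $StaleAfterDays are placeholders for your own values.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [int] $StaleAfterDays = 180,
    [switch] $Remove   # without this switch the script only reports
)

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$methods = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName
if (-not $methods) {
    Write-Host "No Microsoft Authenticator registrations found for $UserPrincipalName"
    return
}

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)
$report = foreach ($m in $methods) {
    [pscustomobject]@{
        Id          = $m.Id
        DisplayName = $m.DisplayName      # device label shown in the portal
        AppVersion  = $m.PhoneAppVersion
        Registered  = $m.CreatedDateTime
        # Registration date is only a heuristic; an entry with no date is
        # treated as "unknown" rather than stale so it is never auto-removed.
        Stale       = ($null -ne $m.CreatedDateTime -and $m.CreatedDateTime -lt $cutoff)
    }
}

$report | Sort-Object Registered -Descending | Format-Table -AutoSize

# Never touch the newest registration: that is the phone the user just set up.
$newest = $report | Sort-Object Registered -Descending | Select-Object -First 1
$stale  = @($report | Where-Object { $_.Stale -and $_.Id -ne $newest.Id })

if (-not $Remove) {
    Write-Host "Dry run: $($stale.Count) stale registration(s). Confirm the DisplayName values, then re-run with -Remove."
    return
}

foreach ($s in $stale) {
    Write-Host "Removing '$($s.DisplayName)' registered $($s.Registered)"
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
        -UserId $UserPrincipalName `
        -MicrosoftAuthenticatorAuthenticationMethodId $s.Id
}
```

Run it first without -Remove and check the DisplayName column against what the user actually owns, exactly as the post advises for the portal; the date-based heuristic is there to catch obviously abandoned phones, not to replace that check.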