Easier Configuration Promised for the Microsoft Authenticator App
Authenticator Embraces a New Method for Account Backup and Restore
My article about adding QR codes to the Microsoft Authenticator app for Entra ID guest accounts is one of the more popular on the Office365itpros.com site. Given the increasing use of multifactor authentication to protect Microsoft 365 accounts and the need for stronger authentication methods to replace insecure SMS-based challenges, it’s unsurprising that the Authenticator app is a popular choice. The app is easy to use and it’s a strong authentication method, so many boxes are ticked.
Where the Authenticator app falls down is when a user gets a new phone, either by choice or through necessity. The gloss of buying a brand-new iPhone is diminished by the pain of reconfiguring the Authenticator app to regain access to accounts. Microsoft wants to remove that pain with a “more seamless and secure backup and restore experience using iCloud and iCloud Keychain.”
The change is reported in message center notification MC1111780 (8 July 2025) and will be delivered in an app update that’s expected to roll out in September 2025, with full worldwide deployment scheduled to complete in October 2025. Tenant administrators cannot affect the progress of the rollout, and the change is effective after the installation of the updated app on an iOS device (the Authenticator app also supports iPad devices).
Eliminating the Need for a Microsoft Personal Account
Today, the Authenticator app needs a Microsoft personal account (Figure 1) to back up account names and third-party time-based one-time password (TOTP) credentials used by sites like GitHub and Twitter (the site issues a challenge that is satisfied by a six-digit number generated by the Authenticator app).

Instead of using a Microsoft account for backup and recovery, Authenticator will use the iCloud Keychain. Setup of new devices is therefore performed completely within the iOS ecosystem, so it’s smoother and less prone to error. Users don’t have to do anything to benefit from the update. It is enabled automatically if the device runs iOS 16.0 or later and the user’s iOS account enables iCloud and iCloud Keychain. It’s likely that relatively few iOS users don’t have these components enabled. Apple is very successful at convincing iOS users to move to new versions of the operating system, so the iOS 16.0 requirement is unlikely to be an issue either, especially in corporate environments.
After the update, Authenticator backs up all account names and third-party TOTP credentials using the iCloud Keychain. Nothing else is backed up. Specifically, Entra ID credentials are not stored, so after moving to a new iOS device, users must sign into their accounts to complete setup.
A Need for User Communication
During the period between now and September 2025, Microsoft will flag the upcoming change with messages in the Authenticator app to inform users about a “new way to backup your account” on its main screen. The settings screen will have a message about replacing the existing iCloud backup mechanism with an enhanced version. It’s possible that users will generate some help desk calls when they read these messages, so organizations should consider some proactive communications to explain what’s happening in non-technical, practical terms.
Finding iOS Devices That Might be Affected
With an eye on communications, the need exists to identify the users of iOS devices that might use the Authenticator app. One of the advantages of having a large repository of PowerShell scripts is the availability of code that can be repurposed. The trick is to figure out what bits to use.
After thinking about it, I decided to reuse some code to report user-preferred authentication methods to find users who’ve opted to use push-based methods. The devices in use can be Android or iOS, so it’s necessary to refine the set to select those who use iOS. The Get-MobileDevice and Get-MobileDeviceStatistics cmdlets reveal the operating system used by devices that synchronize with Exchange Online with apps like Outlook for iOS. By checking the devices used by the folks who’ve signed up for push-based methods, we can find and report the people who are actively using iOS. You can download the script from the Office 365 for IT Pros repository. Some sample output is shown below.
Users of iOS devices that are actively in use
---------------------------------------------

User         UPN                              DeviceOS
----         ---                              --------
Jeff Guillet Jeff.Guillet@office365itpros.com iOS 18.5 22F76
John James   John.James@office365itpros.com   iOS 18.5 22F76
Tony Redmond Tony.Redmond@office365itpros.com iOS 18.5 22F76
This is a good example of using different sources of Microsoft 365 data to answer a question. Of course, you must know about the sources available to you, but that comes with experience.
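The correlation described above, as an added example (it is not the script from the Office 365 for IT Pros repository): it takes member accounts whose preferred second factor is push from the Entra ID registration report and keeps those with an iOS device that synchronized with Exchange Online recently. The Microsoft Graph and Exchange Online PowerShell modules, the AuditLog.Read.All scope, and the 30-day definition of "active" are assumptions.

```powershell
# Added example: joins Entra ID registration data with Exchange Online device data.
# Assumes the Microsoft.Graph.Reports and ExchangeOnlineManagement modules are installed.
Connect-MgGraph -Scopes 'AuditLog.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

$ActiveSince = (Get-Date).AddDays(-30)   # assumption: "active" = synced in the last 30 days

# Member accounts whose preferred second factor is an Authenticator push notification
$PushUsers = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $_.UserType -eq 'member' -and
                   $_.UserPreferredMethodForSecondaryAuthentication -eq 'push' }

$Report = foreach ($User in $PushUsers) {
    # Devices partnered with the mailbox; accounts without a mailbox return nothing
    $Devices = Get-MobileDevice -Mailbox $User.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.DeviceOS -like 'iOS*' }
    foreach ($Device in $Devices) {
        $Stats = Get-MobileDeviceStatistics -Identity $Device.DistinguishedName -ErrorAction SilentlyContinue
        # Skip stale partnerships (old phones that no longer synchronize)
        if ($Stats.LastSuccessSync -gt $ActiveSince) {
            [PSCustomObject]@{
                User     = $User.UserDisplayName
                UPN      = $User.UserPrincipalName
                DeviceOS = $Device.DeviceOS
                LastSync = $Stats.LastSuccessSync
            }
        }
    }
}

# One row per user: the most recently synchronized iOS device
$Report | Sort-Object UPN, LastSync -Descending |
    Group-Object UPN | ForEach-Object { $_.Group[0] } |
    Format-Table User, UPN, DeviceOS, LastSync -AutoSize
```

Exchange Online only sees devices that synchronize mail, so the result approximates the set of Authenticator users on iOS rather than listing app installs.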
Looking Forward to the Upgraded Authenticator App
I’m looking forward to the upgraded Authenticator app. My iPhone 14 is showing signs of age and it’s time to consider moving to a new iOS device (I’ve never used Android). If Microsoft’s promise is correct, the transition should be easier than ever before, and that’s a worthwhile change.