How to Back Up MFA Credentials with Microsoft Authenticator Backup

Your MFA credentials are always excluded from your device’s usual iOS or Android backup precudures. So, Microsoft Authenticator MFA backup has to be enabled and scheduled using your Microsoft Authenticator App. This way, your MFA keys can be protected with enhanced securitization. When you configure Microsoft Authenticator MFA Backup, your app will include MFA accounts for other services that you rely on for OTP (One Time Passcode) or TOTP (Time-based OTP), too.

Microsoft Authenticator Backup features

Microsoft Authenticator Backup procedures are easy to schedule. You only need to be able to provide Microsoft Authenticator with your credentials when you configure backups for either a Microsoft personal account, iCloud account, or Google Drive account. Features include:

• You can connect to a Microsoft personal account, iCloud, and Google Drive.
• iCloud and iCloud Keychain can handle backups automatically.
• Work and school accounts are supported.
• No admin action is required for organizations.
• Third-party TOTP credentials (like Google, Amazon, etc.) are included.

How Microsoft Entra Portal Supports MFA Management

Microsoft Entra ID (formerly Azure AD) uses a unified Authentication Methods Policy. This service is included in Microsoft 365 and it streamlines MFA setup and backup across all user types. Remember, Microsoft Authenticator MFA is a user-level process. This means that Global Administrators cannot configure MFA for you. Entra ID facilitates:

• Centralized control of MFA, SSPR, and passwordless options.
• Granular policy settings for different user groups.
• Future-proof integration with Microsoft’s evolving identity tools.
• Easier onboarding and recovery for users.

Configure Microsoft Authenticator Backup with a Microsoft Personal Account

• Open Microsoft Authenticator App on your mobile device.
• Click open the Hamburger icon (usually top right of your App’s screen).
• Click open Settings from the drop down list.
• Input your Microsoft (personal) account credentials.
• Review preferences and save settings.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials using a new iOS or Android device, install Microsoft Authenticator, open the app, and sign into your personal Microsoft account. You will be prompted to restore accounts from backup. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Configure Microsoft Authenticator Backup: iOS/iCloud Backup

• iOS 16 or later is required – check your device first.
• Enable iCloud and iCloud Keychain in your mobile device’s device settings.
• Open Microsoft Authenticator.
• Go to Settings > iCloud Backup in the Authenticator app and enable backup.
  • This will back up your account names and TOTP (Time-based One-Time Password) credentials to iCloud.
• To verify that backup is enabled:
  • Open Authenticator > Settings > iCloud Backup.
  • Confirm that the status shows “Backup is on”.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials with a new iOS device, install Microsoft Authenticator and sign in to iCloud in App settings. Your Microsoft Authenticator accounts will be restored automatically. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Configure Microsoft Authenticator Backup: Android/Google Drive Backup

• Open Microsoft Authenticator.
• Tap the three-dot menu > Settings.
• Enable Cloud Backup.
• Sign in to Google Drive when prompted.Go to Settings > Cloud Backup in the Authenticator app and enable backup.
  • This will back up your account names and TOTP (Time-based One-Time Password) credentials to iCloud.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials to a new Android device, install Microsoft Authenticator and sign in to yoru Google Account in App settings. Your Microsoft Authenticator accounts will be restored automatically. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Alternative Method: No Microsoft, iCloud, or Google account?

If you do not use iCloud or Google Drive, or you are blocked by Microsoft account prompts, follow this manual method:

1. On your old device, go to Microsoft MFA Setup.
2. Authenticate and access the Security Info page
3. Click Add sign-in method > Microsoft Authenticator
4. On your new phone, install Authenticator and select Work or School account.
5. Scan the QR code shown on your computer.
6. Approve the authentication request on your new device.
7. Remove the old device from the Security Info page.

This method works for users who only use work accounts and want to avoid linking personal Microsoft accounts. However, it is not as robust as the settings detsailed above and should be considered as an option of last resort. For instance, this option might only be in contemplation if you had already lost your old device, which you need for this workflow. Instead, use one of the options above.

If your organization allows SMS as an MFA method:

1. In the Security Info portal, click + Add sign-in method
2. Select “Phone”
3. Enter your mobile number and choose Text me a code
4. Enter the verification code received via SMS when your mobile phone receives it

SMS is considered less secure than app-based authentication. So, by default, Microsoft Authenticator app will use MFA using either available WiFi or mobile phone signal to authenticate your Microsoft 365 sign-ins. SMS is a valuable backup method—especially if your primary device is unavailable.

Sometimes, it helps to include a second mobile device to authenticate your Microsoft 365 sign-in. This might be necessary where authentication is necessary from two geographically separate locations. In this situation, the same mobile phone cannot be at the each location simultaneously. Also, a second phone might help avoid lockouts. This is optional, and not usually necessary However, if you need to include a second device for authenticating you can configure
Microsoft Authenticator MFA for 365 with this additional step:

1. Install Microsoft Authenticator on your second mobile phone
2. Log into https://mysignins.microsoft.com/security-info from your desktop/laptop computer
3. Add a new sign-in method and repeat the QR code scan process
   1. Be sure to scan the QR code with your SECOND DEVICE per the workflow outlined above
4. Verify the second device by approving a test notification

This ensures you can still access your account if your principal mobile phone is lost or damaged.

When SMS is enabled, notice that when trying to sign in with an Autheticator code you will find options in your Authenticator pop up that provide for authentication by other means. This way, if MFA does not authenticate, you can opt to receive a conventional SMS/text.

Microsoft Authenticator Backup is a simple way for you to securely safeguard your MFA credentials. You can save your MFA credentials using your personal Microsoft account, iCloud, or Google Drive. Microsoft Entra ID security portal centralizes authentication policies, so managing MFA is simple and robust.

Whether you are a Microsoft 365 user, IT admin, or someone who values account security, do make sure your Authenticator app is backed up. It is the best way to avoid lockouts and keep your digital life secure. You can check your Microsoft Authenticator App settings occasionally to check when your last backup was made.

Stress Test

Even with good backup practices, things can still go wrong. Read our guidance in this article to understand what happens if MFA credentials fail and you cannot access 365. We recommend you review this guidance to learn how to deal with an eventuality in situations where a Global Administrator’s MFA credentials fail. Usually, monitoring backups is adequate, but if you are responsible for a multi-user tenancy it is worth testing a scenario to understand how to respond if the worst happens.

For instance, much of the information that Microsoft would ask for to restore access is easily found in a Global Administrator’s 365 dashboard. If your Microsoft 365 dashboard is not accessible, though, how would you compile the information needed to help restore services?

About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including website design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.