How to Transition Users to Microsoft 365 Sign-In and Entra ID

Planning the Transition: Know Your Environment

Planning is decisive when you implement changes that affect daily IT habits. Before adopting Microsoft 365 sign-in, assess your current setup:

  • What types of licenses are in use? (Exchange Online, Business Basic, Standard, Premium, Enterprise)
  • Are users signing in with personal Microsoft accounts or local profiles?
  • Are devices running Windows 10/11 Pro or Enterprise?
  • Is Microsoft Intune available for device management?
  • Should this be a gradual change?

Understanding these factors will help you and your team understand what the onboarding process means for users. Microsoft 365 licenses support varying features. For instance, Business Premium and Enterprise licenses include Microsoft Intune services. Apart from 365 Business Premium, other Business 365 licenses do not, and this will have a bearing on how Single Sign-On (SSO) rules, policies, and device management work.

To review our first article for an overview: Why Switching to Microsoft 365 Sign-In Matters for Small Businesses


Step-by-Step: Onboarding Users to Microsoft 365 Sign-In

1. Communicate the Change Clearly

Start with a simple message to users like:

“We are moving to Microsoft 365 sign-in to improve security and simplify access to your work tools. This means that soon you will use your Microsoft 365 account to sign into your computer and Microsoft apps.”

Include:

  • Benefits (SSO, security, better data separation)
  • What to expect during the transition
  • Where to get help

2. Prepare Devices

Device configuration depends on whether the workstation is a new machine or an existing workstation.

For new devices:

For existing devices:

  • Backup important files.
  • Convert the device to Entra ID join via Settings > Accounts > Access work or school.
  • Remove personal Microsoft accounts from OneDrive and Office apps.
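After conversion, `dsregcmd /status` on the workstation reports whether the device is actually Entra joined or has only had a work account registered on it. The following is an added example, not part of the original article, that classifies that output for a batch of devices; the reports are constructed and abbreviated, and the function names are illustrative.

```python
import re

# "Name : value" lines as printed by `dsregcmd /status`.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")


def parse_status(text):
    """Collect the 'Name : value' fields from a dsregcmd /status report."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def classify(fields):
    """Map the join flags to the device state an admin cares about."""
    def yes(key):
        return fields.get(key, "NO").upper() == "YES"

    aad, domain, workplace = yes("AzureAdJoined"), yes("DomainJoined"), yes("WorkplaceJoined")
    if aad and domain:
        return "hybrid-joined"
    if aad:
        return "entra-joined"
    if domain:
        return "domain-joined-only"
    if workplace:
        # A work account was added, but the device itself was never joined.
        return "entra-registered"
    return "not-joined"


def sample(name, aad, domain, workplace):
    """Build a constructed, abbreviated report (real output has many more fields)."""
    return f"""
| Device State |
             AzureAdJoined : {aad}
          EnterpriseJoined : NO
              DomainJoined : {domain}
               Device Name : {name}
| User State |
           WorkplaceJoined : {workplace}
"""


# Constructed sample data: four workstations in different states.
CONSTRUCTED_REPORTS = [
    sample("WS-01", "YES", "NO", "NO"),
    sample("WS-02", "NO", "NO", "YES"),
    sample("WS-03", "YES", "YES", "NO"),
    sample("WS-04", "NO", "NO", "NO"),
]


def review(reports):
    """Return {device name: state} for devices that still need converting."""
    pending = {}
    for text in reports:
        fields = parse_status(text)
        state = classify(fields)
        if state not in ("entra-joined", "hybrid-joined"):
            pending[fields.get("Device Name", "(unknown)")] = state
    return pending


if __name__ == "__main__":
    for device, state in review(CONSTRUCTED_REPORTS).items():
        print(f"{device}: {state}")
```

A device that shows up as "entra-registered" has a work account attached but still starts with a personal or local profile, so it has not completed the conversion described above.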

3. Migrate Content

Users often store business files in personal OneDrive or local folders. So, vetting content is crucial to avoid data loss and confusion. It is labour intensive too, and perhaps explains why Microsoft 365 Sign-in is necessary. Help them:

  • Move files from personal OneDrive to OneDrive for Business.
  • Organize folders to separate personal and work content.
  • Use SharePoint for team-based storage when appropriate.

4. Enable Conditional Access and MFA

This stage depends on the license that governs your, or your user’s, Microsoft 365 account. The last step is available only where users have 365 Business Premium or 365 Enterprise licenses, which include Microsoft Intune. Set up policies in Microsoft Entra Admin Center to:

  • Require MFA for cloud access.
  • Block access from unmanaged or risky devices.
  • Enforce sign-in only from Entra-joined devices (if Intune is available)
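Once policies exist, it is worth checking that they really enforce these goals rather than only appearing to. The following is an added example, not part of the original article, that reviews policies exported as JSON offline; field names follow the Microsoft Graph conditionalAccessPolicy resource, while the sample policies, placeholder IDs and function names are constructed for illustration.

```python
# Added example: offline review of Conditional Access policies exported as JSON.
# SAMPLE_POLICIES is constructed data, not taken from a real tenant.

REPORT_ONLY = "enabledForReportingButNotEnforced"

# Goals from the checklist above, mapped to built-in grant controls.
# "domainJoinedDevice" is the control for hybrid-joined devices.
GOALS = {
    "require_mfa": {"mfa"},
    "require_managed_device": {"compliantDevice", "domainJoinedDevice"},
}


def make_policy(name, state, controls, operator="OR", users=("All",), exclude=()):
    """Build a policy dict in the Graph shape (helper for the sample data)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(users), "excludeUsers": list(exclude)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls)},
    }


SAMPLE_POLICIES = [
    make_policy("Require MFA for all users", "enabled", ["mfa"],
                exclude=["<excluded-account-id>"]),
    make_policy("Require compliant device (pilot)", REPORT_ONLY, ["compliantDevice"]),
    make_policy("MFA or compliant device", "enabled", ["mfa", "compliantDevice"]),
    make_policy("MFA for finance team", "enabled", ["mfa"], users=["<finance-user-id>"]),
]


def guarantees(policy, wanted):
    """True if every way of satisfying the policy includes a control in `wanted`."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if not controls:
        return False
    if grant.get("operator") == "AND":
        return any(c in wanted for c in controls)
    # Operator OR: the user may pick any one control, so all must qualify.
    return all(c in wanted for c in controls)


def applies_to_everyone(policy):
    """True if the policy targets all users and all cloud apps."""
    cond = policy.get("conditions") or {}
    users = (cond.get("users") or {}).get("includeUsers") or []
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    return "All" in users and "All" in apps


def audit(policies):
    """Return (report, gaps, notes) for the goals in GOALS."""
    report = {goal: {"enforced": [], "report_only": []} for goal in GOALS}
    notes = []
    for policy in policies:
        name = policy.get("displayName", "(unnamed)")
        state = policy.get("state")
        if state not in ("enabled", REPORT_ONLY):
            continue  # disabled policies protect nothing
        if not applies_to_everyone(policy):
            notes.append(f"{name}: scoped to a subset of users or apps")
            continue
        matched = [g for g, wanted in GOALS.items() if guarantees(policy, wanted)]
        if not matched:
            notes.append(f"{name}: does not guarantee MFA or a managed device")
        bucket = "enforced" if state == "enabled" else "report_only"
        for goal in matched:
            report[goal][bucket].append(name)
        excluded = policy["conditions"]["users"].get("excludeUsers") or []
        if excluded:
            notes.append(f"{name}: {len(excluded)} excluded user(s) to review")
    gaps = [goal for goal in GOALS if not report[goal]["enforced"]]
    return report, gaps, notes


if __name__ == "__main__":
    report, gaps, notes = audit(SAMPLE_POLICIES)
    print("Goals with no enforced tenant-wide policy:", gaps)
    for note in notes:
        print("Note:", note)
```

In the sample data the device requirement is still a gap: one policy is report-only, and the "MFA or compliant device" policy lets a user satisfy it with MFA alone from an unmanaged device.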

5. Train and Support Users

Offer short guides or walkthroughs:

  • How to sign in with Microsoft 365 credentials
  • How to access OneDrive for Business
  • What to do if they’re locked out or need help

Power users are a terrific way to demonstrate and educate. Also, consider organizing a short Q&A session or creating a helpdesk channel in Teams as another way to build confidence in this upgrade.

Common Challenges and How to Solve Them

Adopting Microsoft 365 sign-in across your team is likely to introduce some resistance. In our experience these are common friction points:

| Challenge | Solution |
| --- | --- |
| Users fear losing files | Review existing folder/file methodology and support a plan for backup and migration |
| Confusion between personal and work accounts | Educate on OneDrive for Business vs personal OneDrive |
| Resistance to change | Emphasize security and ease of use |
| Devices not eligible for Entra ID join | Upgrade to Windows Pro or use hybrid join |

 

Why Resistance Happens—and How to Address It

Changing user behaviour is never easy. We are comfortable with our habits, and we tend to resist changing them because it means expending effort. Common concerns when switching to Microsoft 365 Sign-in include:

  • “Will I lose my files?”
  • “Do I need to reset my computer?”
  • “Why can’t I keep using my personal account?”

To ease a transition of this kind across an organization, it helps to:

  • On-board select power users first
  • Communicate the benefits clearly
  • Offer support for content migration with experience gained by power users
  • Provide training or walkthroughs

Admin Tips for a Smooth Rollout

  • Start with a pilot group (e.g., IT or field engineers)
    • Include IT support and select power users to front-run adoption
  • Use Microsoft 365 Business Premium for full device management via Intune
  • Monitor sign-in activity and device compliance in the Entra Admin Center
  • Document the process for future onboarding

Summary

Transitioning users to Microsoft 365 sign-in and Entra ID is a strategic move that improves security, simplifies access, and clarifies data ownership. While it requires planning and support, the long-term benefits outweigh the initial effort. With Microsoft 365 Sign-In, you can elevate compliance standards to more closely align with Enterprise standards.

For small businesses with mixed licenses, this change ensures that every user is part of a secure, unified environment—whether they’re using Exchange Online, Business Basic, Standard, or Premium. Lastly, Microsoft 365 Sign-in automatically takes care of significant compliance issues which are often beyond the budget of small businesses.

To review our first article for an overview: Why Switching to Microsoft 365 Sign-In Matters for Small Businesses

About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including website design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.

Why Switching to Microsoft 365 Sign-In Matters for Small Businesses

Introduction: Microsoft 365 Sign-In

Small business users still sign into their Windows devices using personal Microsoft accounts or “local” Windows user profiles. This may seem convenient, but it creates confusion between personal and business data, especially when using tools like OneDrive. Using Microsoft 365 Sign-in allows users to separate personal and business content by signing into Microsoft 365 at Windows startup.

What’s the problem?

Field engineers have long known that 365 users store business files on personal OneDrive or local drives, making it hard for business owners to enforce data governance. This blurred line between personal and professional content can lead to:

  • Data loss or leakage
  • GDPR compliance issues
  • Difficulty in managing business data on user devices remotely

Microsoft 365 sign-in bypasses Microsoft personal accounts

Now, logging directly into your Microsoft 365 account at Windows startup dedicates Windows directly to your Microsoft 365 services and content. Meanwhile, you can still operate your personal content by logging into your existing Windows “personal” profile as you need to.

Article focus and goal

This is the first of two articles for business principals, global admins, and team leads. In this article, we explain the risks of current habits, and the benefits of using Microsoft 365 sign-in in the workplace.

Click this link to read the second article in this series: How to Transition Users to Microsoft 365 Sign-in and Entra ID


What Is Microsoft 365 Sign-In?

Microsoft 365 sign-in means using your work account (e.g., name@company.com) to log into Windows and Microsoft apps. When a device is joined to Microsoft Entra ID (formerly Azure AD), users authenticate with their business credentials at startup. This means that the Windows desktop is governed by your Microsoft 365 services, not your Microsoft personal account. For instance, when you use Microsoft 365 Sign-in to start your workstation, the desktop you log into is a work desktop which is controlled by Microsoft 365.

With Microsoft 365 sign-in you can:

  • Use Single Sign-On (SSO) to Outlook, Teams, SharePoint, and OneDrive
  • Operate improved security through Conditional Access and MFA
  • Enable centralized device visibility for administrators

Basic Microsoft 365 Sign-in features are included in all Business 365 licenses. Business 365 Premium and Enterprise 365 licenses include enhanced features that enable advanced device management and other configuration options.

Benefits for Business Owners and Admins

Adopting Microsoft 365 sign-in across your user base offers clear advantages:

1. Security – Microsoft 365 sign-in:

  • enforces password policies and MFA
  • reduces risk of unauthorized access
  • supports admin-level remote wipe of business data

2. Productivity – Microsoft 365 sign-in:

  • enables seamless access to Microsoft 365 apps
  • means fewer login prompts
  • permits better collaboration through shared resources

3. Data clarity – Microsoft 365 sign-in:

  • Separates personal and business content
  • Ensures files are stored in the correct OneDrive for Business location
  • Simplifies compliance and auditing

When Is the Best Time to Switch?

The ideal time to move a user to Microsoft 365 Sign-in is when new workstations are deployed, during new device setup, where Entra ID join can be enforced from the start. For all users, 365 licenses need to be reviewed to understand what levels of conditional access and policies will be operative in a user’s new environment. For existing devices, a planned onboarding process is needed to:

  • Compare existing file stores and prepare for migration
  • Reconfigure sign-in settings
  • Educate users on the new workflow

Successful planning is decisive. Our experience is that a gradual or organic adoption is the best way to keep disruption to a minimum.

Summary and Next Steps

Adopting Microsoft 365 sign-in is more than a technical upgrade — it is a strategic move toward better security, productivity, and data management. For small businesses with mixed licenses like Exchange Online, Business Basic, Standard, and Premium, this shift ensures that every user is part of a unified, secure ecosystem.

Click this link to read the second article in this series: How to Transition Users to Microsoft 365 Sign-in and Entra ID


How to Set Up Microsoft Authenticator MFA for 365

Introduction: Why MFA Setup in Entra Matters

Multi-Factor Authentication (MFA) is the principal sign-in method for Microsoft 365 accounts. Microsoft Authenticator MFA for 365 setup establishes a vital layer of protection by requiring you to verify your identity using more than just a password. Your Microsoft 365 tenancy manages MFA from its Entra portal, not your Microsoft 365 admin dashboard.

This guide helps you understand how Microsoft Authenticator MFA for 365 setup works, including:

  • Logging into Microsoft Entra with your 365 credentials to configure Microsoft Authenticator.
  • Enabling SMS authentication (if your tenancy is configured to allow this).
  • Adding a second device for secondary/failover access

Our associated article discusses how to back up your MFA credentials. For support notes about restoring services to Microsoft 365 when your MFA credentials are lost, read this article.

Please read through this entire article before starting the procedure. Be sure to contact us for general advice if you are in doubt. Support options are available for professional assistance.

What Is Microsoft Entra and Why Use It for MFA?

MFA procedures are consistent with an industry move towards passwordless sign-ins. Consumer-level password protection in Gmail, Yahoo, and other platforms is convenient, but password protection alone is inadequate for meeting GDPR Compliance standards in commerce. Even consumer platforms like Gmail now encourage passwordless sign-in. MFA helps to:

  • Ensure your 365 account remains accessible
  • Build GDPR-compliant practices
  • Reduce the risk of malicious infiltration and identity theft

Microsoft Entra centralizes your security settings, including MFA, passwordless login, and device authentication. If you are a Microsoft 365 user, you or your organization are already using Entra within your tenancy. So, you are not required to subscribe to Entra as an additional service for Microsoft Authenticator MFA for 365 setup.

Benefits of Using Entra for MFA

  • Centralized control over authentication methods
  • Enhanced security with multiple verification options
  • Flexibility to add or remove devices securely
  • Compatibility with SMS, app-based, and hardware token methods

Moving towards passwordless sign-in

The IT industry as a whole recognizes that password protection alone is flawed. So, MFA is increasingly adopted as industry players introduce secure passwordless security. This means that MFA, and similar technologies like 2FA, are here to stay. We can argue that you should adopt MFA to comply with GDPR. Instead, the bigger issue is the risk of catastrophic damage to your online identity and data. This way, the fact that MFA is “compliant” is incidental.

This is why MFA is the default sign-in method for Microsoft 365, so you and other users in your 365 tenancy must configure at least one secure MFA method. This is most conveniently accomplished with the Microsoft Authenticator app. SMS authentication is optional and we recommend that you use it as a secondary option for sign-in, especially if your tenancy supports SMS authentication. In situations where we have configured 365 MFA for you, or you retain us to support your Microsoft 365 tenancy, we usually configure support for SMS by default.

Step-by-Step: How to Set Up Microsoft Authenticator in Entra

Preparation – what you need

MFA pairs your phone with your 365 account. So, you will need your mobile phone. Also, before you begin, check that your Microsoft 365 tenancy supports SMS authentication for end users and that you have access to your usual laptop or desktop computer. If you are not Global Administrator, you can check with your IT manager.

Allow for some flexibility in this workflow. For instance, it is worth downloading Microsoft Authenticator App from either Apple App Store (iOS) or Google Play Store (Android) before you start, to check that your phone is capable of downloading it. If your mobile phone is outdated or unsupported, Microsoft Authenticator App will not be available to you in your store. If so, consider upgrading your device or using SMS authentication.

 Workflow to Set Up MFA with Microsoft Authenticator for 365

  1. Log into Entra Security Info Portal with your laptop/desktop computer:
    1. Visit https://mysignins.microsoft.com/security-info
    2. Sign in using your Microsoft 365 credentials.
  2. Add Microsoft Authenticator:
    1. Click + Add sign-in method
    2. Choose Authenticator App
    3. Follow the prompts to install the app on your mobile device
    4. When you reach a screen showing a QR code, set your computer aside with the QR code displaying on screen
  3. Configure your mobile phone:
    1. On your mobile device, go to the App Store (iOS) or Google Play (Android).
    2. Search for Microsoft Authenticator and install it.
    3. With Microsoft Authenticator App open:
      1. Click + (i.e. add account) at top right or left of your screen
      2. Click open the option to scan QR code
      3. Allow permissions for your app to use your camera
      4. Scan the QR code showing on your computer screen with your phone
      5. Go back to your computer and click Next

Remember to click Next (below the QR code) on your computer after you have scanned the QR code with your phone.

Once you have successfully scanned the QR code with your phone and clicked <Next> on your computer’s security center page (below the QR code), the process is complete. There are two more steps for you to take:

  1. Test your configuration:
    1. Entra will send you an MFA input code to test the setup as soon as the server detects the successful QR scan. The procedure operates in the same way as SMS verification, but using Microsoft Authenticator App. The graphic at the top of this article demonstrates what you can expect to see. Having gone to so much trouble to get this far, allow yourself the thrill of seeing this work – it is actually pretty cool!
  2. Review Microsoft Authenticator App settings, and also your mobile phone settings if necessary to choose personal preferences. For instance:
    1. You may want verification to include the added security of validating your fingerprint or retina.
    2. In some instances, your phone might ask you to sign into your phone before you can access Authenticator. Some people prefer this. Others prefer to bypass their phone sign-in screen so that they can respond to their MFA codes faster. This is a matter for personal preference.
    3. Lastly, you should enable backups and accept periodic updates.

Additional authentication methods using Microsoft Authenticator MFA for 365

The steps above are needed to minimally configure Microsoft Authenticator MFA setup. Read the next section to learn how to add optional authentication using SMS for redundancy.

Also, you can configure Microsoft Authenticator MFA for 365 with a second mobile phone. This is useful in situations where an email account is shared between two geographically separate offices. Also, setting up Microsoft Authenticator MFA for 365 on an extra phone might be useful in situations where the first phone is at risk of loss or damage.

Create another Global Administrator account

Another way to protect access to your tenancy is to create another Global Administrator. You do not need to have a Microsoft 365 license to add a Global Administrator, and in large organizations the principal Global Administrator does not even use an email account – that way sensitive server-side functions can be handled without the usual risks associated with an email-enabled user. There are some considerations that need addressing to elevate privileges to enable some security functions that are normally reserved for the tenancy owner. We can help configure a secondary Global Administrator.

MFA - What To Do If You Change Your Phone

The easiest way to configure a new mobile phone is to set up Microsoft Authenticator on your new phone while the old one is still working. With both phones available:

  • Log into your security info page with your laptop/desktop
  • Click + Add sign-in method
  • Choose Authenticator App
  • Generate a QR code and set the computer aside for the time being

On your NEW phone:

  • Install Authenticator and select Work or School account.
  • Scan the QR code shown on your computer.
  • Approve the authentication request on your new device.
  • Remove the old device from the Security Info page.

Enable SMS Authentication (Optional but Recommended)

If your organization allows SMS as an MFA method:

  1. In the Security Info portal, click + Add sign-in method
  2. Select “Phone”
  3. Enter your mobile number and choose Text me a code
  4. Enter the verification code received via SMS when your mobile phone receives it

SMS is considered less secure than app-based authentication. So, by default, Microsoft Authenticator app will use MFA using either available WiFi or mobile phone signal to authenticate your Microsoft 365 sign-ins. SMS is a valuable backup method—especially if your primary device is unavailable.

Add a Second Device for Secondary Access

Sometimes, it helps to include a second mobile device to authenticate your Microsoft 365 sign-in. This might be necessary where authentication is needed from two geographically separate locations. In this situation, the same mobile phone cannot be at each location simultaneously. Also, a second phone might help avoid lockouts. This is optional, and not usually necessary. However, if you need to include a second device for authenticating, you can configure Microsoft Authenticator MFA for 365 with this additional step:

  1. Install Microsoft Authenticator on your second mobile phone
  2. Log into https://mysignins.microsoft.com/security-info from your desktop/laptop computer
  3. Add a new sign-in method and repeat the QR code scan process
    1. Be sure to scan the QR code with your SECOND DEVICE per the workflow outlined above
  4. Verify the second device by approving a test notification

This ensures you can still access your account if your principal mobile phone is lost or damaged.

When SMS is enabled, notice that when trying to sign in with an Authenticator code you will find options in your Authenticator pop-up that provide for authentication by other means. This way, if MFA does not authenticate, you can opt to receive a conventional SMS/text.

Summary and Next Steps

Setting up and managing Microsoft Authenticator MFA for 365 helps to secure access to your Microsoft 365 account. If your organization has documentation for compliance, you should update it with your procedures so that you have a stated policy governing sign-ins.

Next step – backup your MFA credentials

For added security, you can back up your Microsoft Authenticator App sign-in accounts. Even if your mobile phone is configured to back up your data, MFA credentials are excluded from Android/iOS backups unless provisioned in Microsoft Authenticator App.

Read this article to learn how to back up your Microsoft Authenticator settings and avoid losing access. Remember, MFA is now a user-level utility and admins/global admins cannot intervene on a user’s behalf. So, it is important to be sure that organizational users have MFA credential backups to ensure rapid restoration of services if they lose or damage their mobile phones.

Also, consider a stress test to learn what you need to be able to demonstrate to Microsoft if your Global Administrator loses MFA credentials. Read this article to learn about force majeure MFA recovery.


How to Back Up MFA Credentials with Microsoft Authenticator Backup

Introduction: Why Microsoft Authenticator Backup is Essential

Multi-Factor Authentication (MFA) is a critical security layer for Microsoft 365 and other cloud services. If your mobile device is lost, stolen, or replaced, you risk losing access to your accounts unless your MFA credentials are backed up. Microsoft Authenticator backup enables you to restore your MFA settings to a new device.

Where does Microsoft Authenticator backup my credentials?

MFA backups are not saved in Microsoft 365 accounts. This is because:

  1. Microsoft Authenticator can store credentials for your personal sign-ins too.
  2. If you are locked out of Microsoft 365, you cannot recover the credentials to restore them. 

If you have a personal Microsoft account, you are already equipped to make Microsoft Authenticator backups. You can configure Microsoft Authenticator to back up to iCloud and Google Drive too. If you are blocked from your iCloud/Google/Microsoft account (i.e. you have lost your password), there is still a partial workaround – see guidance under “alternative method” header. This requires you to have your existing device handy.

Please read through this entire article before starting the procedure. Be sure to contact us for general advice if you are in doubt. Support options are available for professional assistance.

Microsoft Authenticator MFA Backup Features

Your MFA credentials are always excluded from your device’s usual iOS or Android backup procedures. So, Microsoft Authenticator MFA backup has to be enabled and scheduled using your Microsoft Authenticator App. This way, your MFA keys can be protected with enhanced security. When you configure Microsoft Authenticator MFA Backup, your app will also include MFA accounts for other services that you rely on for OTP (One Time Passcode) or TOTP (Time-based OTP).

Microsoft Authenticator Backup features

Microsoft Authenticator Backup procedures are easy to schedule. You only need to be able to provide Microsoft Authenticator with your credentials when you configure backups for either a Microsoft personal account, iCloud account, or Google Drive account. Features include:

  • You can connect to a Microsoft personal account, iCloud, and Google Drive.
  • iCloud and iCloud Keychain can handle backups automatically.
  • Work and school accounts are supported.
  • No admin action is required for organizations.
  • Third-party TOTP credentials (like Google, Amazon, etc.) are included.

How Microsoft Entra Portal Supports MFA Management

Microsoft Entra ID (formerly Azure AD) uses a unified Authentication Methods Policy. This service is included in Microsoft 365 and it streamlines MFA setup and backup across all user types. Remember, Microsoft Authenticator MFA is a user-level process. This means that Global Administrators cannot configure MFA for you. Entra ID facilitates:

  • Centralized control of MFA, SSPR, and passwordless options.
  • Granular policy settings for different user groups.
  • Future-proof integration with Microsoft’s evolving identity tools.
  • Easier onboarding and recovery for users.

Step-by-Step: How To Configure Microsoft Authenticator MFA Backup

Configure Microsoft Authenticator Backup with a Microsoft Personal Account

  • Open Microsoft Authenticator App on your mobile device.
  • Click open the Hamburger icon (usually top right of your App’s screen).
  • Click open Settings from the drop down list.
  • Input your Microsoft (personal) account credentials.
  • Review preferences and save settings.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials using a new iOS or Android device, install Microsoft Authenticator, open the app, and sign into your personal Microsoft account. You will be prompted to restore accounts from backup. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Configure Microsoft Authenticator Backup: iOS/iCloud Backup

  • iOS 16 or later is required – check your device first.
  • Enable iCloud and iCloud Keychain in your mobile device’s settings.
  • Open Microsoft Authenticator.
  • Go to Settings > iCloud Backup in the Authenticator app and enable backup.
    • This will back up your account names and TOTP (Time-based One-Time Password) credentials to iCloud.
  • To verify that backup is enabled:
    • Open Authenticator > Settings > iCloud Backup.
    • Confirm that the status shows “Backup is on”.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials with a new iOS device, install Microsoft Authenticator and sign in to iCloud in App settings. Your Microsoft Authenticator accounts will be restored automatically. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Configure Microsoft Authenticator Backup: Android/Google Drive Backup

  • Open Microsoft Authenticator.
  • Tap the three-dot menu > Settings.
  • Enable Cloud Backup.
  • Sign in to Google Drive when prompted.
  • Go to Settings > Cloud Backup in the Authenticator app and enable backup.
    • This will back up your account names and TOTP (Time-based One-Time Password) credentials to iCloud.

You should review app settings periodically in future to check when your credentials were last backed up.

To recover your credentials to a new Android device, install Microsoft Authenticator and sign in to your Google Account in App settings. Your Microsoft Authenticator accounts will be restored automatically. Once restored, you may need to re-verify some accounts, depending on 365 organizational policies/rules.

Alternative Method: No Microsoft, iCloud, or Google account?

If you do not use iCloud or Google Drive, or you are blocked by Microsoft account prompts, follow this manual method:

  1. On your old device, go to Microsoft MFA Setup.
  2. Authenticate and access the Security Info page
  3. Click Add sign-in method > Microsoft Authenticator
  4. On your new phone, install Authenticator and select Work or School account.
  5. Scan the QR code shown on your computer.
  6. Approve the authentication request on your new device.
  7. Remove the old device from the Security Info page.

This method works for users who only use work accounts and want to avoid linking personal Microsoft accounts. However, it is not as robust as the settings detailed above and should be considered as an option of last resort. For instance, this option might only be in contemplation if you had already lost your old device, which you need for this workflow. Instead, use one of the options above.

Enable SMS Authentication (Optional but Recommended)

If your organization allows SMS as an MFA method:

  1. In the Security Info portal, click + Add sign-in method
  2. Select “Phone”
  3. Enter your mobile number and choose Text me a code
  4. Enter the verification code received via SMS when your mobile phone receives it

SMS is considered less secure than app-based authentication. So, by default, Microsoft Authenticator app will use MFA using either available WiFi or mobile phone signal to authenticate your Microsoft 365 sign-ins. SMS is a valuable backup method—especially if your primary device is unavailable.

Add a Second Device for Secondary Access

Sometimes, it helps to include a second mobile device to authenticate your Microsoft 365 sign-in. This might be necessary where authentication is necessary from two geographically separate locations. In this situation, the same mobile phone cannot be at the each location simultaneously. Also, a second phone might help avoid lockouts. This is optional, and not usually necessary However, if you need to include a second device for authenticating you can configure
Microsoft Authenticator MFA for 365 with this additional step:

  1. Install Microsoft Authenticator on your second mobile phone
  2. Log into https://mysignins.microsoft.com/security-info from your desktop/laptop computer
  3. Add a new sign-in method and repeat the QR code scan process
    1. Be sure to scan the QR code with your SECOND DEVICE per the workflow outlined above
  4. Verify the second device by approving a test notification

This ensures you can still access your account if your principal mobile phone is lost or damaged.

When SMS is enabled, notice that when you try to sign in with an Authenticator code, the Authenticator pop-up offers options for authenticating by other means. This way, if MFA does not authenticate, you can opt to receive a conventional SMS/text.

Summary and Next Steps

Microsoft Authenticator Backup is a simple way for you to securely safeguard your MFA credentials. You can save your MFA credentials using your personal Microsoft account, iCloud, or Google Drive. The Microsoft Entra ID security portal centralizes authentication policies, so managing MFA is simple and robust.

Whether you are a Microsoft 365 user, IT admin, or someone who values account security, do make sure your Authenticator app is backed up. It is the best way to avoid lockouts and keep your digital life secure. You can check your Microsoft Authenticator app settings occasionally to see when your last backup was made.

Stress Test

Even with good backup practices, things can still go wrong. Read our guidance in this article to understand what happens if MFA credentials fail and you cannot access 365. We recommend you review this guidance to learn how to deal with a situation where a Global Administrator’s MFA credentials fail. Usually, monitoring backups is adequate, but if you are responsible for a multi-user tenancy it is worth testing a scenario to understand how to respond if the worst happens.

For instance, much of the information that Microsoft would ask for to restore access is easily found in a Global Administrator’s 365 dashboard. If your Microsoft 365 dashboard is not accessible, though, how would you compile the information needed to help restore services?

About ComStat.uk: Internet Service Provider Comstat provides IT support, web hosting, and media services including website design, Microsoft 365 setup, and audio/video production, serving businesses across Denbighshire, North Wales and Wirral from Ruthin, and Lancashire and the Northwest from Bolton.

Locked Out of Your Microsoft 365 Account? Here’s What to Do When MFA Recovery Fails

Introduction: Contacting Microsoft for Account Recovery

Despite best practices like setting up Microsoft Authenticator, enabling SMS fallback, configuring secondary devices, and using physical backup options – nothing is bulletproof and you could still find yourself locked out of your Microsoft 365 account. Emergency MFA recovery via Microsoft typically happens when:

  • Your mobile device used for MFA is lost or damaged beyond repair.
  • No backup or secondary authentication method is available.
  • Recovery codes were never generated or stored securely.
  • There is no other Global Administrator for your tenancy to turn to for help.

If this happens to a member of staff, a Global Administrator can usually restore services. What do you do if YOU are the Global Administrator, though? When this happens, contacting Microsoft is the last resort. Be prepared: the process is strict, time-consuming, and necessarily designed to protect your data. This article explains how to prepare for Microsoft intervention. You can avoid this difficult prospect by following our guidelines in this article:

Also, read about enabling secondary devices to reduce the risk of MFA recovery problems in this article:

Click open the headers below to learn about MFA Recovery if you cannot access your Microsoft 365 tenancy. Please read through this entire article before you engage Microsoft for restoration of service. Be sure to contact us for general advice if you are in doubt. Support options are available for professional assistance.

What Microsoft Needs to Verify Your Identity

To recover your account if it is blocked, Microsoft must validate that you are the rightful owner of the tenancy. MFA Recovery involves:

  • Filling out Microsoft’s online questionnaire at:
  • Providing a working email address:
    • This is where Microsoft will send updates about your recovery request.
  • Answering detailed questions about your account usage, including:
    • Services used (365 licenses types and quantities)
    • Previous passwords
    • Billing information
    • Devices and locations used to access the account

Verification is not easy – document and prepare a procedure

Microsoft’s online recovery form will detail more fully what you need to complete the document. Microsoft can take 24 hours or as long as several days or weeks to validate your identity. This is because of the catastrophic risk that you both face if Microsoft mistakenly provides MFA recovery credentials to a malicious party. So, Microsoft has no choice. ID verification is going to be laborious.

Therefore, even for legitimate tenancy owners, verification can be problematic. Larger organizations maintain thorough documentation to comply with GDPR, and occasionally they run stress tests to evaluate preparedness for this kind of eventuality. If you maintain thorough documentation, verification will be easier to accomplish. If your GDPR compliance practices are well prepared, you may already have documented procedures.
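
One way to gather, ahead of time, the tenancy details the recovery form asks about, as an added example that is not part of the original article or any Microsoft-supplied tooling. It assumes the Microsoft Graph PowerShell module is installed and that a working Global Administrator runs it; the `$OutDir` path and the CSV file names are placeholders.

```powershell
# Added example: snapshot licence quantities and Global Administrator MFA coverage
# while sign-in still works. Requires the Microsoft.Graph PowerShell module.
param([string]$OutDir = ".\m365-recovery-snapshot")   # placeholder output folder

Connect-MgGraph -Scopes "Directory.Read.All","UserAuthenticationMethod.Read.All"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Licence types and quantities ("Services used" on the recovery form).
Get-MgSubscribedSku -All |
    Select-Object SkuPartNumber, ConsumedUnits,
        @{ Name = 'PurchasedUnits'; Expression = { $_.PrepaidUnits.Enabled } } |
    Export-Csv (Join-Path $OutDir "licences.csv") -NoTypeInformation

# 2. Global Administrators and the sign-in methods each one has registered.
#    This lists active role members only; PIM-eligible assignments are not included.
$role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$admins = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Role members can also be groups or service principals; keep users only.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id |
        ForEach-Object {
            $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.' -replace 'AuthenticationMethod$'
        } |
        # A password is not a second factor; email is used for password reset only.
        Where-Object { $_ -notin 'password', 'email' }
    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        MfaMethodCount    = @($methods).Count   # two Authenticator phones count as two
        MfaMethods        = ($methods -join ';')
    }
}
$admins | Export-Csv (Join-Path $OutDir "global-admins.csv") -NoTypeInformation

# 3. Flag the lockout conditions this article lists.
if (@($admins).Count -lt 2) {
    Write-Warning "Only one Global Administrator: nobody else can reset MFA for this account."
}
$admins | Where-Object MfaMethodCount -lt 2 | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) has fewer than two MFA methods registered."
}
```

Keep the output somewhere that does not depend on signing in to the tenancy, since OneDrive and SharePoint would be unreachable during a lockout.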

Step-by-Step: MFA Recovery Workflow

Recovering access to your tenancy is not easily accomplished. This is because you are asking Microsoft for access not just to your tenancy, but to Global Administrator privileges. Giving MFA Recovery credentials to the wrong entity could have catastrophic consequences for your business. Therefore, Microsoft have to be sure that you are the legitimate Microsoft 365 tenancy owner.

 

How to apply for MFA Recovery/restoration of access

  1. Try the Sign-In-Helper to try all alternative sign-in options.
    1. Microsoft Account Recovery Code
  2. Prepare your information:
    1. Use a computer and location previously associated with your account:
      1. This helps Microsoft match geography and known hardware from past connections.
    2. Gather as much detail as possible about your account history.
  3. Complete Microsoft’s online recovery form:
    1. Submit the form via the Account Recovery Portal
    2. Expect a preliminary response within 24 hours.
  4. If recovery fails:
    1. You may retry twice per day
      1. Review unsuccessful recovery guidance

How Long Does Successful MFA Recovery Take?

  • Initial response: Within 24 hours.
  • Full recovery can take several days depending on the accuracy of your information and the complexity of your account.
  • Retry limit: Up to 2 attempts per day.

Summary - Prevention Is Better Than Cure

Microsoft’s MFA recovery process is intentionally rigorous. Microsoft enforces strict verification to protect sensitive data and prevent unauthorized access. Tenancy owners are strongly encouraged to:

If you have followed the guidance in Comstat’s setup and backup articles, this situation should be avoidable. Hopefully you are here to prepare a test-run for a GDPR Compliance stress test. If you are here because your credentials have failed, Microsoft’s MFA recovery form is your best hope.
