Fixing Microsoft Authenticator Issues When Transferring to a New iPhone
Let’s say you treat yourself to a new iPhone. In this common scenario, Apple promises a smooth data transfer. Just place the devices next to each other...
Apple is learning. Almost everything works. In the past, I had problems with WhatsApp where I had to make a separate backup from the app and then import this data onto the new iPhone. Now, you can forget about clunky steps like that. Even the Signal app, whose big feature is security, has adapted perfectly to the general move from the old iPhone to the new: Place the phones next to each other and all encrypted Signal data is transferred from the old one to the new one.
However, my MVP colleague Raphael Köllner whispered to me that the iPhone data transfer process has problems with the Microsoft Authenticator. Sure enough, during a recent iPhone upgrade, I found that it does move the accounts from the old iPhone to the new one, but I also saw a lot of warnings in Microsoft Authenticator after the move. How do you solve new iPhone authenticator issues? I'll cover that in this article.
IT consultants typically have many clients, so this is the kind of problem that can multiply your workload if you don’t know how to quickly solve it. And since we are just past Black Friday and Christmas is around the corner, some of you will certainly be coming across this problem. Read on to find the solution.
Note: Some of the images in this article are shown in German. For those of you who don’t read German, reading the captions should keep you up to speed.
MFA Is Great...Until You Switch Devices
Here is a simplified model of what happens during multifactor authentication (MFA):
I log into my tenant in the browser (1). Both the username and the password are transmitted (2). The requirements stored by the administrators are read out (3) and displayed. Various options are possible: for example, a code must be read from another device (5) and entered in an input field on the device (1), or a number is displayed on device (1) and must be entered in the authenticator on device (4). This information then flows back to the browser, which grants access (5 to 8). There is lots of technical literature about MFA on the Internet, but nothing about what to do when you suddenly need to move that authentication handshake from one device to another.
Fortunately, in the case I describe here, we’re not dealing with a stolen or broken phone, so we can deactivate our old phone from the Microsoft account and add the new phone in its place.
The Solution
To complete the steps below, you will need:
- The old iPhone, which I’ll call iPhone OLD.
- The new iPhone, which I’ll call iPhone NEW.
- A Windows device with a browser that can use private mode (Edge, Chrome).
- An internet connection.
- Time: Take enough time, and the whole thing is no problem.
-1- Log into the browser
On the Windows device, open the browser and switch to private mode. Edge and Chrome retain credentials across multiple open tabs, even in private mode, but a new private session is not logged in anywhere at first. Navigate to https://www.office.com/. Select Log in and then enter the login email that appears in the Microsoft Authenticator warnings, as shown in the figure above under (1).
After selecting Next, enter the password, as you would expect. However, as this account is subject to the MFA rules of the target tenant, another message appears in the browser, asking you to confirm your login by verifying a two-digit number.
Leave the box checked beside Do not ask again for the next 90 days if it is displayed.
-2- MFA: Verify by entering a number.
Your iPhone OLD should have already registered the verification request and sent a notification. If not, start the Microsoft Authenticator app.
Now enter the number that appeared in the browser on your Windows device and select Yes.
-3- Call up the Security Info page
Back on the Windows device, open a new tab and enter the dynamic link https://aka.ms/mfasetup or https://mysignins.microsoft.com/security-info. It will take a moment before the various authentication options appear under My Sign-Ins in the Security Info tab (1).
The Microsoft Authenticator (2) row is important, where the iPhone OLD appears, in my example with the name "iPhone von Mr.OneDrive" (3). Of course, the name is not the important thing, but rather the token that is stored with it. The page of this tenant does not recognize my iPhone NEW. Time to change that.
-4- Add new sign-in method.
Select the + sign for Add sign-in Method (4) and then select the same method that was stored on the iPhone OLD (2), i.e. Authenticator app.
Note that if you use a lot of sign-in methods, adding another one may result in an error message.
Microsoft accounts cannot store more than five sign-in methods. This happened to me in a Citrix test environment.
In that case, I had to delete my iPhone OLD first. However, in the real world, you shouldn’t run into this problem very often.
After selecting the Microsoft Authenticator sign-in type, it's time to go to the iPhone NEW and navigate to the same message that is displayed in the warnings.
-5- Windows device: Assign QR code.
Still working in your Windows browser, you can skip the optional download; with Apple’s automatic migration, you already have Microsoft Authenticator on your new iPhone.
The initial message Set up your account appears. Select Next.
The QR Code appears after selecting Next.
On your iPhone NEW, select the Microsoft Authenticator message where your intervention is required, which will bring up your QR code scanner.
Now scan the QR code from the browser of the Windows device.
-6- If You Receive an Error message.
The process of scanning the QR code can fail in one of two ways. First, if push notifications aren’t activated, you won’t receive a notification, so you can’t get to the scanning screen. However, if push notifications were activated on the iPhone OLD, that setting will be transferred to the new one. Either way, make sure push notifications are activated on the new iPhone. Second, if you take too long scanning the QR code, the process will time out. In that case, close Microsoft Authenticator and restart it.
-7- Testing the Authenticator.
The option to test this connection now appears in your Windows device browser.
The browser on the Windows device shows the first of two messages. Note the number and then enter it on your iPhone NEW, after which you should see the success message.
The new device is then displayed in the browser of the Windows device. Note that you will have to refresh the browser to see this.
In the authenticator on the new iPhone, it now looks like this:
There is no longer a warning, and this account has been successfully switched to the new iPhone.
-8- Clean up.
You can now delete the old iPhone on the Security Info page. This will remove any authentication connection between the Microsoft account and the old iPhone.
If there are further error messages of this type on the new iPhone, close the private browser session on the Windows device and start again at step -1- Log into the browser in Private Mode.
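An added example, not part of the original article: a check for the ordering of steps -4- to -8-, run over two constructed snapshots shaped like the list response of Microsoft Graph's /me/authentication/microsoftAuthenticatorMethods endpoint. It compares registrations by id rather than by device name, since a migrated phone can carry the same name as the old one, and it only schedules the old entry for deletion once a new one exists. The ids, versions and the idea of saving a snapshot at step -3- and after step -7- are assumptions of this example.

```python
import json

# Constructed sample data, shaped like the list response of Microsoft Graph's
# /me/authentication/microsoftAuthenticatorMethods; all ids and values are invented.
BEFORE = json.loads("""{"value": [
  {"id": "reg-old-0001", "displayName": "iPhone von Mr.OneDrive", "phoneAppVersion": "6.8.0"}
]}""")  # snapshot taken at step -3-
AFTER = json.loads("""{"value": [
  {"id": "reg-old-0001", "displayName": "iPhone von Mr.OneDrive", "phoneAppVersion": "6.8.0"},
  {"id": "reg-new-0002", "displayName": "iPhone von Mr.OneDrive", "phoneAppVersion": "6.8.0"}
]}""")  # snapshot taken after step -7-


def by_id(response):
    """Index registrations by id; the id, not the display name, identifies the entry."""
    return {m["id"]: m for m in response.get("value", [])}


def cleanup_plan(before, after):
    """Decide which registrations step -8- should delete.

    Old entries are only scheduled for deletion when a new registration
    exists, so the account is never left without an Authenticator entry.
    """
    old, now = by_id(before), by_id(after)
    added = [i for i in now if i not in old]
    leftover = [i for i in now if i in old]
    old_names = {m.get("displayName") for m in old.values()}
    return {
        "added": added,
        "delete": leftover if added else [],
        "safe_to_delete_old": bool(added),
        # True when the new phone kept the old device name, so the two
        # rows cannot be told apart by name alone.
        "name_collision": any(now[i].get("displayName") in old_names for i in added),
    }


if __name__ == "__main__":
    print(json.dumps(cleanup_plan(BEFORE, AFTER), indent=2))
```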
Summary
I have done this with several accounts that all displayed the red warning message on the iPhone. In retrospect, I also realized why the change-over doesn’t happen automatically: The sign-in method in the tenant and the new iPhone have to see and recognize each other.
Working through the above points is relatively easy:
- -1- Log into the browser.
- -2- MFA: Verify by entering a number.
- -3- Call up the Security Info page.
- -4- Add new sign-in method.
- -5- Windows device: Assign QR code.
- -6- If You Receive an Error message.
- -7- Testing the Authenticator.
- -8- Clean up.