Authenticator recovery issue

anuj sanghvi 1 Reputation point
2023-10-25T18:05:04.9966667+00:00

I created an Outlook email account. Then I added 2 TOTP accounts to the Microsoft Authenticator app and backed it up to the cloud. I use Android. Now in this case assume that I have lost my phone and am trying to recover my account using a new phone (I have not lost my phone but am using 2 phones for this test). So, on another Android device I tried to recover my account in the Microsoft Authenticator app. I did not have any Outlook account logged in on the new phone. It first asked me to click on a number generated in the Authenticator app on the 'lost' device, which I did not do. I clicked on the 'I don't have access to my Microsoft Authenticator app' option and then I was asked to change my password, which I did, and then logged in. I successfully recovered both my TOTP accounts. Now I can view my TOTP codes on both devices: the one which is presumed to be lost and the new one which I used to recover my account. Now I tried using the TOTP code to log in to the other application where it is to be used. To my shock, I am not able to use the TOTP generated on the new device; that TOTP is treated as invalid. But when I tried to use the TOTP from the old phone, which was presumed to be lost, I could log in normally. (I had not logged in to the old phone with the new password.)

So my question is: if I lose my current phone of my primary account and I try to recover my Microsoft account in the Authenticator app on a new device, how will I be able to use the TOTP codes and log in? This thing demonstrably locks me out of all my accounts requiring me to use TOTP codes for login.

Please help. Thanks.

Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.

2 answers

  1. Anonymous
    2023-10-25T18:21:20.9933333+00:00

    The steps should have been: create an Authenticator cloud backup on the old phone, then on the new phone you can restore from the Authenticator cloud backup, but make sure no accounts have been added to the newly installed app. Then sign on with the recovery account to do the restore.

    You can recover your account credentials from your cloud account, but you must first make sure that the account you're recovering doesn't exist in the Microsoft Authenticator app. For example, if you're recovering your personal Microsoft account, you must make sure you don't have a personal Microsoft account already set up in the authenticator app. This check is important so we can be sure we're not overwriting or erasing an existing account by mistake. https://support.microsoft.com/en-us/account-billing/back-up-and-recover-account-credentials-in-the-authenticator-app-bb939936-7a8d-4e88-bc43-49bc1a700a40

    And of course we wouldn't want to format the old phone until the new phone is confirmed as working. Also, since Azure is involved, be sure to create an emergency access account (break glass) in Azure AD. This account will help prevent being accidentally locked out of your Azure Active Directory (Azure AD) organization because you can't sign in for any reason. https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access


    --please don't forget to close up the thread here by marking answer if the reply is helpful--


  2. Anonymous
    2023-10-25T18:34:50.0066667+00:00

    had backed up to cloud on old phone.

    A phone backup is not enough. An authenticator cloud backup / restore would need to happen.

    --please don't forget to close up the thread here by marking answer if the reply is helpful--

