How do I use the Authenticator App for 2FA in an AD tenant that I have created from an account in a different AD?

Jimmy Gunnarsson 0 Reputation points
2024-02-06T11:21:27.49+00:00

I have an account in my organization's AD. Lets call the AD 'Mother', and the account me@mother.com

Signed in as this account, I have previously created another AD, let's call it 'Children'. Children is used to authenticate users in a system that is rarely used (a few times per year). The system uses the AD both from a SPA web app and from a backend API.

I've noticed that users in Children now require 2FA, due to the security defaults. When trying to log in to tweak these settings, I realize that my account (me@mother.com) that is the global administrator in Children, also needs 2FA in the Children tenant.

I have the Authenticator set up for 2FA for me@mother.com of course, but now I need to set it up for the account me@mother.com, but in the Children AD. If I just try to change to the Children AD in Entra, and log in as me@mother.com, my auth app does not get any request to authenticate.

I've tried to set up a new account in the Authenticator, like this:

  • Add account, Work or school account
  • Sign in, use another account, sign-in options
  • Sign in to an organization
  • enter children.onmicrosoft.com
  • sign in with me@mother.com
  • get prompted for 2FA, and authenticates with the (same) authenticator app
  • I now get prompted with "enter code" (from within the authenticator app). I can't reach the code in the app without closing this login screen.

How would I go about solving this? I'm considering getting a second phone so I can try having two different auth apps, but I would like to avoid it. All I want to do is get a second account set up in my existing auth app, so it can handle me logging in as me@mother.com in the Children tenant.

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,827 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
21,726 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Sandeep G-MSFT 19,026 Reputation points Microsoft Employee
    2024-03-03T07:58:24.4333333+00:00

    @Jimmy Gunnarsson

    I apologize for the delay on this thread.

    You can add this account to the same authenticator app. if you notice your mother account is provisioned in children tenant as #ext account.

    When you set up guest account same authenticator app, it will get set up as #ext account.

    To set this up in authenticator app you will have to account children tenant directly with mother account and let children tenant prompt for MFA. At this stage you can set up this account in authenticator app.

    We can work on this offline if you have any questions on this.

    Please send us an email on azcommunity [at] microsoft [dot] com with Sub - Attn: Sandeg and following details in the email body:

    Link to this thread/post

    We can connect offline and discuss further on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.