Authenticator: "scan the qr code provided by your organization to finish recovering this account" - where does org (me) get this?

Ben J 0 Reputation points
2024-12-03T16:25:38.27+00:00

Testing this out for a client/friend who's upgrading several phones and migrating to Intune. Using Authenticator to back up and restore tokens onto new devices. Though it completely defeats the point of "recovery", it DOES require you "scan a QR code".

I see that there used to be an item in https://account.activedirectory.windowsazure.com/ for "additional security verification", which SOUNDS like what this app "functionality" was meant to work with. But that is gone, presumably because of the Azure > Entra fry-gration.
Recent learn.microsoft answers point to https://mysignins.microsoft.com/security-info - a page I've not once ever seen, but okay. The thing is, if users cannot log in to this page, they cannot add a new auth method. I tested this on my own account/tenancy. Logged out online, deleted my authenticator, restored. My authenticator account was locked, demanding an approval from my account, itself demanding approval from my authenticator.

I've checked the labyrinth of React components called "Entra ID" for everything dealing with MFA. I tried using the > User > Authentication > Require re-register multifactor authentication AND the "per-user multifactor authentication" > re-register MFA (available from 365AC:users > multi-factor authentication). One of them did nothing that I could tell (re-logged and was requested to approve via authenticator as normal), the other just deleted my MFA config and marked my account not capable of MFA. Despite conditional access rules requiring MFA, I got no prompt to re-register any MFA.

So what exactly is the "approved" / intended process here? Google Authenticator? Client is remote, and users are spread all over the place - they're not office workers. Between the whole "need 90 personal MS accounts to back authenticator up to iCloud" and this, they're starting to doubt the Intune migration. Any MSPs or consultants here who have been through this process?

Microsoft Security Microsoft Entra Microsoft Entra ID
Microsoft Security Microsoft Authenticator

1 answer

  1. Harshitha Eligeti 4,380 Reputation points Microsoft External Staff Moderator
    2024-12-04T22:31:46.3133333+00:00

    Hi @Ben J,

    Thank you for sharing your issue on Microsoft Q&A. 

    I understand that you are working with a client migrating to Microsoft Intune and using Microsoft Authenticator for MFA token backup and restore during device upgrades. The Azure AD "Additional Security Verification" page has been removed due to the transition to Microsoft Entra ID. 

    Users cannot modify MFA methods because they can't access the Security Info page without logging in first. 

    After testing MFA setup by deleting and restoring the Authenticator app, your account was locked and required approval from the deleted app. You tried using "Require re-register MFA" and per-user MFA re-enrollment, but one had no effect, and the other disabled MFA, marking your account as MFA-disabled. Despite Conditional Access enforcing MFA, no re-registration prompt appeared during login. 

    Backup and restore work only on the same device type (iOS to iOS, Android to Android). On iOS, the backup feature uses iCloud but requires linking a personal Microsoft account to the Authenticator app. 

    To resolve the issue, follow these steps: 

    As you are facing issues with your current setup, removing your account from the Authenticator app can help reset its state. 

    Use the Intune or Azure AD admin center to push MFA re-registration for users. This can help ensure that they are prompted correctly during their next login attempt. 

    As an administrator, revoking active sessions can force you to re-authenticate, which may prompt MFA setup again. 

    After revoking sessions, it is required to re-register MFA settings through the admin center to ensure you have valid authentication methods set up. 
    Once you have successfully re-registered your MFA methods, you can re-add your account in the Microsoft Authenticator app. 

    For additional information, please refer to these links: Back up account credentials in Microsoft Authenticator - Microsoft Support 

    Use Microsoft Authenticator with Microsoft 365 - Microsoft Support 

    Hope this helps. Do let us know if you have any further queries. 


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Best Regards. 
    Harshitha Eligeti. 
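
The admin-side steps described in the answer above (clear the stale Authenticator registration, then revoke sessions so the next sign-in re-evaluates MFA), sketched with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original thread or any Microsoft-supplied script. It assumes the SDK modules are installed and the signed-in admin may manage authentication methods; the function name and the UPN are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users.Actions
# Added example (not from the thread). Run with -WhatIf first to preview changes.

function Reset-AuthenticatorRegistration {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    # 1. Record what the user has registered before changing anything.
    Get-MgUserAuthenticationMethod -UserId $UserPrincipalName | ForEach-Object {
        [pscustomobject]@{
            Id   = $_.Id
            Type = $_.AdditionalProperties['@odata.type']
        }
    } | Format-Table -AutoSize | Out-Host

    # 2. Remove Authenticator registrations tied to the old or wiped device.
    $stale = Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserPrincipalName
    foreach ($m in $stale) {
        $target = "$UserPrincipalName / $($m.DisplayName)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove Authenticator registration')) {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
                -UserId $UserPrincipalName `
                -MicrosoftAuthenticatorAuthenticationMethodId $m.Id
        }
    }

    # 3. Invalidate refresh tokens so existing sessions must sign in again.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke sign-in sessions')) {
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    }

    # 4. Return what is still registered so the change can be verified.
    Get-MgUserAuthenticationMethod -UserId $UserPrincipalName
}

# Delegated scopes for reading/removing methods and revoking sessions.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.RevokeSessions.All'

# Placeholder UPN; -WhatIf lists the actions without performing them.
Reset-AuthenticatorRegistration -UserPrincipalName 'user@contoso.example' -WhatIf
```

Keep the output of step 1 with the change record: it is the only evidence of which methods existed before the reset.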
