Request an explanation of the technical principles of Microsoft Authenticator

炸天 周 205 Reputation points
2025-03-31T11:14:35.7466667+00:00

I watched the following two videos, but I found that both videos seemed to talk about AAD, which has now been upgraded to Entra ID. The video links are as follows:

1. https://www.youtube.com/watch?v=rRBG_0yhZN4

2. https://www.youtube.com/watch?v=lfHM7Q4vJ0w


Therefore I have the following questions:

  1. Is the current Microsoft Authenticator device registration the same as the Entra ID device registration? Two pairs of public and private keys need to be generated.
  2. Will Microsoft Authenticator call Apple or Google APIs to verify the integrity of the application when registering the device?
  3. Is there a more detailed document or video explanation of the push notification method of Microsoft Authenticator?

Thank you everyone!


Accepted answer
  VHelp 165 Reputation points
    2025-03-31T15:39:20.2166667+00:00

    Based on your questions about Microsoft Authenticator and its integration with Entra ID (formerly Azure AD), I can explain the information below as per my research and knowledge.

    Device Registration in Entra ID vs. Azure AD

    1. Current Microsoft Authenticator device registration is indeed part of Entra ID device registration (the evolution of Azure AD device registration). The core cryptographic principles remain similar but with some enhancements:
      • Two key pairs are still generated during registration:
        • Device key pair: Used for device authentication
        • Transport key pair: Used to secure communication between the device and Entra ID
      • The registration process now uses the newer Entra ID protocols and endpoints

    Application Integrity Verification

    1. Microsoft Authenticator does verify application integrity during device registration:

    Push Notification Mechanism

    1. For detailed documentation on Microsoft Authenticator's push notification flow:
      • The primary technical reference is Microsoft's How passwordless authentication works documentation
      • The push notification flow involves:
        1. User initiates login on a device/browser
        2. Entra ID sends a notification to the registered Authenticator app
        3. The app receives this via platform-specific push services (Apple Push Notification Service for iOS, Firebase Cloud Messaging for Android)
        4. The app verifies the request cryptographically
        5. User approves/denies the request
        6. The app communicates back to Entra ID via a secure channel

    Additional Resources

    For more technical details:

    If the above information explains it well, you may provide your vote on your created case so others can also get guidance and useful official articles on your case URL.

    1 person found this answer helpful.
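As an added illustration of the device-key principle the answer describes, and not Microsoft's actual protocol (which this page does not document), the following Go model registers a device public key, issues a single-use challenge for a push sign-in, has the app sign its approval with the device private key, and has the server check nonce freshness and the signature. The type and function names, the signed-message layout and the use of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Challenge is the sign-in request pushed to the app (a constructed model, not Microsoft's
// wire format). The nonce is random and single-use, so a captured approval cannot be replayed.
type Challenge struct{ DeviceID, Nonce string }
// Server keeps registered device public keys and challenges still awaiting an approval.
type Server struct {
	devices map[string]ed25519.PublicKey
	pending map[string]Challenge
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]Challenge{}} }
// Register stores only the public half of the device key; the private half never leaves the app.
func (s *Server) Register(id string, pub ed25519.PublicKey) { s.devices[id] = pub }
// Issue creates a fresh challenge for one sign-in attempt and remembers it as pending.
func (s *Server) Issue(id string) Challenge {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand, not math/rand; the error return is ignored for brevity
	c := Challenge{id, hex.EncodeToString(b)}
	s.pending[c.Nonce] = c
	return c
}
// signedBytes is what the device key signs: every field of the challenge plus the decision.
func signedBytes(c Challenge) []byte { return []byte(c.DeviceID + "|" + c.Nonce + "|approve") }
// Approve is the app side: refuse a request not addressed to this device, otherwise sign it.
func Approve(c Challenge, id string, priv ed25519.PrivateKey) ([]byte, error) {
	if c.DeviceID != id {
		return nil, errors.New("challenge not addressed to this device")
	}
	return ed25519.Sign(priv, signedBytes(c)), nil
}

// Verify is the server side: live single-use nonce, registered device key, valid signature.
func (s *Server) Verify(c Challenge, sig []byte) error {
	stored, ok := s.pending[c.Nonce]
	if !ok || stored.DeviceID != c.DeviceID {
		return errors.New("nonce unknown, already used, or bound to another device")
	}
	delete(s.pending, c.Nonce) // consumed whatever the outcome, so a second approval is rejected
	pub := s.devices[c.DeviceID]
	if pub == nil || !ed25519.Verify(pub, signedBytes(stored), sig) {
		return errors.New("signature does not verify under the registered device key")
	}
	return nil
}
```

Because the server verifies against the challenge it stored rather than the one echoed back, a reply can only succeed for the exact device and nonce that were issued, and only once.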