Software OATH TOTP in Microsoft Entra ID (including Microsoft Authenticator and other apps registered as “Authenticator app”) is documented only as OATH TOTP, with no SHA-256 option exposed. The SHA-256 support that is mentioned applies specifically to hardware OATH tokens in the hardware-token preview, not to software tokens registered as an authenticator app.
From the documentation:
- Software OATH tokens (Authenticator and other apps) are described generically as OATH TOTP; no SHA-256 variant is called out.
- Hardware OATH tokens in the preview support OATH‑TOTP SHA‑1 and SHA‑256 with 30- or 60-second intervals.
- NIST alignment notes single‑factor hardware/software OTP as “30‑second or 60‑second OATH‑TOTP SHA‑1 token,” which further indicates SHA‑1 for the general OTP scenario.
Given this, only SHA‑1 is supported for software OATH TOTP used as an “Authenticator app” method. SHA‑256 is currently available only for hardware OATH tokens in the hardware-token preview, and there is no supported way to register a programmable self‑service token as an “Authenticator app” using SHA‑256.
To use SHA‑256 with tokens, the token must be onboarded as a hardware OATH token in the Entra hardware-token preview (via CSV upload or Microsoft Graph, depending on which preview path is used), not as an Authenticator app/software token.
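Why the hash algorithm matters here, as an added example that is not part of the original answer or of Microsoft's documentation: a minimal RFC 6238 TOTP in Python showing that a token programmed for SHA-256 produces codes that a SHA-1 verifier rejects, even when both hold the same seed. The seeds are the RFC 6238 Appendix B test seeds, and `verify` is a generic sketch of a verifier, not Entra's implementation.

```python
import hashlib
import hmac
import struct

# Test seeds from RFC 6238 Appendix B (public test data, not real secrets).
RFC_SEED_SHA1 = b"12345678901234567890"
RFC_SEED_SHA256 = b"12345678901234567890123456789012"


def totp(secret: bytes, unix_time: int, algorithm: str = "sha1",
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP computed over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           algorithm: str = "sha1", step: int = 30, digits: int = 6,
           drift: int = 1) -> bool:
    """Verifier side: accept the current and adjacent time steps only."""
    return any(
        hmac.compare_digest(
            totp(secret, unix_time + d * step, algorithm, step, digits),
            submitted)
        for d in range(-drift, drift + 1)
    )


def mismatch_demo(unix_time: int = 59) -> dict:
    """Same seed on both sides; only the token's hash algorithm differs."""
    seed = RFC_SEED_SHA1
    sha1_code = totp(seed, unix_time, "sha1", digits=8)
    sha256_code = totp(seed, unix_time, "sha256", digits=8)
    return {
        "sha1_token_accepted": verify(seed, sha1_code, unix_time, "sha1", digits=8),
        "sha256_token_accepted": verify(seed, sha256_code, unix_time, "sha1", digits=8),
    }


if __name__ == "__main__":
    print(mismatch_demo())
```

A programmable token set to SHA-256 therefore fails verification against a software-token registration that assumes SHA-1, which looks like a clock or seed problem unless the algorithm setting is checked first.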