Because the original YubiKey is lost, it must be treated as compromised and removed from the account; only then should the new key be registered as a fresh sign-in method.
For Microsoft Entra ID accounts using Microsoft Authenticator and hardware keys (like YubiKey), the relevant flows are passkeys (FIDO2) and certificate-based authentication. The general pattern is:
- Remove the old key or passkey from the account:
  - If the lost key was registered as a passkey in Microsoft Authenticator on Android or iOS:
    - Open the Authenticator app.
    - Tap the account name.
    - Go to Settings and choose Delete passkey (wording differs slightly between Android and iOS but follows this pattern).
  - If the passkey still appears under Security info, go to Security info and select Delete next to that passkey. A security key that was registered directly (not through Authenticator) is removed from Security info in the same way.
- Register a new passkey (or new hardware key) for sign-in:
  - From a browser, sign in to Security info.
  - Select Add sign-in method.
  - Choose Passkey and select Add.
  - Complete multifactor authentication (MFA) with any existing method that still works. If no MFA method is available, an administrator holding the Authentication Administrator role (Privileged Authentication Administrator if the locked-out account is itself an admin) must issue a Temporary Access Pass so that strong authentication can be completed before registering the new passkey.
  - When the security dialog appears asking where to save the passkey:
    - If the organization allows saving a passkey to a security key (such as a YubiKey), choose Security Key.
    - Insert or connect the new YubiKey when prompted.
    - Create or enter the PIN for the YubiKey and perform the required gesture (touch the key) when requested.
    - Finish the dialog and return to Security info.
  - Optionally rename the new sign-in method, then select Done.
- If using Microsoft Authenticator on mobile for passkeys:
  - The easiest way is to add a passkey directly in the Authenticator app on Android or iOS (supported on iOS 17+ and Android 14+). After adding, confirm that the new passkey appears under Security info.
- If using certificate-based authentication with a YubiKey on Android:
  - Ensure Microsoft Authenticator is installed before Company Portal.
  - When signing in and choosing Use Certificate or smart card, plug in or tap the YubiKey (USB or NFC) and select the certificate from the YubiKey.
- If registration errors occur (for example, "passkey already exists"):
  - Delete any locally created passkey in Authenticator (tap account → Settings → Delete passkey), then retry the registration from Security info.
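The steps above are the user-facing path through Security info. The admin-side equivalent of the first step (removing the lost key) and of the MFA fallback (issuing a Temporary Access Pass) can be done with the Microsoft Graph PowerShell SDK. The script below is an added example for this page, not code from the Microsoft documentation or the Q&A threads it references. The user principal name, the default display-name filter `YubiKey 5` and the one-hour TAP lifetime are hypothetical; the caller is assumed to hold the Authentication Administrator role (Privileged Authentication Administrator when the target is an admin account), and Temporary Access Pass must already be enabled for the user in the tenant's Authentication methods policy.

```powershell
# Added example: remove a lost FIDO2 security key from a Microsoft Entra ID user and,
# if no other strong method remains, issue a Temporary Access Pass (TAP).
# Uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
# Hypothetical values: the UPN passed in, the default -LostKeyName filter, the TAP lifetime.
#Requires -Modules Microsoft.Graph.Identity.SignIns

param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    # Substring of the display name the user gave the key under Security info (hypothetical default).
    [string] $LostKeyName = 'YubiKey 5',
    [int]    $TapLifetimeMinutes = 60
)

# One scope covers listing/removing authentication methods and creating a TAP.
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

# 1. Inventory every registered method first, so the before/after state is visible.
Get-MgUserAuthenticationMethod -UserId $UserPrincipalName | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; Type = $_.AdditionalProperties['@odata.type'] }
} | Format-Table -AutoSize

# 2. Locate the lost key. Passkeys saved to a security key and passkeys held in Authenticator
#    both surface as FIDO2 methods, so the match is on the user-chosen display name; check the
#    inventory above if the filter finds nothing.
$fido = Get-MgUserAuthenticationFido2Method -UserId $UserPrincipalName
$lost = @($fido | Where-Object { $_.DisplayName -like "*$LostKeyName*" })

if ($lost.Count -eq 0) {
    throw "No FIDO2 method matching '$LostKeyName' found for $UserPrincipalName."
}
if ($lost.Count -gt 1) {
    $lost | Select-Object Id, DisplayName, Model, CreatedDateTime | Format-Table -AutoSize
    throw "Multiple FIDO2 methods match '$LostKeyName'; narrow -LostKeyName before deleting."
}

# 3. Treat the lost key as compromised: remove it so it can no longer satisfy sign-in.
Write-Host "Removing FIDO2 method '$($lost[0].DisplayName)' (id $($lost[0].Id), model '$($lost[0].Model)')"
Remove-MgUserAuthenticationFido2Method -UserId $UserPrincipalName -Fido2AuthenticationMethodId $lost[0].Id

# 4. Can the user still complete MFA on their own? Password is not a strong method, so it is
#    excluded; anything else left (Authenticator, a second FIDO2 key, phone, software OATH)
#    means the user can re-register from Security info without a TAP.
$remaining = @(Get-MgUserAuthenticationMethod -UserId $UserPrincipalName |
    Where-Object { $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod' })

if ($remaining.Count -gt 0) {
    Write-Host "User still has $($remaining.Count) non-password method(s); no TAP needed."
    return
}

# 5. Nothing strong is left: issue a single-use TAP so the user can satisfy strong auth in
#    Security info and register the replacement YubiKey. Single use and a short lifetime keep
#    the window small if the pass is intercepted.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
    -LifetimeInMinutes $TapLifetimeMinutes -IsUsableOnce:$true

# The pass value is returned only at creation. Deliver it to the user out of band
# (not by e-mail to the account being recovered) and do not write it to logs.
Write-Host "TAP issued for $UserPrincipalName; valid for $($tap.LifetimeInMinutes) minute(s), single use."
Write-Host "TAP: $($tap.TemporaryAccessPass)"
```

Run it as `.\Reset-LostFido2Key.ps1 -UserPrincipalName user@contoso.example` (file name and UPN hypothetical). The script refuses to delete when the name filter is ambiguous, because removing the wrong FIDO2 method would lock the user out of a working key; if the inventory shows the lost key under a different display name, pass that name through `-LostKeyName`.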
If no working MFA method remains and no admin can issue a Temporary Access Pass, a support case with Microsoft (Data Protection team) is required to restore access before a new YubiKey can be registered.
References:
- Register a passkey (FIDO2)
- Register passkeys in Authenticator on Android or iOS devices
- Microsoft Entra certificate-based authentication on Android devices
- How do I regain access to my account after losing access to Microsoft Authenticator? (Urgent request) (Microsoft Q&A)
- Severity A situation: locked out of global admin account (MFA), business down (Microsoft Q&A)