![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 4%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation
Access to accounts depends on what backup and alternative methods were set up before the old phone was lost.
- Microsoft Authenticator backup
- Authenticator backups are device-type specific and must be enabled before the loss.
- For iOS, backup uses iCloud (iCloud Drive, Keychain, and iCloud Backup must be enabled, and Authenticator must be toggled on in “Saved to iCloud”). Only then can the app restore accounts on a new iOS device.
- If the app on the old phone never had backup enabled, the one-time codes and passwordless registrations stored only on that device cannot be restored.
- What can still be recovered
- Microsoft personal accounts: If other sign-in methods exist (SMS, email, other authenticators, security info), those can still be used. If none of those work and all security info is inaccessible, account recovery may be required as described in the “Common problems with two-step verification” article (for example, choosing “I don't have any of these” when prompted for security info and following the recovery flow).
- Work or school accounts (Microsoft Entra / Microsoft 365): If there is at least one other admin or helpdesk, they can reset MFA or add new methods. If there is only one admin and that admin is locked out, Microsoft’s Data Protection team must be engaged via a support ticket or phone support to verify identity and reset MFA for the tenant. This is the documented path when a sole global admin is locked out due to Authenticator loss.
- When there is no backup and no alternative method
- For any account where:
- Authenticator was the only MFA method, and
- No backup was configured, and
- There is no other recovery path (no SMS, email, backup codes, or admin/helpdesk that can reset MFA), access may not be recoverable through self-service. For Microsoft 365 business/education tenants with a single locked-out admin, the only supported option is to work with Microsoft support/Data Protection to prove ownership and have MFA reset.
- For any account where:
- Recommended next steps
- For personal Microsoft accounts: Sign in to the Microsoft account security page from a device where access still exists, review “Ways to prove who you are,” and remove old Authenticator registrations and add new methods (SMS, email, new Authenticator on the new phone). If completely locked out, follow the “I don't have any of these” path and complete the recovery process.
- For work/school tenants where the only admin is locked out: Call Microsoft Support using the global customer service phone numbers and clearly state that this is a tenant admin MFA lockout and that there is no other global admin. The Data Protection team can then verify identity and reset MFA, as described in the referenced Q&A resolutions.
- For any account that still has SMS/call MFA working: Use that method to sign in, then immediately add the new phone’s Authenticator app and additional backup methods.
Going forward, always enable backup in Authenticator (and, for iOS, ensure iCloud Drive/Keychain/Backup are on and Authenticator is toggled in iCloud), and configure at least two independent MFA methods (for example, Authenticator plus SMS or email) so a single device failure does not cause lockout.
References:
- Back up your accounts in Microsoft Authenticator
- Microsoft Authenticator FAQs
- Common problems with two-step verification for a work or school account
- How to go passwordless with your Microsoft account
- Migrate to a new iPhone for work
- I have a Micrsoft business account and I am the admin and the only user registered under this account. I can't log in because i have replaced my phone and the authenticator doesn't work. - Microsoft Q&A
- How Do I Regain Access to My Account After Losing Access to Microsoft Authenticator? (Urgent Request). - Microsoft Q&A
- Severity A Situation - Locked out of global admin account (MFA) - business down - Microsoft Q&A
- Requesting a Tenant Admin MFA Reset - Microsoft Q&A
- Cannot authenticate with E-mail when logging into Microsoft Authenticator(iOS). - Microsoft Q&A
- Use a screen reader to set up and troubleshoot multifactor authentication