Backup and Restore Microsoft Authenticator App
Last Updated on 31. July 2025
The Microsoft Authenticator App is a key component of Multi-Factor Authentication (MFA) in Microsoft Azure and Microsoft 365. When switching to a new smartphone or in the event of device loss, the question often arises: how can the Microsoft Authenticator App, including all configured accounts, be reliably restored without having to set up each login from scratch?
This article provides a step-by-step guide on how to securely back up the Microsoft Authenticator App and seamlessly transfer it to a new device, whether running iOS or Android. This ensures continued access to protected applications without disruption.
Note: This guide is based on iOS. However, the steps for Android are nearly identical.
Prerequisites and Licensing
Licensing
No additional license is required to use the backup and restore feature in the Microsoft Authenticator App. This functionality is available free of charge and can be used independently of any Microsoft 365 or Microsoft Entra ID license.
Personal Microsoft Account
To enable backup of Authenticator data, a personal Microsoft account is required. This can be, for example, an account ending in @outlook.com or @hotmail.com. The account is added once in the app.
Important: Work or school accounts cannot be used for this feature. Only a personal Microsoft account is supported for backup purposes.
Upcoming changes for iOS: Backup via iCloud instead of Microsoft account
Starting in September 2025, Microsoft will begin rolling out a new backup feature for iOS devices. The Microsoft Authenticator App will use iCloud and the iCloud Keychain to securely store Authenticator data. As a result, a personal Microsoft account will no longer be required for backups on iOS.
The global rollout of this change is expected to be completed by early October 2025.
Requirements for iCloud backup:
- iOS 16.0 or later
- iCloud Keychain enabled
As part of this transition, the existing iOS backup feature using a personal Microsoft account will be deprecated.
Microsoft Authenticator App: Set Up Backup
Backup of account information is enabled directly within the Microsoft Authenticator App under Settings. The process differs slightly between iOS and Android:
- iOS: Data is stored in iCloud and linked to the Apple ID account.
- Android: Data is stored in the Microsoft Cloud and linked to the personal Microsoft account.
A personal Microsoft account is required to enable backup. The data is encrypted using 256-bit AES. Detailed information about the encryption used for this backup is available in the following Microsoft Tech Community articleHow it works: Backup and restore for Microsoft Authenticator – Microsoft Tech Community
Once enabled, the backup runs automatically in the background. Under Settings > Details, the app displays the date and time of the last successful backup.
Microsoft Authenticator App: Restore Backup
After installing the Microsoft Authenticator App from the App Store or Google Play Store, the most recent backup can be restored during the initial sign-in process.
Accept the privacy policy and review the optional usage data sharing settings.
Select Restore from backup
Select Begin recovery
Select the account that was used to create the backup.
Upon successful recovery, all account credentials will be restored and accessible in the Microsoft Authenticator app.
Troubleshooting
Restore Access When “Action Required” Appears
The Action required prompt typically appears with work or school accounts because the sign-in data stored in the Microsoft Authenticator App is device-bound. After switching to a new device, Multi-Factor Authentication (MFA) must therefore be set up again.
Re-enrollment is done through the account’s security info page at https://aka.ms/mysecurityinfo. There, a new QR code can be generated and scanned using the Microsoft Authenticator App. MFA will then be functional again on the new device.
If access to a valid MFA method is no longer available, such as when the previously used device has been reset or lost, it is no longer possible to reach the security info page. In such cases, an administrator can provide a Temporary Access Pass (TAP), which allows sign-in without an existing MFA method. For more details, see the blog post: Temporary Access Pass in Microsoft Entra: what it is and how to use it – cloudcoffee.ch
Good to Know
Which Account Types Are Actually Backed Up?
Personal Microsoft Accounts
These accounts (e.g., @outlook.com, @hotmail.com) are fully backed up, provided they are TOTP-based. This means the shared secret and account metadata are encrypted and included in the backup, allowing for full restoration on a new device.
Work or School Account
For work and school accounts, only the account name is included in the backup, not the actual sign-in credentials or secrets. After restoring the backup on a new device, these accounts must be set up manually. Reconfiguring MFA using a QR code is required. Further information is available here: Restore Access When “Action Required” Appears.
Third-Party Accounts (TOTP-Based, e.g., Google, Amazon, Facebook)
These accounts are fully backed up, just like personal Microsoft accounts, including the shared secret, and can be fully restored with full functionality.
Fresh content, explained with practical relevance. Stay up to date via LinkedIn and Bluesky.
No marketing. No noise. Just content.
If this post was helpful, a coffee brings back the rich aroma behind the writing.
