Back up and restore MFA configuration

Multi-factor authentication is widely used today and should be standard for all companies and individuals. But what if the configured MFA device is lost or broken? Microsoft's Authenticator App offers a practical, simple and secure solution to this problem through cloud backup of the MFA configuration, which lets you back up your existing MFA configuration. This article shows how to activate the backup, add another MFA device, load the backup data and remove the lost or broken device. All of this can be done in a few steps.

Save MFA configuration

First you should save your MFA configuration. This simplifies the later recovery process, because you can then reload the basic configuration. It is therefore recommended to activate this backup right from the beginning, before you want or need to change the MFA device. To do this, select the three items in the top right corner of Microsoft's Authenticator App and navigate to the settings.

Microsoft Authenticator Settings

Navigate to the "Backup" section in the settings and activate the "Cloud backup" switch (on iOS, "iCloud backup"). You will now be asked for the Microsoft account with which you want to save your configuration (on iOS, use your iCloud account). Log in with this account and confirm or execute the backup. The Settings menu will then show that you have successfully added a "Recovery account". Under "Details" you can see if and when the last backup was done.

Congratulations! You have successfully linked and saved your MFA configuration with your Live ID.

Add new MFA device and load MFA configuration

Since you have already linked and backed up your MFA configuration from your existing MFA device to your Microsoft account (or iCloud account), you can easily add another device. For certain accounts, additional verification steps are required afterwards; these are covered further down.

Load MFA configuration on the additional device

If not already done, first install the Authenticator App on the device to be added. If the app is already installed, make sure that no Microsoft (or iCloud) account is registered in it yet. This ensures that you do not overwrite any existing configuration. If no account is connected, select "Begin recovery" to load your backup.

The app will now ask you for the account with which you performed the backup. Log in with it and the app will load your configuration onto the device. You have now successfully added another device.

Perform further actions for verification

However, you will find that some accounts require further action before they are verified on the new device.

For these accounts you have to scan the QR code provided by the organization to complete the restore of the configuration. The following example shows how you can do this with your Azure / Office 365 account.

Open https://myaccount.microsoft.com/ in the browser of your choice. Then log in with the account you want to verify and select "Security info" on the left side.

Both your default login method and your additional methods are now displayed. To verify your additional device, click on "Add method".

Now select the desired additional method. In this scenario, you want to register another Authenticator app with the account, namely the one on your additional or new device.

myaccount add Authenticator App

Confirm the following two messages with "Next" after you have read them. You will then be shown the QR code, which you scan with the Authenticator App to complete the verification.

Microsoft Authenticator QR Scan

If successful, you will now see an additional Authenticator App in the portal! Congratulations!

myaccount available authentication methods

Optionally, you can also remove existing devices or methods here. If your MFA device has been stolen, this is strongly recommended!
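For administrators, the same clean-up can be checked from the directory side. The following is an added example, not part of the original article or of Microsoft's documentation: it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin may manage authentication methods; the user name and device name are constructed placeholders.

```powershell
# Added example: list a user's registered Authenticator apps and remove
# the registration that belongs to the lost or stolen device.
# Assumptions: Microsoft.Graph.Identity.SignIns module is installed;
# $UserId and $LostDeviceName are placeholders, replace them with real values.
$UserId         = 'user@example.com'
$LostDeviceName = 'PLACEHOLDER-LOST-PHONE'

Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All'

# Every Authenticator app currently registered for the account.
$methods = @(Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId)
$methods | Select-Object Id, DisplayName, DeviceTag, PhoneAppVersion | Format-Table

# Registrations whose display name matches the lost device.
$lost = @($methods | Where-Object { $_.DisplayName -eq $LostDeviceName })
if ($lost.Count -eq 0) {
    Write-Warning "No Authenticator registration named '$LostDeviceName' found."
    return
}

# Conservative guard: only remove the old device once the replacement
# device has been registered, as the article describes.
if ($methods.Count -le $lost.Count) {
    throw "No other Authenticator app is registered; add the new device first."
}

foreach ($m in $lost) {
    # -Confirm prompts before each removal.
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod `
        -UserId $UserId `
        -MicrosoftAuthenticatorAuthenticationMethodId $m.Id `
        -Confirm
}

# Verify: the lost device must no longer appear in the list.
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $UserId |
    Select-Object Id, DisplayName | Format-Table
```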

Source:
https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-backup-recovery
