Microsoft Authenticator on a New Phone: What to Do
Getting a new phone is exciting — until you realize your Microsoft Authenticator codes didn't automatically follow you. For Charlotte businesses relying on multi-factor authentication (MFA) to protect Microsoft 365 accounts, a phone switch without preparation can lock employees out of email, Teams, SharePoint, and every other critical tool. This guide walks you through exactly what to do before and after switching phones, and what to do if you're already locked out. According to Microsoft's own security data, accounts protected by MFA are 99.9% less likely to be compromised — which means keeping Authenticator working is non-negotiable.
What Is Microsoft Authenticator and Why Does It Matter for Your Business?
Microsoft Authenticator is a free mobile app that generates time-based one-time passcodes (TOTP) and push notification approvals used to verify your identity when logging into Microsoft 365 and other connected apps. It's the most common second factor used in business MFA deployments — sitting between your password and your account.
For businesses using Microsoft 365 services, Authenticator isn't optional. It's the backbone of Conditional Access policies, Entra ID sign-in protection, and zero-trust access controls. Without it working correctly, employees get locked out — and without it enabled at all, accounts are exposed.
The app works by storing cryptographic keys tied to each account you register. Those keys live on your phone. That's the part that causes problems when you switch devices — the keys don't transfer automatically unless you've set up cloud backup in advance.
What Happens to Microsoft Authenticator When You Get a New Phone?
When you switch phones, your Authenticator accounts don't automatically appear on the new device. The app's cryptographic keys are stored locally on your old phone, so unless you've enabled the built-in backup feature — iCloud for iPhone or a Google account for Android — you'll need to re-register each account manually or have an IT administrator reset your MFA methods.
Here's what typically happens depending on your situation:
- You backed up before switching — Restoring from backup on the new phone usually recovers your accounts, but some accounts (especially those with hardware-level security requirements) may still require re-registration.
- You didn't back up and still have the old phone — You can transfer accounts directly using the built-in account transfer feature inside the Authenticator app.
- You didn't back up and the old phone is gone — You'll need your IT administrator or Microsoft 365 admin to reset your authentication methods so you can re-enroll on the new device.
- Your company uses Entra ID with Conditional Access — An admin may need to clear your registered devices and MFA methods before you can complete re-registration on a new device.
The good news: none of these scenarios are disasters if you know who to call. For businesses working with business IT support from Netsafe Solutions, this is a routine ticket — usually resolved in under 30 minutes remotely.
How Do You Transfer Microsoft Authenticator to a New Phone?
The safest path is to use Microsoft Authenticator's built-in transfer tools before you wipe or return your old phone. Here's the step-by-step process for the two most common scenarios.
Option 1: Restore from Cloud Backup (Recommended)
If you enabled cloud backup on your old phone before switching, this is the cleanest path.
- iPhone users: Open Authenticator on the old phone, go to Settings, and confirm "iCloud Backup" is toggled on. Install Authenticator on the new iPhone, sign in with the same personal Microsoft account, and choose "Restore from backup" when prompted.
- Android users: Open Authenticator on the old phone, go to Settings, and confirm "Cloud Backup" is on and linked to your Google account. Install Authenticator on the new Android device, sign in with the same Google account, and restore your accounts.
After restoring, verify that each account works by completing a test sign-in. Some work or school accounts may require you to approve the new device through your organization's portal before they function fully.
Option 2: Use the In-App Account Transfer Feature
If you still have access to your old phone, you can use Authenticator's built-in migration tool — no backup required.
- On your old phone, open Authenticator, tap the three-dot menu, and choose "Move accounts to another device" (or "Export accounts" depending on your version).
- A QR code will appear on your old phone.
- On your new phone, install Authenticator, tap "Add account," then select "Import accounts" and scan the QR code from your old phone.
- Verify each account with a test login before wiping the old device.
This method works well for personal Microsoft accounts and many third-party accounts. Work or school accounts managed through Entra ID may still require IT admin involvement, depending on your company's security policies.
Option 3: Re-Register Through Your Microsoft 365 Portal
If you can still access your Microsoft 365 account through a browser (on a computer, for example), you can add a new authentication method directly:
- Go to aka.ms/mfasetup and sign in.
- Add your new phone as an authentication device.
- Follow the prompts to scan a QR code with Authenticator on your new phone.
- Once confirmed, remove the old phone from your registered methods.
This is the self-service path and works when you're not fully locked out — meaning you can still receive a temporary code via email or a backup method during sign-in.
What If You Didn't Back Up Before Switching Phones?
You're locked out of Microsoft 365, you don't have your old phone, and Authenticator is empty on your new device. This is stressful, but it's fixable — and it happens regularly. Here's what to do.
Step 1: Contact Your IT Administrator
If your company has a managed IT provider or an internal IT team, this is their job. A Microsoft 365 administrator can reset your MFA registration through the Entra ID admin portal — clearing your old device and allowing you to re-enroll fresh on your new phone. This takes minutes when someone has admin access.
For Netsafe Solutions clients, this is a standard help desk ticket. We resolve approximately 98% of support tickets remotely — and an MFA reset is one of the quickest fixes we handle.
Step 2: Use a Backup Sign-In Method
If your organization configured backup authentication methods when you originally enrolled, you may be able to sign in using:
- An SMS code sent to your phone number
- A backup email code
- A hardware token (if your company issued one)
- Temporary Access Pass (TAP) — a time-limited code an admin can generate for you through Entra ID
Temporary Access Pass is the most reliable admin-side solution. If your IT provider manages your Microsoft 365 environment, ask them to generate one — it bypasses MFA temporarily so you can sign in, update your authentication methods, and get Authenticator working on the new phone.
Step 3: Prevent This From Happening Again
Once you're back in, enable cloud backup in Authenticator immediately. And register at least two authentication methods — Authenticator plus a backup phone number or email. One method is never enough.
Organizations that manage their M365 environment through a security gap analysis often discover that employees only have a single MFA method registered — which is a support incident waiting to happen.
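One way an administrator could check for this gap, shown as an added example that is not part of the original article or any vendor's tooling: it reads a registration export and flags users who would be locked out by a single lost phone. The records are constructed, and the field names, method names, and the choice of which methods count as phone-bound are assumptions to adapt to your own export.

```python
# Assumption: these methods live inside the Authenticator app on one handset,
# so both disappear together when that phone is lost or wiped.
PHONE_BOUND = {"microsoftAuthenticatorPush", "softwareOneTimePasscode"}

# Constructed sample export; field and method names are assumptions.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com",
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "bob@example.com",
     "methodsRegistered": ["microsoftAuthenticatorPush", "softwareOneTimePasscode"]},
    {"userPrincipalName": "carol@example.com",
     "methodsRegistered": ["microsoftAuthenticatorPush", "mobilePhone"]},
    {"userPrincipalName": "dave@example.com", "methodsRegistered": []},
]


def classify(user):
    """Return (status, methods still usable after the phone is gone)."""
    methods = set(user.get("methodsRegistered") or [])
    survivors = sorted(methods - PHONE_BOUND)
    if not methods:
        status = "no-mfa"
    elif len(methods) == 1:
        status = "single-method"
    elif not survivors:
        # Two methods on paper, but both sit on the same device.
        status = "all-on-one-phone"
    else:
        status = "ok"
    return status, survivors


def audit(users):
    """Map each at-risk user to the reason and what remains after phone loss."""
    report = {}
    for user in users:
        status, survivors = classify(user)
        if status != "ok":
            report[user["userPrincipalName"]] = {
                "status": status,
                "left_after_phone_loss": survivors,
            }
    return report


if __name__ == "__main__":
    for upn, finding in audit(SAMPLE_USERS).items():
        print(upn, finding)
```

The "all-on-one-phone" case is the one a simple method count misses: push approval and app-generated codes are two methods, but one lost device removes both.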
How Does Microsoft Authenticator Fit Into a Layered Security Strategy?
Microsoft Authenticator is one layer — an important one — but it's not a complete security strategy on its own. For Charlotte businesses managing sensitive data, customer records, or financial information, MFA is the floor, not the ceiling.
At Netsafe Solutions, we build security in layers around Microsoft 365 environments:
- Entra ID Conditional Access — controls which devices and locations can access your Microsoft 365 apps, even after a successful MFA verification. A stolen password plus a compromised authenticator code isn't enough to get in if Conditional Access blocks the device or location.
- SentinelOne EDR — monitors endpoints for threats that bypass login controls entirely, like malware that steals session tokens after authentication.
- Blackpoint Cyber SOC Cloud Response — our managed detection and response team watches your Microsoft 365 tenant 24/7 for signs of account compromise — including suspicious logins, forwarding rules, and malicious app consent — with an average response time of 7 minutes. Even if an attacker gets through MFA, the SOC can disable the account before damage is done.
- Check Point Harmony email security — blocks the phishing emails most commonly used to steal credentials and trick users into approving fraudulent Authenticator push notifications (known as MFA fatigue attacks).
- DefensX DNS filtering — prevents devices from reaching credential-harvesting sites, even if a user clicks a phishing link.
MFA protects the front door. The tools above protect everything behind it. Each is priced separately on a month-to-month basis — Netsafe builds the stack around what your business actually needs, not a forced bundle. Contact Netsafe Solutions for a custom quote on the right combination for your environment.
Key Statistics — MFA and Account Security
- Accounts with MFA enabled are 99.9% less likely to be compromised than those without it (Microsoft Security, 2023).
- 81% of hacking-related breaches involve stolen or weak passwords — MFA directly addresses this attack vector (Verizon 2025 Data Breach Investigations Report).
- MFA fatigue attacks — where attackers flood users with push notification requests until one is accidentally approved — increased by over 100% between 2022 and 2024 (Blackpoint Cyber Threat Intelligence, 2024).
- The average cost of a data breach in the United States reached $9.36 million in 2024 — the highest of any country (IBM 2024 Cost of a Data Breach Report).
- Only 26% of organizations have deployed phishing-resistant MFA (CISA, 2024) — leaving the majority dependent on standard TOTP or push notification methods that can be bypassed.
Frequently Asked Questions — Microsoft Authenticator New Phone
Can I transfer Microsoft Authenticator to a new phone without losing my accounts?
Yes — if you set up cloud backup before switching phones, your accounts can be restored on the new device through iCloud (iPhone) or your Google account (Android). If you didn't enable backup, you can still transfer accounts using the in-app migration feature while you have access to your old phone, or have an IT admin reset your MFA methods if you're locked out.
Do I need my IT department to switch Microsoft Authenticator to a new phone?
Not always. If you have cloud backup enabled and can complete a self-service restore, you may not need IT involvement at all. However, if your account is managed through Microsoft Entra ID with strict Conditional Access policies, your IT administrator may need to reset your registered devices or generate a Temporary Access Pass before you can re-enroll on the new phone.
What happens if I get a new phone and don't transfer Authenticator first?
You'll lose access to any codes stored on the old device. For accounts where Authenticator is your only registered MFA method, you'll be locked out until an admin resets your authentication methods or you use a backup verification option. This is why it's critical to register at least two MFA methods — Authenticator plus a backup phone number or email.
Is Microsoft Authenticator safe to use for business accounts?
Yes — Microsoft Authenticator is one of the most secure MFA apps available and is the recommended option for Microsoft 365 business accounts. For stronger protection, consider using number matching (enabled through Entra ID), which requires you to match a displayed number before approving a push notification — this defeats MFA fatigue attacks where criminals spam approval requests.
What is a Temporary Access Pass and how do I get one?
A Temporary Access Pass (TAP) is a time-limited, admin-generated passcode that allows you to sign into Microsoft 365 without your usual MFA method. It's used specifically when you're locked out due to a lost or replaced phone. Your IT administrator generates it through the Entra ID admin portal — it expires after a set time window and can only be used to update your authentication methods, not for general access. If Netsafe Solutions manages your Microsoft 365 environment, contact our help desk and we'll generate one for you.
How do I make sure this doesn't happen again when I switch phones in the future?
Enable cloud backup in Authenticator right now — it takes 30 seconds. On iPhone, go to Settings in the app and toggle on iCloud Backup. On Android, toggle on Cloud Backup and link it to a Google account. Also register a second MFA method in your Microsoft 365 security settings at aka.ms/mfasetup — a backup phone number or email means you're never completely locked out if one method fails.
Managing MFA across a team of employees — especially during phone upgrades, device replacements, and onboarding — is exactly the kind of recurring IT work that consumes hours when you handle it internally. Netsafe Solutions manages Microsoft 365 identity and security for businesses across the Charlotte metro, including Entra ID configuration, Conditional Access policies, and MFA administration so your team stays protected and productive without the headaches.
Ready to stop worrying about account security every time someone gets a new phone? Let's talk — or explore our cybersecurity services and compliance services to see how Netsafe Solutions builds security that works for your business, not against it.