Getting a new phone is exciting — until you realize your Microsoft Authenticator codes didn't automatically follow you. For Charlotte businesses relying on multi-factor authentication (MFA) to protect Microsoft 365 accounts, a phone switch without preparation can lock employees out of email, Teams, SharePoint, and every other critical tool. This guide walks you through exactly what to do before and after switching phones, and what to do if you're already locked out. According to Microsoft's own security data, accounts protected by MFA are 99.9% less likely to be compromised — which means keeping Authenticator working is non-negotiable.
Microsoft Authenticator is a free mobile app that generates time-based one-time passcodes (TOTP) and push notification approvals used to verify your identity when logging into Microsoft 365 and other connected apps. It's the most common second factor used in business MFA deployments — sitting between your password and your account.
For businesses using Microsoft 365 services, Authenticator isn't optional. It's the backbone of Conditional Access policies, Entra ID sign-in protection, and zero-trust access controls. Without it working correctly, employees get locked out — and without it enabled at all, accounts are exposed.
The app works by storing cryptographic keys tied to each account you register. Those keys live on your phone. That's the part that causes problems when you switch devices — the keys don't transfer automatically unless you've set up cloud backup in advance.
When you switch phones, your Authenticator accounts don't automatically appear on the new device. The app's cryptographic keys are stored locally on your old phone, so unless you've enabled the built-in backup feature — iCloud for iPhone or a Google account for Android — you'll need to re-register each account manually or have an IT administrator reset your MFA methods.
Here's what typically happens depending on your situation:
The good news: none of these scenarios are disasters if you know who to call. For businesses working with business IT support from Netsafe Solutions, this is a routine ticket — usually resolved in under 30 minutes remotely.
The safest path is to use Microsoft Authenticator's built-in transfer tools before you wipe or return your old phone. Here's the step-by-step process for the two most common scenarios.
If you enabled cloud backup on your old phone before switching, this is the cleanest path.
After restoring, verify that each account works by completing a test sign-in. Some work or school accounts may require you to approve the new device through your organization's portal before they function fully.
If you still have access to your old phone, you can use Authenticator's built-in migration tool — no backup required.
This method works well for personal Microsoft accounts and many third-party accounts. Work or school accounts managed through Entra ID may still require IT admin involvement, depending on your company's security policies.
If you can still access your Microsoft 365 account through a browser (on a computer, for example), you can add a new authentication method directly:
This is the self-service path and works when you're not fully locked out — meaning you can still receive a temporary code via email or a backup method during sign-in.
You're locked out of Microsoft 365, you don't have your old phone, and Authenticator is empty on your new device. This is stressful, but it's fixable — and it happens regularly. Here's what to do.
If your company has a managed IT provider or an internal IT team, this is their job. A Microsoft 365 administrator can reset your MFA registration through the Entra ID admin portal — clearing your old device and allowing you to re-enroll fresh on your new phone. This takes minutes when someone has admin access.
For Netsafe Solutions clients, this is a standard help desk ticket. We resolve approximately 98% of support tickets remotely — and an MFA reset is one of the quickest fixes we handle.
If your organization configured backup authentication methods when you originally enrolled, you may be able to sign in using:
Temporary Access Pass is the most reliable admin-side solution. If your IT provider manages your Microsoft 365 environment, ask them to generate one — it bypasses MFA temporarily so you can sign in, update your authentication methods, and get Authenticator working on the new phone.
Once you're back in, enable cloud backup in Authenticator immediately. And register at least two authentication methods — Authenticator plus a backup phone number or email. One method is never enough.
Organizations that manage their M365 environment through a security gap analysis often discover that employees only have a single MFA method registered — which is a support incident waiting to happen.
Microsoft Authenticator is one layer — an important one — but it's not a complete security strategy on its own. For Charlotte businesses managing sensitive data, customer records, or financial information, MFA is the floor, not the ceiling.
At Netsafe Solutions, we build security in layers around Microsoft 365 environments:
MFA protects the front door. The tools above protect everything behind it. Each is priced separately on a month-to-month basis — Netsafe builds the stack around what your business actually needs, not a forced bundle. Contact Netsafe Solutions for a custom quote on the right combination for your environment.
Yes — if you set up cloud backup before switching phones, your accounts can be restored on the new device through iCloud (iPhone) or your Google account (Android). If you didn't enable backup, you can still transfer accounts using the in-app migration feature while you have access to your old phone, or have an IT admin reset your MFA methods if you're locked out.
Not always. If you have cloud backup enabled and can complete a self-service restore, you may not need IT involvement at all. However, if your account is managed through Microsoft Entra ID with strict Conditional Access policies, your IT administrator may need to reset your registered devices or generate a Temporary Access Pass before you can re-enroll on the new phone.
You'll lose access to any codes stored on the old device. For accounts where Authenticator is your only registered MFA method, you'll be locked out until an admin resets your authentication methods or you use a backup verification option. This is why it's critical to register at least two MFA methods — Authenticator plus a backup phone number or email.
Yes — Microsoft Authenticator is one of the most secure MFA apps available and is the recommended option for Microsoft 365 business accounts. For stronger protection, consider using number matching (enabled through Entra ID), which requires you to match a displayed number before approving a push notification — this defeats MFA fatigue attacks where criminals spam approval requests.
A Temporary Access Pass (TAP) is a time-limited, admin-generated passcode that allows you to sign into Microsoft 365 without your usual MFA method. It's used specifically when you're locked out due to a lost or replaced phone. Your IT administrator generates it through the Entra ID admin portal — it expires after a set time window and can only be used to update your authentication methods, not for general access. If Netsafe Solutions manages your Microsoft 365 environment, contact our help desk and we'll generate one for you.
Enable cloud backup in Authenticator right now — it takes 30 seconds. On iPhone, go to Settings in the app and toggle on iCloud Backup. On Android, toggle on Cloud Backup and link it to a Google account. Also register a second MFA method in your Microsoft 365 security settings at aka.ms/mfasetup — a backup phone number or email means you're never completely locked out if one method fails.
Managing MFA across a team of employees — especially during phone upgrades, device replacements, and onboarding — is exactly the kind of recurring IT work that consumes hours when you handle it internally. Netsafe Solutions manages Microsoft 365 identity and security for businesses across the Charlotte metro, including Entra ID configuration, Conditional Access policies, and MFA administration so your team stays protected and productive without the headaches.
Ready to stop worrying about account security every time someone gets a new phone? Let's talk — or explore our cybersecurity services and compliance services to see how Netsafe Solutions builds security that works for your business, not against it.