Setting up Microsoft Authenticator on a Second Device

Look, maybe this is old news but it’s new to me! I like to think of this as more of a ‘how to’ for me since I’m likely to run into this in a year or so 🙂

Two Factor Authentication (2FA) / Two-Step Verification (2SV) / Multi-Factor Authentication (MFA)

Years ago I set up the Microsoft Authenticator for my personal Microsoft account, and I love how it not only makes the sign-in process easy but also gives me peace of mind that, should my password get compromised, I have that extra layer of protection. I’m a strong supporter of two-factor authentication (2FA) or two-step verification (2SV) and I urge everyone to enable it where possible, so if you haven’t already done so, get 2FA/2SV set up on your Microsoft account. Go ahead, I’ll wait.

Multi-Factor Authentication (MFA) for Azure AD

When our organization started focusing more on Azure AD, it only made sense that we would create a Conditional Access Baseline Policy to require our Azure admins to set up multi-factor authentication (MFA). With that policy in place, the process of setting up my corporate account in the Microsoft Authenticator was quite simple.

Setting Up 2FA for Personal Accounts

Fast forward some time later: during Google Fi’s special birthday promotion I managed to secure a Pixel 3 XL, and when it arrived it was time to get the Microsoft Authenticator set up for my corporate accounts. Having been through the process of adding accounts to authenticator apps multiple times, I assumed it was going to be simple:

  1. Open the Microsoft Authenticator app
  2. Tap the menu button (three dots in the top right) & select + Add Account
  3. Select Work or school account
  4. Enter in my corporate email
  5. Be redirected to our identity provider
  6. Enter my corporate credentials
  7. Accept the authentication prompt on my original phone
  8. All set up!

Turns out I was very wrong because, to my surprise, at step 4 I was prompted to scan a QR code or enter in the details manually.

Setting up MFA for Azure AD Accounts

While configuring 2FA/2SV/MFA for personal accounts starts from within the Microsoft Authenticator, setting up MFA for Azure AD accounts for the first time typically happens during your first login after the organization has enabled your account for MFA. This is really easy, as it steps you through a wizard-like process and takes a minute or so. However, if you need to set up the Microsoft Authenticator on a new device, you are required to initiate the process from within your tenant while logged in using the account you want to configure MFA for. There are a few ways to get where you want to go; here are two of them:

Method 1

  1. Log in to https://portal.azure.com
  2. Click your name/avatar in the top right
  3. Click View Account
  4. On the following page click the Additional security verification link on the right

Method 2

  1. Log in to https://myapps.microsoft.com with your corporate credentials
  2. Click your avatar in the top right
  3. Select Profile in the drop-down
  4. On the following page click the Additional security verification link on the right

Missing the ‘Additional security verification’ Link?

When I log in with my Azure account that has been added to the Global Administrator role, the ‘Additional security verification’ link is not present when I view my profile/account. However, when I log in with my standard account, the link is present. I assume this has to do with the conditional access policy, but I have not been successful in locating official documentation, so your guess is as good as or better than mine. The good news is there are a few warp zones to get you where you want to be!

Configuring Authentication Verification Options

Once you’re on the ‘Additional security verification’ page, you can configure the methods you want to use to verify your identity (notification vs code vs phone number, if allowed by your organization), but most importantly you can set up an Authenticator app:

  1. In the browser, click the ‘Setup Authenticator app’ button and within a few moments you’ll see a QR code.
  2. On your phone, open the Microsoft Authenticator app and:
    • iOS: Select + to add an account.
    • Android: Tap the three dots then + Add account
  3. Select Work or school account
  4. Scan the QR code
  5. Back in the browser, click the Done button
  6. On your phone, positively acknowledge the authenticator prompt to verify it’s been set up correctly

Great Documentation

So my sleuthing didn’t require more than 5 minutes of time thanks to the great documentation Microsoft has been creating and/or updating over the past few years. Everything covered here is listed below and I recommend you give it a read. 🙂

Two-step verification overview
Manage your settings for two-step verification

Good Providence to you!