Why a Lost Work Phone Is a Security Incident, Not Just an Inconvenience
Losing a work phone feels stressful enough on its own. But the real problem is not the device itself — it is everything it unlocks. A company mobile typically holds active sessions for Microsoft 365, Teams, Outlook, and corporate VPN. It may be running an authenticator app generating MFA codes every thirty seconds. It almost certainly has access to shared files, contacts, and internal communications.
In the wrong hands, that phone is a master key. Whoever has it may be able to read emails, approve their own authentication requests, reset passwords, and access cloud storage — all without knowing a single credential. That is why a lost or stolen work phone must be treated as a security incident from the moment you realise it is missing.
The steps below are written in order of urgency. The first ten minutes matter most.
Immediate Steps to Take (In Order of Urgency)
1. Report to IT Immediately
Your first call should be to your IT team or helpdesk, not to the phone network. IT can begin remote access revocation, check audit logs, and initiate a device wipe before any of the other steps are possible. Do not wait until you are sure the phone is stolen rather than mislaid — report it lost and escalate if it turns up.
If your organisation has an incident response procedure, this is the moment to trigger it. Log the time you noticed the phone was missing, the last known location, and whether the screen was locked.
2. Sign Out of All Microsoft 365 Sessions Remotely
While IT is actioning their side, you can revoke active Microsoft 365 sessions yourself from any browser. Go to myaccount.microsoft.com, sign in, and look under Devices or Security info for the option to sign out of all sessions. This invalidates the active tokens for Outlook, Teams, SharePoint, and OneDrive on the missing device immediately.
Your IT administrator can also do this from the Microsoft Entra admin centre (formerly Azure Active Directory) by revoking the user’s refresh tokens directly — which is faster and more thorough.
3. Initiate a Remote Wipe
If your organisation uses Microsoft Intune or another mobile device management platform, IT can issue a remote wipe command that erases all corporate data from the device. Depending on the enrolment type, this can be a selective wipe (removing only company data and apps, leaving personal content intact) or a full factory reset.
If the device is not enrolled in MDM, the built-in platform options are the next best thing. For iPhones, use iCloud.com and the Find My feature to lock and wipe the device. For Android, use android.com/find via a Google account to secure or erase it remotely. Both require the device to have been signed into the relevant account beforehand, which is why this should be set up as standard during device provisioning.
4. Revoke MFA Tokens and Change the Account Password
If the phone was running Microsoft Authenticator or another TOTP app, whoever holds it can currently generate valid MFA codes for your account. IT should revoke all registered MFA methods and force re-registration from a trusted device. Your password must also be changed immediately — not later that day, right now.
Once the password is changed and MFA tokens are revoked, any active session that survived the earlier sign-out will be terminated when it next attempts to validate.
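Steps 2 to 4 can be scripted so an administrator runs them in a fixed order under pressure. The block below is an added example, not code from the page or from Microsoft; it expresses the sequence as Microsoft Graph v1.0 calls (revokeSignInSessions, the Intune managedDevices retire/wipe actions, deletion of Microsoft Authenticator methods, and a password reset via passwordProfile). The user, device and method ids and the temporary password are placeholders; the selective-versus-full decision is keyed on Intune's device ownership flag (personal = retire, company = wipe), and sessions are revoked a second time at the end so no token issued between the steps survives. It runs offline with the recording transport shown; graph_transport is the live variant and assumes a token obtained separately with the relevant Graph permissions.

```python
"""Containment for a lost Microsoft 365 phone, expressed as Microsoft Graph calls.
Added example: ids and the password are placeholders; the dry-run transport
records requests instead of sending them."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class Request:
    method: str
    path: str
    body: Optional[dict] = None


def revoke_sessions(user_id: str) -> Request:
    """Step 2: invalidate refresh tokens so every signed-in app must re-authenticate."""
    return Request("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions")


def wipe_request(device_id: str, owner_type: str) -> Request:
    """Step 3: choose the wipe type from Intune's managedDeviceOwnerType.
    'personal' (BYOD) -> retire: remove company data and apps, keep personal content.
    anything else (company-owned) -> wipe: full factory reset."""
    base = f"{GRAPH}/deviceManagement/managedDevices/{device_id}"
    if owner_type == "personal":
        return Request("POST", f"{base}/retire")
    return Request("POST", f"{base}/wipe",
                   {"keepEnrollmentData": False, "keepUserData": False})


def remove_authenticators(user_id: str, method_ids: List[str]) -> List[Request]:
    """Step 4: delete each registered Microsoft Authenticator method.
    Method ids come from GET /users/{id}/authentication/microsoftAuthenticatorMethods."""
    return [Request("DELETE",
                    f"{GRAPH}/users/{user_id}/authentication/microsoftAuthenticatorMethods/{m}")
            for m in method_ids]


def reset_password(user_id: str, temporary_password: str) -> Request:
    """Step 4: set a temporary password and force a change at next sign-in."""
    return Request("PATCH", f"{GRAPH}/users/{user_id}",
                   {"passwordProfile": {"forceChangePasswordNextSignIn": True,
                                        "password": temporary_password}})


def containment_plan(user_id: str, device_id: str, owner_type: str,
                     authenticator_ids: List[str], temporary_password: str) -> List[Request]:
    """Ordered plan: cut sessions first, wipe, strip MFA, rotate the password,
    then revoke sessions again so nothing minted between the steps survives."""
    plan = [revoke_sessions(user_id), wipe_request(device_id, owner_type)]
    plan += remove_authenticators(user_id, authenticator_ids)
    plan.append(reset_password(user_id, temporary_password))
    plan.append(revoke_sessions(user_id))
    return plan


def execute(plan: List[Request], send: Callable[[Request], int]) -> List[tuple]:
    """Run the plan in order, stopping at the first failure; returns
    (path, status) pairs for the incident timeline."""
    results = []
    for req in plan:
        status = send(req)
        results.append((req.path[len(GRAPH):], status))
        if status >= 400:
            break
    return results


def graph_transport(access_token: str) -> Callable[[Request], int]:
    """Live transport (assumed token with Graph user, auth-method and Intune permissions)."""
    def send(req: Request) -> int:
        data = json.dumps(req.body).encode() if req.body is not None else None
        http = urllib.request.Request(req.path, data=data, method=req.method,
                                      headers={"Authorization": f"Bearer {access_token}",
                                               "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(http) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send


if __name__ == "__main__":
    # Dry run: record what would be sent. Swap in graph_transport(token) to run for real.
    sent = []

    def dry_run(req: Request) -> int:
        sent.append(req)
        return 204

    plan = containment_plan("<user-object-id>", "<intune-managed-device-id>", "company",
                            ["<authenticator-method-id>"], "<temporary-password>")
    for path, status in execute(plan, dry_run):
        print(status, path)
```

The plan stops at the first failed call rather than carrying on: a half-applied containment that the operator knows about is better than one that silently skipped the MFA removal.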
5. Check Audit Logs for Suspicious Activity
Ask IT to review the Microsoft 365 audit log and sign-in logs in Entra for any activity from the device after it was lost. Look for logins from unusual locations, email forwarding rules that were not there before, file downloads from SharePoint or OneDrive, and any changes to account settings. Acting quickly means there is a good chance the window of exposure is short — but you need to verify that.
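The log review in step 5 is easier to do consistently with a small script than by eye. The following is an added example, not code from the page or from Microsoft: it takes Entra sign-in records, Exchange inbox rules and unified audit log file events in the shapes returned by Graph (auditLogs/signIns, mailFolders/inbox/messageRules, and audit search results) as I understand them, and flags successful sign-ins after the loss from the missing device or from a country the user does not normally use, enabled rules that forward or redirect mail, and file downloads after the loss. All records, ids, timestamps and the home-country baseline are constructed for the example; the only Entra convention it relies on is that status.errorCode 0 means a successful sign-in.

```python
"""Post-loss triage over sign-in, inbox-rule and file-download records.
Added example: every record below is constructed, not taken from a real tenant."""
import json
from datetime import datetime
from typing import Dict, List, Set


def _ts(s: str) -> datetime:
    # Graph timestamps end in 'Z'; fromisoformat on older Pythons needs '+00:00'.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


LOST_AT = _ts("2024-05-14T08:30:00Z")   # constructed: when the phone was noticed missing
LOST_DEVICE_ID = "dev-lost-0001"        # constructed: Entra device id of the phone
HOME_COUNTRIES: Set[str] = {"GB"}       # constructed: where this user normally signs in from


def _signin(when: str, app: str, country: str, device: str, code: int) -> dict:
    return {"createdDateTime": when, "appDisplayName": app,
            "location": {"countryOrRegion": country},
            "deviceDetail": {"deviceId": device}, "status": {"errorCode": code}}


SIGN_INS = [  # constructed Entra sign-in records
    _signin("2024-05-14T07:55:00Z", "Microsoft Teams", "GB", LOST_DEVICE_ID, 0),      # before loss
    _signin("2024-05-14T08:47:00Z", "Outlook Mobile", "GB", LOST_DEVICE_ID, 0),       # phone used after loss
    _signin("2024-05-14T09:02:00Z", "Office 365 SharePoint Online", "NL", "", 0),     # unfamiliar country
    _signin("2024-05-14T09:10:00Z", "Microsoft Teams", "GB", "dev-laptop-7", 50126),  # failed sign-in
    _signin("2024-05-14T10:00:00Z", "Microsoft Teams", "GB", "dev-laptop-7", 0),      # user's own laptop
]

INBOX_RULES = [  # constructed messageRules
    {"displayName": "File invoices", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-1"}},
    {"displayName": "Sync", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "mailbox@external.example"}}],
                 "delete": True}},
]

AUDIT_EVENTS = [  # constructed unified audit log records
    {"CreationTime": "2024-05-14T07:00:00Z", "Operation": "FileDownloaded",
     "ObjectId": "https://tenant-my.sharepoint.example/personal/user/Documents/Team-rota.xlsx"},
    {"CreationTime": "2024-05-14T08:50:00Z", "Operation": "FileDownloaded",
     "ObjectId": "https://tenant-my.sharepoint.example/personal/user/Documents/Q2-forecast.xlsx"},
    {"CreationTime": "2024-05-14T08:52:00Z", "Operation": "FileAccessed",
     "ObjectId": "https://tenant-my.sharepoint.example/personal/user/Documents/Notes.docx"},
]


def suspicious_sign_ins(records: List[dict], lost_at: datetime,
                        lost_device_id: str, home_countries: Set[str]) -> List[dict]:
    """Successful sign-ins after the loss from the missing phone or an unusual country."""
    flagged = []
    for r in records:
        if _ts(r["createdDateTime"]) < lost_at or r["status"]["errorCode"] != 0:
            continue
        from_phone = r["deviceDetail"].get("deviceId") == lost_device_id
        odd_place = r["location"].get("countryOrRegion") not in home_countries
        if from_phone or odd_place:
            flagged.append({"when": r["createdDateTime"], "app": r["appDisplayName"],
                            "reason": "lost device" if from_phone else "unfamiliar country"})
    return flagged


def forwarding_rules(rules: List[dict]) -> List[str]:
    """Enabled rules that forward or redirect mail: these outlive a session revocation."""
    keys = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
    return [r["displayName"] for r in rules
            if r.get("isEnabled") and any(r["actions"].get(k) for k in keys)]


def downloads_after(events: List[dict], lost_at: datetime) -> List[str]:
    """File downloads recorded after the loss (reads are reported separately as FileAccessed)."""
    return [e["ObjectId"] for e in events
            if e["Operation"] == "FileDownloaded" and _ts(e["CreationTime"]) >= lost_at]


def triage(sign_ins: List[dict], rules: List[dict], events: List[dict], lost_at: datetime,
           lost_device_id: str, home_countries: Set[str]) -> Dict:
    """Summary for the incident record, including how long after the loss
    the last suspicious sign-in occurred (the exposure window)."""
    flagged = suspicious_sign_ins(sign_ins, lost_at, lost_device_id, home_countries)
    last = max((_ts(f["when"]) for f in flagged), default=lost_at)
    return {"sign_ins": flagged,
            "forwarding_rules": forwarding_rules(rules),
            "downloads": downloads_after(events, lost_at),
            "exposure_window_minutes": int((last - lost_at).total_seconds() // 60)}


if __name__ == "__main__":
    print(json.dumps(triage(SIGN_INS, INBOX_RULES, AUDIT_EVENTS,
                            LOST_AT, LOST_DEVICE_ID, HOME_COUNTRIES), indent=2))
```

The forwarding-rule check matters because an inbox rule is server-side state: revoking tokens and wiping the phone do not remove it, so it has to be found and deleted explicitly.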
What Your IT Team Can Do With MDM in Place
Organisations that have enrolled devices in a mobile device management solution such as Microsoft Intune, Jamf, or VMware Workspace ONE have significantly more control. From a central console, IT can:
- Remotely lock the device with a PIN IT sets, preventing any access immediately
- Issue a selective or full remote wipe, erasing corporate data or the entire device
- Remove corporate email profiles, VPN configurations, and managed apps
- Disable the device’s ability to authenticate to corporate resources via compliance policies
- Generate a report of which apps and data were on the device at the time of loss
MDM enrolment is the single most effective tool for responding to a lost device. Without it, your options are considerably more limited and depend on what the user set up personally before the loss occurred.
What to Do If There Is No MDM in Place
If the device was not enrolled in MDM, users must rely on built-in platform controls and account-level revocation. The steps are:
- Use iCloud Find My (iPhone) or Google Find My Device (Android) to lock or erase the handset
- Contact your mobile network provider to bar the SIM using the IMEI number — this prevents calls and data usage on the network
- Revoke Microsoft 365 sessions and MFA tokens as described above
- Remove the device from any accounts it was registered to (Apple ID, Google account, Microsoft account)
- Notify your IT team so they can document the incident even if they cannot take direct action on the device
The absence of MDM is a gap that should be addressed before the next device is issued. This incident is the evidence needed to make that case internally.
After the Immediate Response: Review and Document
Once the immediate threat is contained, the incident is not over. Your organisation should conduct a brief post-incident review to understand what data was accessible, for how long, and whether any suspicious activity occurred before access was revoked.
Document the timeline, the actions taken, and any gaps in the response. If your organisation is subject to UK GDPR and personal data may have been accessible on the device, you need to assess whether a breach notification to the ICO is required within 72 hours of becoming aware of the incident. Take legal advice if you are unsure.
Update your incident response plan to reflect what worked and what slowed the response down. A lost phone drill — running through the steps with IT before it actually happens — is worth the hour it takes.
How to Prevent It Next Time
Prevention does not stop phones from being lost, but it dramatically reduces the impact when they are. The key controls to have in place are:
- MDM enrolment for all company devices — non-negotiable if your organisation issues or allows phones for work use
- Strong device PIN or biometric lock — a six-digit PIN at minimum, Face ID or fingerprint preferred; auto-lock should be set to 30 seconds or less
- Conditional Access policies in Microsoft Entra — require devices to be compliant and enrolled before they can access corporate resources
- Disable SMS-based MFA — SMS codes can be intercepted, or received by whoever holds the SIM; use an authenticator app or hardware key instead
- Encrypt device storage — both iOS and modern Android devices encrypt by default, but verify this is enforced via policy
- Remote wipe pre-configured — ensure Find My (iPhone) or Find My Device (Android) is enabled on every device at setup
Frequently Asked Questions
Can someone access my work email if the phone is locked?
If the device has a strong PIN or biometric lock, direct access is unlikely without specialist tools. However, an unlocked phone or a weak PIN is all it takes. This is why revoking server-side sessions immediately is critical — it cuts off access regardless of whether the device itself is physically locked.
Will a remote wipe work if the phone is switched off?
The wipe command will be held in a queue and execute the moment the device comes back online and connects to the internet or a mobile network. It will not work if the device is permanently powered off or the SIM is removed and it never reconnects — which is another reason to bar the SIM with your network provider as a belt-and-braces measure.
Do I need to report a lost work phone to the police?
If the phone was stolen rather than lost, reporting it to the police and obtaining a crime reference number is advisable. Your employer’s insurance may require it, and it provides a formal record of the incident. The IMEI number — found on the original box or in your account settings — should be included in the report so the device can be flagged with networks.
What if the lost phone had the Microsoft Authenticator app on it?
This is one of the most urgent scenarios. Whoever has the phone can generate valid MFA codes for your Microsoft account unless those codes are revoked. IT must remove the authenticator device from your account settings in Entra immediately and re-register MFA on a trusted device. Do not wait — treat this as the top priority alongside changing your password.