Microsoft Authenticator is the app your IT team is probably already asking you to install. Whether you are setting up multi-factor authentication (MFA) for a Microsoft 365 work account or moving to passwordless sign-in, Authenticator is the recommended method for most business environments. This guide walks you through everything: downloading the app, adding your work account, enabling passwordless sign-in, and dealing with the most common problems.
What Is Microsoft Authenticator and Why Do Businesses Use It?
Microsoft Authenticator is a free security app from Microsoft, available on both iOS and Android. It serves two main purposes in a business context.
First, it acts as an MFA method. When you sign in to Microsoft 365 with your username and password, Authenticator provides the second factor — either a push notification you approve or a six-digit one-time code. This significantly reduces the risk of account compromise even if your password is stolen.
Second, it supports passwordless phone sign-in. With this enabled, you do not type a password at all. Instead, you approve a number-matching prompt on your phone. This is faster and more secure than passwords alone, which is why many organisations are moving to it as their default sign-in method.
How to Download Microsoft Authenticator
The app is free and available on both major platforms.
- iPhone and iPad: search for “Microsoft Authenticator” in the App Store, or scan the QR code provided by your IT team. The publisher should show as Microsoft Corporation.
- Android: search for “Microsoft Authenticator” on Google Play. Again, verify the publisher is Microsoft Corporation before installing.
Once installed, open the app and accept any permissions it requests — camera access is needed for QR code scanning, and notification access is required for approval requests.
Adding Your Work or School Account
There are two common scenarios for adding a Microsoft 365 work account to Authenticator. The method depends on whether your IT team has triggered an MFA setup prompt or whether you are adding a method yourself through your account settings.
Via QR Code During MFA Setup (IT-Triggered)
This is the most common scenario. Your organisation enables MFA on your account, and the next time you sign in you are prompted to set it up.
- Sign in to Microsoft 365 at office.com or portal.microsoft.com with your work credentials.
- When prompted with “More information required”, click Next.
- On the “Keep your account secure” screen, select “Microsoft Authenticator” if it is not already selected, then click Next.
- On your phone, open Microsoft Authenticator. Tap the plus icon in the top right corner and choose “Work or school account”, then select “Scan a QR code”.
- Point your phone’s camera at the QR code displayed on your computer screen.
- Once scanned, your account will appear in the app. Click Next on the computer.
- A test notification will be sent to your phone. Approve it by tapping “Approve” and entering the two-digit number shown on your screen if prompted.
- Click Next and then Done. Your account is now registered.
Via Security Info (Self-Service)
If you want to add or change your MFA method yourself, or if your organisation allows self-service security info management:
- Go to myaccount.microsoft.com and sign in with your work account.
- Select “Security info” from the left-hand menu.
- Click “Add sign-in method” and choose “Authenticator app” from the dropdown.
- Follow the on-screen steps, which will guide you through the same QR code scanning process described above.
Setting Authenticator as Your Default Sign-In Method
If you have multiple MFA methods registered (such as a phone number and the Authenticator app), you should set Authenticator as your default to ensure you always get the faster push notification experience.
- Go to myaccount.microsoft.com and select “Security info”.
- Look for the “Default sign-in method” section at the top of the page.
- Click “Change” and select “Microsoft Authenticator — notification” from the list.
- Click Confirm.
From this point forward, when you sign in to any Microsoft 365 service, the app notification will be sent automatically without you needing to choose a method each time.
Passwordless Phone Sign-In
Passwordless sign-in removes the password step entirely. You enter your email address, and Microsoft sends an approval to your phone. You unlock your phone and tap Approve — no password required.
To enable it for your work account:
- Open Microsoft Authenticator on your phone.
- Tap your work account (shown by your name and email address).
- Tap “Enable phone sign-in” if the option is available. If you do not see this option, your organisation may not have enabled the feature — check with your IT team.
- Follow the prompts to register your device. You may be asked to set up a PIN or biometric lock on your phone if you have not already done so.
Note that some organisations restrict passwordless sign-in through Conditional Access policies. If the option is greyed out or unavailable, your IT administrator controls this setting.
Getting a New Phone: Transferring Microsoft Authenticator
This is one of the most common pain points. If you get a new phone and your old phone is no longer available, you cannot simply restore a backup and expect Authenticator to work — the keys are device-specific for security reasons.
The recommended approach is to set up cloud backup before switching phones.
- On iPhone: open Authenticator, go to Settings, and enable iCloud backup. When you set up the app on your new iPhone and sign in with the same personal Microsoft account used for backup, your accounts will restore.
- On Android: open Authenticator, go to Settings, and enable cloud backup (linked to a personal Microsoft account). On your new device, sign in with the same account to restore.
If you did not set up a backup and have already lost access to your old phone, contact your IT helpdesk. They can reset your MFA methods from the Microsoft Entra admin centre, allowing you to re-register Authenticator on your new device.
Common Issues and How to Fix Them
Not Receiving Approval Requests
If approval notifications are not arriving, check the following. Make sure notifications are enabled for Microsoft Authenticator in your phone’s Settings app. On Android, also check that battery optimisation is not preventing the app from running in the background — add Authenticator to the “unrestricted” or “don’t optimise” list. On iPhone, ensure Background App Refresh is enabled for Authenticator.
Authenticator Is Blocked by Your Organisation
Some organisations enforce Conditional Access policies that require devices to be compliant or enrolled in mobile device management (MDM) before Authenticator can be used. If you see an error stating your device is not compliant, you will need to enrol your phone in your company’s MDM solution (typically Microsoft Intune) before MFA registration will succeed. Your IT team can guide you through this process.
The QR Code Will Not Scan
If the QR code scan fails, check that camera permissions are granted to Microsoft Authenticator. If the problem persists, use the “Or enter code manually” link on the computer screen — this gives you a code and URL to type directly into the app instead of scanning.
Frequently Asked Questions
Can I use Microsoft Authenticator for personal Microsoft accounts as well as work accounts?
Yes. The app supports personal Microsoft accounts, work or school accounts, and third-party accounts that use the TOTP standard. All accounts are listed separately within the app.
Is Microsoft Authenticator safe to use?
Yes. Authenticator uses industry-standard cryptographic methods and stores credentials securely on your device. It is significantly safer than receiving MFA codes via SMS, which can be intercepted through SIM-swapping attacks.
What happens if I lose my phone?
Contact your IT helpdesk as soon as possible. They can disable your MFA methods remotely and help you re-register on a new device. If cloud backup was enabled, restoring your accounts on a new phone is straightforward once your IT team resets your registration.
Do I need an internet connection to use the one-time codes?
No. The six-digit TOTP codes generated by Authenticator work offline — they are time-based and do not require a network connection. However, push notifications (the Approve/Deny prompts) do require an internet connection on your phone.






