
Azure Cloud & AI Domain Blog

AC&AI domain is the largest technology domain within the Microsoft Consulting Services Organization. We aim to deliver world-class solutions with our team of expert Consultants, Project Managers and Architects across Data & AI, Apps, Security and Azure Infrastructure

Use the Microsoft Authenticator application as backup sign-in method when mobile device has no connectivity.

Johan Heyneke | Azure MFA, Identity, Microsoft Authenticator Application, Security | February 13, 2023 | 3 Minutes

You can use the Microsoft Authenticator application to complete MFA (Multi-Factor Authentication) sign-in when your mobile device has no connectivity. The Authenticator application functions as the primary and backup sign-in method.


Scenario

The scenario for this would be that you have connectivity on your workstation to access cloud applications, but your mobile device has no connectivity. This could be an issue with data connectivity only or complete connectivity issues on the mobile device such as having no signal.

When push notification is enabled for the Microsoft Authenticator application, you receive a notification on your device which you can approve or deny to complete sign-in. When your mobile device has no data, you will not be able to receive these push notifications.

You won’t be able to receive any text (SMS) messages when your mobile device has no signal. This would mean that you also cannot use the text method as a backup sign-in method. This may be a concern as you may think that you will not be able to complete the sign-in request in these situations.

The Microsoft Authenticator application provides a backup sign-in method when configured to use push notifications. This backup method can be used in situations when you have no connectivity on your mobile device.

MFA number matching changes the “Approve” or “Deny” behavior and will be enabled by default after 27 February 2023. You can read more on number matching in my other blog post.


Backup sign-in method

The Microsoft Authenticator application automatically generates codes which can be used for sign-ins even when push notification is set as your default sign-in method. The auto-generated code can be used as a backup sign-in method when your mobile device has no connectivity.


Using the Microsoft Authenticator auto generated code as backup sign-in method

The user configured the Microsoft Authenticator with push notifications as the default sign-in method. Phone (Text) is also configured as a sign-in method.



The default behavior during sign-in with this configuration would be a notification on my mobile device to approve the sign-in request. Number matching is enabled for this user, thus the prompt on my workstation would appear as per the image below:



The mobile device is set to airplane mode to simulate the scenario of having no connectivity. This results in not being able to approve the sign-in request using the Microsoft Authenticator application. I also won’t be able to receive a text message on my mobile device to complete the sign-in. It may seem that I do not have any available sign-in method to complete the sign-in request.



I can wait for the timeout to occur and select “Enter a security code from your Microsoft account or authenticator app instead” on the sign-in window as per image below:



This will take me directly to the next window which will prompt for the code:



I can also select “I can’t use my Microsoft Authenticator app right now” on the sign-in window instead of waiting for the request to time out.



This will prompt me to select an alternative sign-in method based on the available methods configured during MFA setup or added later using the “My Security Info” page. I won’t be able to use text, so I will select “Use a verification code”.



This will take me to the sign-in window prompting to enter the code:



I can obtain the code by selecting the appropriate account in the Microsoft Authenticator application.



I can now use the code from the Authenticator application to complete the sign-in request. The code will continue to change every 30 seconds even with no connectivity on the mobile device.




Summary

The Microsoft Authenticator application can be used as your primary and backup sign-in method. You don’t need to rely on a text message and can still complete a sign-in request when your mobile device has no connectivity.

