Skip to Content

Restoring Microsoft Authenticator on a New Device

If you’ve replaced your phone and need to get Microsoft Authenticator working again for SMU logins, follow the steps below. SMU currently only supports these authentication methods for verification:

Important:
Don’t erase or reset your old phone until you’ve successfully set up your new one. You’ll need to approve the new registration using one of your existing trusted sign-in methods.

🔐 Supported SMU Sign-In Methods

SMU currently supports the following authentication methods:

  • Microsoft Authenticator – push notifications, one-time codes, and passwordless phone sign-in
  • Passkeys – stored in Microsoft Authenticator, a FIDO2 security key, or Windows Hello for Business

✅ Scenario 1: You Still Have Access to a Trusted Device (Recommended)

Steps to Transfer Microsoft Authenticator

1. Confirm Cloud Backup on Old Device

  • Open Microsoft Authenticator

  • Go to Settings > Backup
  • Ensure Cloud Backup is on (automatic by default — no personal Microsoft account needed)

2. Restore on New Device

  • Install Microsoft Authenticator (App Store / Google Play)
  • Open → Tap Restore from backup (welcome screen — do not sign in normally) on your new device
  • Your work account name appears with red text: “Sign in” or “Action required”
       → No codes, no push, no passwordless yet

3. Verify & Fully Activate the Account (All in One In-App Flow)

  • Tap Sign in next to your work account
  • Enter your work password

  • Approve the verification from one of your existing trusted methods:

          Push notification on your old device → Approve

          Passwordless sign-in → Approve

          Passkey in Authenticator → Use

          Hardware security key (YubiKey) → Tap

  • Push notifications and codes are now active on the new device
  • If you previously had passwordless phone sign-in or passkeys in Authenticator, the app automatically continues and walks you through re-enabling them on the new device — no additional approval needed
  • When the flow finishes:
    • Push, codes, passwordless, and Authenticator-bound passkeys are all fully working on the new device

4. (Optional) Clean Up Old Device Registration

  • If desired, go to aka.ms/security-info or aka.ms/mfasetup
  • Delete the old device
  • Only now wipe or recycle the trusted device

⚠️ Removing an active device too soon will break existing logins. Only delete it after confirming your new device works.

🚫 Scenario 2: You No Longer Have a Trusted Device

If you can’t approve sign-in from an old phone or key:

  1. Contact the SMU's IT Help Desk:

  2. Provide your SMU ID number or NetID so we can verify your identity

They can:

  • Re-require MFA registration (admin clears old methods in Entra ID)
      → You set up Authenticator fresh (app will auto-guide through passwordless/passkey if previously enabled)
  • Generate a TAP (future) – one-time code to sign in and re-register

🧠 Prevention Tips

  • Always keep two or more authentication methods set up — for example:

    • Authenticator app + Windows Hello
    • Authenticator app on two devices
    • Authenticator + hardware key
  • Never delete the Authenticator app or wipe a device before confirming another sign-in method is active.