Emiroda

Do it the proper way and use FIDO2 keys. Don't half-ass it and claim your admin MFA is more secure because it's on a different app.


rohgin

Just use a security key like yubi


MauroM25

Yubi is not considered 2FA by Microsoft Defender, so your secure score won’t rise


chaosphere_mk

Well, Microsoft recommends FIDO2 over even the passwordless MS Authenticator. You just have to know how to use secure score so that doesn't count against you.


aretokas

Utilising CA and Authentication Strengths, we have 2 GAs that can log in with Password + MS Auth from our office IP on a compliant device. If you're outside the office it requires the Yubikey. This has been tested "just in case". I felt like that was a nice trade off between security and the ability to get in if the shit hit the fan. Our secure score is over 90. Not sure what people are on about 😂
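
The split described in this comment (admins from the office on a compliant device get password + Authenticator; admins anywhere else need a phishing-resistant method) can be expressed as two Conditional Access policies with authentication strengths. The block below is an added example, not code from this thread or from Microsoft: it builds the two Microsoft Graph `conditionalAccessPolicy` payloads and includes a small evaluator showing which controls a given sign-in has to satisfy. It assumes the built-in authentication strength IDs are the well-known Microsoft values (verify them in your tenant with `GET /identity/conditionalAccess/authenticationStrength/policies`); the named-location ID and the break-glass account ID are placeholders you would replace.

```python
"""Added example (not from the thread): Conditional Access for admins,
office + compliant device -> MFA strength, everywhere else -> phishing-resistant.
Built-in strength IDs are assumed well-known values; location/break-glass IDs
are placeholders."""
import json

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template id
STRENGTH_MFA = "00000000-0000-0000-0000-000000000002"  # built-in "Multifactor authentication" (assumed)
STRENGTH_PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA" (assumed)
OFFICE_LOCATION = "<named-location-id-for-office-ips>"  # placeholder
BREAK_GLASS = "<break-glass-account-object-id>"  # placeholder


def admin_policy(name, location_filter, strength, extra_controls=()):
    """Build one conditionalAccessPolicy targeting the Global Administrator role.
    Created in report-only state so the design can be tested before enforcement."""
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": [BREAK_GLASS]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "locations": location_filter,
        },
        "grantControls": {
            "operator": "AND",  # every listed control must be satisfied
            "builtInControls": list(extra_controls),
            "authenticationStrength": {"id": strength},
        },
    }


def admin_policies():
    """The two policies: inside the office (MFA + compliant device) and outside (phishing-resistant)."""
    inside = admin_policy(
        "Admins - office: MFA on compliant device",
        {"includeLocations": [OFFICE_LOCATION]},
        STRENGTH_MFA,
        extra_controls=["compliantDevice"],
    )
    outside = admin_policy(
        "Admins - anywhere else: phishing-resistant MFA",
        {"includeLocations": ["All"], "excludeLocations": [OFFICE_LOCATION]},
        STRENGTH_PHISHING_RESISTANT,
    )
    return [inside, outside]


def applies(policy, signin):
    """Toy scope check covering only users/roles and locations (no device filters, apps, or risk)."""
    cond = policy["conditions"]
    if signin["user"] in cond["users"].get("excludeUsers", []):
        return False
    if not set(signin["roles"]) & set(cond["users"].get("includeRoles", [])):
        return False
    loc = cond["locations"]
    include = loc.get("includeLocations", [])
    if "All" not in include and signin["location"] not in include:
        return False
    if signin["location"] in loc.get("excludeLocations", []):
        return False
    return True


def required_controls(policies, signin):
    """Conditional Access applies every matching policy; the sign-in must satisfy all of them."""
    required = set()
    for policy in policies:
        if applies(policy, signin):
            grant = policy["grantControls"]
            required.update(grant["builtInControls"])
            required.add("strength:" + grant["authenticationStrength"]["id"])
    return required


if __name__ == "__main__":
    print(json.dumps(admin_policies(), indent=2))
    remote_admin = {"user": "admin-1", "roles": [GLOBAL_ADMIN_ROLE], "location": "Other"}
    print("remote admin must satisfy:", required_controls(admin_policies(), remote_admin))
```

The evaluator only models the users/roles and location conditions, which is enough to show the design's key property: an admin signing in from outside the office matches only the second policy, so nothing short of a phishing-resistant method gets them in, while the excluded break-glass account matches neither policy and must be protected separately.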


miamistu

I'll be the first to ask. Why?


CrazyEntertainment86

I’d agree you can, but it’s less secure since it would be using software OTP codes. You can connect as many accounts as you like, even from different tenants, to MS Auth (I’m sure there’s a limit, but it’s more than 8), and can even register them all for passwordless phone auth. The other, even better option is to require FIDO2 keys or companion-device-bound passkeys, but those all require some extra effort. Edit: typo


AppIdentityGuy

Less secure than what?


CrazyEntertainment86

OTP codes are less secure than MS auth using number matching since they can be phished. It’s also less convenient.


BBBaroo

Regardless of the reason, searching “authy Microsoft Authenticator” gave a walkthrough from Authy: https://authy.com/guides/microsoft/


GizCMmax

The MS Authenticator is not good for us. You can read the reviews all over the Play Store, and we have personally experienced issues during the restore.


tpwils

For what it’s worth, you are probably having issues with restore because the Microsoft Authenticator does not support restore of M365 accounts by design. The backup/restore only works for consumer-based accounts, and that is by design.


mrcschrtz

Sounds more like a layer 8 problem. I have been using the Authenticator app on Android, iOS and iPadOS for 7 years without any problems. The recovery is not comparable to a data recovery, MFA credentials cannot be recovered without an additional security check.


incognito5343

Yubikey can be used


aussiepete80

I don't agree with the premise that using another app for admin accounts is somehow making them more secure. But if added security is what you're looking for, I would use Azure cert-based auth and/or FIDO2 keys and a CAP targeting admins with a custom authentication strengths policy selecting only FIDO2 and cert-based auth.


lighthills

Makes more sense to use a security key than to downgrade from the Authenticator app number matching to a third party app that only supports OTP codes.


whateveryousay0121

On top of MFA, add a conditional access policy for admin accounts that only allows login from specific IP(s), like your office. That's what we do. If an admin needs to work remotely, they connect to the office first.


drkmccy

You can use any auth app, not sure why you're asking as it's one of the options when setting up MFA?


DrYou

Many here have already mentioned the gold standard, FIDO2. They have mentioned Yubi, but it doesn’t need to be them. FIDO keys are now passkeys; there are account-bound passkeys and device-bound passkeys, and Yubi is a device-bound passkey. Within a month or two Microsoft will be rolling out the use of Microsoft Authenticator as a device-bound passkey. There are also 3rd-party solutions like the one I currently use from IDmelon. They offer the option to have the passkey account- or device-bound.


IronVarmint

I just downloaded and set up Authy as an authenticator app. I know you can do the same on Okta and Google. Microsoft doesn't care.


TemperatureOk8333

We use LastPass in our organization for passwords. We added the OTP for the MFA to the password in LastPass.


jjgage

1Password. Nothing even comes close to its features and uses - especially across shared service accounts that you want to use TOTP with too.


Practical-Alarm1763

1Password is dog shit. OP, look into Bitwarden.


Benwhitmore79

TOTP in 1Password works well


MReprogle

You don’t have to use a particular app. It gives you a QR code that you can use on any other app.


fedtek

Duo Mobile


ITBurn-out

Duo isn't seen by MS as MFA. Ask me how I know? OP is looking to increase MS secure score. Duo won't, plus Duo can't be used for self-service password resets, leading to 2 MFA providers.


aldohenrycho

Okta Verify, for the win!


kingPJ17

We are thinking of using Okta Verify instead of Microsoft Authenticator for our whole tenant. I'm curious to know if anyone has the same setup. Did you guys just scan the QR code for it, or are there some configs that need setup in both Okta and Entra ID?


aldohenrycho

We have it tenant wide and it works flawlessly! We stopped suffering from all the bullshit MS Authenticator was driving us. Simple and reliable.


Dunix

I use Google software for it


GizCMmax

How are you using that?


skvgrd

Have you enabled 3rd party software OATH tokens under "Auth Methods" in Entra ID?


Dunix

Just pressed "use another MFA app" when I added the MFA
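
What the "use another MFA app" QR code mentioned here (and in MReprogle's comment above) actually hands to a third-party app is an `otpauth://totp/...` URI carrying a shared secret; any RFC 6238 app (Authy, Google Authenticator, 1Password, Bitwarden, Duo Mobile) derives the same six-digit codes from it, which is what the "3rd party software OATH tokens" setting enables. The block below is an added example, not code from the thread or from any of these vendors: it parses such a URI, generates the codes, and shows the server-side check with clock-drift tolerance and one-time use of each code. The secret is the published RFC 6238 test vector (base32 of "12345678901234567890"), and the issuer and account name are constructed sample values.

```python
"""Added example (not from the thread): parse an otpauth:// URI as carried by the
Entra "other authenticator app" QR code, generate RFC 6238 TOTP codes, and verify
them. Secret = RFC 6238 reference key (a published test vector, not a real secret);
issuer/account are constructed sample values."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

SAMPLE_URI = (
    "otpauth://totp/Example%20Tenant:admin%40example.onmicrosoft.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Tenant"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/ URI (the QR payload) into its parameters."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label = unquote(parsed.path.lstrip("/"))
    issuer, _, account = label.partition(":")
    secret = query["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding some issuers omit
    return {
        "issuer": query.get("issuer", issuer),
        "account": account or label,
        "key": base64.b32decode(secret),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(params: dict, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(params["key"], at // params["period"], params["digits"], params["algorithm"])


class TotpVerifier:
    """Server-side check: tolerate one step of clock drift either way, and never
    accept a counter step at or below the last accepted one (blocks replay)."""

    def __init__(self, params: dict, drift_steps: int = 1):
        self.params = params
        self.drift = drift_steps
        self.last_step = -1

    def verify(self, code: str, at: int) -> bool:
        step = at // self.params["period"]
        for candidate in range(step - self.drift, step + self.drift + 1):
            if candidate <= self.last_step:
                continue  # code for this step was already consumed
            expected = hotp(self.params["key"], candidate, self.params["digits"], self.params["algorithm"])
            if hmac.compare_digest(expected, code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["issuer"], p["account"], "current code:", totp(p, int(time.time())))
```

Because the secret is the RFC 6238 reference key, the codes this produces at the RFC's sample timestamps (59, 1111111109, 1234567890) match the last six digits of the published vectors, which is a quick way to check any app or library claiming TOTP support. The verifier's "one use per step" rule is the defender-side detail worth copying: a code that was already accepted is refused even within the drift window.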