Over the last week I have had a number of issues with authentication, particularly with ensuring that all our clients are using MFA for Microsoft, which led to the title of this post: Updating Logins with Microsoft Authenticator.
In my role as a client-facing systems administrator I have a lot of Microsoft accounts for various testing scenarios and administration functions. Using Microsoft Authenticator on my mobile as a primary 2-factor/multi-factor (2FA or MFA) tool is an obvious solution.
During a session of checking documentation and validating account access I had a need to update a number of logins. As a result of logging into Microsoft around 20 times I have found that the quickest and easiest method to check or update any of the account information is with this link https://mysignins.microsoft.com/.
What happens with that link? First up, it redirects to a https://login.microsoftonline.com/ OAuth2 URL and prompts for your login email or phone number.
Enter an email address and select Next.
Sign in using the existing strong (long) passphrase. Yes, passphrase rather than password. We wrote a post on that topic many years ago and have updated it recently.
After selecting Sign In the MFA login screen is shown, assuming you already had MFA configured. In my case I was unable to access some of these accounts via Authenticator due to swapping phones and having another phone break down in the last 6 months.
In this case, selecting either the Authenticator or the alternative method, “Can’t use authenticator now”, provides a second confirmation of my identity.
Using an alternative method assumes that you had originally configured other options like an email address or a phone number that can receive text messages.
The “Don’t ask again for 180 days” option is not guaranteed. I have not confirmed it, but I am sure it is just a cookie in the browser and if you use different browsers for various tasks then the 180 days only applies on that computer or device and only for that web browser. Use another device or another web browser and you will be prompted again, potentially just 5 minutes later!
So now that we are logged in, we are automatically re-routed back to the URL we started with, which is https://mysignins.microsoft.com. It looks like this, with multiple panels and options.
I’ll leave most of the options for another post; the one I needed to use today was the Security Info section.
From here the process is fairly straightforward. Select the + Add sign-in method, add a new phone, or Authenticator App, or email address for multi-factor authentication. Select the Default sign-in method, which I have set as Microsoft Authenticator. It’s generally quick and simple, while an email takes a bit longer and requires copy/paste of a code or similar.
Removal of an old authentication method, like my now-dead iPhone 4, is as simple as hitting the Delete option.
Another useful screen is the Organisations panel which helps when you have more than one organisation that you deal with.
The only obvious thought here is that the Home organisation may change for some people and I am not sure what happens if you leave an organisation but have it as your Home? I will look at that another day.