How to Transfer Microsoft Authenticator to a New Phone
Switching to a new phone is exciting — until you realize your two-factor authentication codes didn't come with it. Microsoft Authenticator doesn't transfer like your photos or contacts. Understanding exactly why, and what your options are, saves you from getting locked out of your accounts.
Why Microsoft Authenticator Doesn't Transfer Automatically
Microsoft Authenticator stores time-based one-time passwords (TOTP) and account credentials locally on your device. This is intentional. The security model behind authenticator apps assumes that the secrets used to generate codes never leave your device unencrypted — that's what makes them more secure than SMS codes.
When you get a new phone, those secrets don't automatically migrate. The app can be reinstalled, but the accounts inside it need to be re-linked or restored through a specific process. How smooth that process is depends heavily on your account types and whether you planned ahead.
The Two Main Transfer Scenarios
Microsoft Personal and Work Accounts (Backed Up Through the App)
For Microsoft accounts (personal, work, or school accounts managed through Microsoft's own systems), Authenticator has a built-in cloud backup feature. When enabled, the app encrypts your account credentials and syncs them to your Microsoft account.
To use this:
- On your old phone, open Microsoft Authenticator → Settings → enable iCloud backup (iOS) or Cloud backup (Android)
- On your new phone, install Microsoft Authenticator, sign in with the same Microsoft account, and choose to restore from backup during setup
This is the cleanest path — when it works. It works reliably for personal Microsoft accounts. Work and school accounts managed by an organization (via Azure Active Directory / Entra ID) may not fully restore this way, depending on how your IT department has configured things.
Third-Party Accounts (Gmail, Facebook, Banks, etc.)
This is where most people run into friction. Third-party accounts — anything you added to Authenticator by scanning a QR code — store a shared secret between the site and your device. That secret isn't backed up the same way.
For these accounts, your options are:
| Approach | What It Requires | Works Without Old Phone? |
|---|---|---|
| Disable and re-enable 2FA on each site | Access to the account via another method | Yes, if you can log in |
| Use backup codes saved at setup | Having saved them previously | Yes |
| Scan new QR codes from each service | Access to account settings | Yes |
| Transfer via old phone still in hand | Old phone functional and accessible | Yes |
If your old phone is still working, the smoothest approach is to set up the new phone while keeping the old one active, re-scan QR codes from each service's security settings, then remove the old entries afterward.
What the Transfer Process Actually Looks Like 📱
If You Have Your Old Phone
- On each account's website or app, go to Security → Two-Factor Authentication → Manage authenticator app
- Request a new QR code (most services allow multiple authenticators simultaneously)
- Scan it with Microsoft Authenticator on your new phone
- Verify the new codes work before removing the old device
If You No Longer Have Your Old Phone
This path is harder. Your options depend on what fallbacks you set up:
- Backup codes — Most services give you a set of single-use recovery codes when you first enable 2FA. If you saved these, use one to log in, then reset your authenticator.
- Backup email or phone number — Many services allow fallback verification via SMS or email, which you can use to access the account and reconfigure 2FA.
- Account recovery — For accounts with no fallback, you'll need to go through the service's identity verification process. This varies significantly by provider and can take hours or days.
Factors That Affect How Smooth the Transfer Is 🔐
Not everyone's experience will be the same. Several variables determine how easy or complicated this gets:
- How many accounts you have in Authenticator — a handful of personal accounts is manageable; dozens of work and personal accounts across services is a different challenge
- Whether your old phone is accessible — having both phones during the switch changes everything
- Whether you're on iOS or Android — backup behavior differs between platforms; iCloud backup is used on iOS, while Android uses Google account backup infrastructure
- Organizational vs. personal accounts — IT-managed work accounts may require your company's IT team to re-enroll your device
- Whether you saved backup codes — this single factor often determines whether a locked-out situation takes five minutes or five days to resolve
- Account-by-account policies — some financial institutions and enterprise tools have stricter re-enrollment processes than consumer services
The Accounts Most Likely to Cause Problems
Work or school accounts on managed devices are the most unpredictable category. If your employer uses conditional access policies or requires device enrollment through Microsoft Intune or a similar MDM platform, simply restoring from backup may not be enough. Your IT administrator may need to re-approve or re-enroll the new device.
Financial services and government accounts often have stricter identity verification requirements and may not support standard TOTP transfer — they may issue hardware tokens or require in-person verification to re-enroll.
Consumer accounts — social media, email, streaming services — are generally the easiest to re-link because they support standard TOTP and usually offer multiple fallback options.
A Note on Preparation
The single biggest factor separating a five-minute transfer from a multi-day recovery process is whether you saved your backup codes and enabled cloud backup before switching phones. Most people discover this only after the fact.
The mix of account types in your Authenticator app, the policies of each individual service, and whether your old device is still available all shape what "transferring Microsoft Authenticator" actually means for your specific situation.