Microsoft Entra: Improved Backup and Restore Experience for the Authenticator App on iOS

🚨 The Signal: Microsoft Authenticator on iOS now backs up account names and TOTP credentials to iCloud/Keychain. This improves recovery for users but requires careful management of iCloud security and device trust.

The Impact

End-users benefit from the improved recovery, while security teams must assess the risk that iCloud backups pose to MFA credentials.

  • End-users: Easier recovery of MFA accounts on new devices.
  • Security Teams: New vector for MFA credential backup requires policy review.
  • Identity Teams: Potential reduction in MFA lockout support requests.
  • Compliance Teams: Review of data residency and encryption for iCloud backups.

The Action

  1. Review existing mobile device security policies regarding iCloud backup of sensitive application data.
  2. Communicate to users the importance of securing their Apple ID and iCloud account.
  3. Consider conditional access policies that restrict device platforms or require compliant devices for MFA registration.
  4. Evaluate the use of Microsoft Intune to manage iOS device backups and data protection policies.
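As an added example for action 3 (not code from the original post or from Microsoft), the following Microsoft Graph PowerShell creates a Conditional Access policy that requires a compliant device when iOS users register or change security info, which is the path a user takes when setting Authenticator up on a new iPhone. It assumes the Microsoft.Graph PowerShell SDK, the Policy.ReadWrite.ConditionalAccess permission, and a placeholder emergency-access group ID.

```powershell
# Added example: Conditional Access policy for security-info registration.
# Assumes the Microsoft.Graph SDK is installed and the signed-in admin can grant
# Policy.ReadWrite.ConditionalAccess. The group ID below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: replace with your emergency-access (break-glass) group's object ID
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require compliant device for security info registration (iOS)"
    # Report-only first: sign-in logs show who would be affected before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        # The "Register security information" user action covers Authenticator
        # setup and other MFA method changes made through My Security Info.
        applications = @{
            includeUserActions = @("urn:user:registersecurityinfo")
        }
        # Narrowed to iOS to match this page; remove the platforms block to
        # apply the same requirement to every platform.
        platforms = @{
            includePlatforms = @("iOS")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the Entra sign-in logs, then switch `state` to `enabled` once the excluded group and device compliance coverage are confirmed.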

Domain: Entra · Impact: medium · Workload: Entra ID · Essential Eight: Multi-Factor Authentication, Regular Backups · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1511, ISM-1515, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1705, ISM-1706, ISM-1707, ISM-1708, ISM-1810, ISM-1811, ISM-1812, ISM-1813, ISM-1814, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907