Microsoft Authenticator passkey setup: step-by-step for iOS and Android
The Microsoft Authenticator app stores passkeys for your work or school account on Microsoft Entra ID. This guide walks through registering one — on iPhone and on Android — and explains the device-bound vs synced choice that often catches users out.
Why a Microsoft Authenticator passkey at all
A passkey stored in Microsoft Authenticator is the cleanest of the mobile options for an Entra ID account. The credential lives in the same app that already handles your push-MFA approvals, so signing in to Microsoft 365, Teams, or any Entra-protected app only ever takes one tap and a fingerprint. There is no second credential vault, no sync to a personal account, and IT can verify exactly where the passkey lives if your tenant requires attestation.
Compared with iCloud Keychain (synced across your Apple devices) or Google Password Manager / Samsung Pass, Authenticator passkeys are device-bound: they live on this specific phone. If you replace the phone, you re-register. For most enterprise rollouts that is a feature, not a limitation.
Before you start
- Authenticator installed and signed in. Install Microsoft Authenticator from the App Store (iOS) or Play Store (Android), open it, and tap Add account → Work or school account. Sign in with your work email — the device must be registered with Authenticator before you try to add a passkey.
- OS up to date. Authenticator passkeys require iOS 17.4 or later, or Android 14 or later. Older versions silently fall back to a security-key prompt that does not work for the workflow described here.
- Tenant policy enabled. Your IT admin needs "Passkey (FIDO2)" enabled in the Entra Authentication methods policy for your account. If you reach step 4 below and the option is greyed out, this is why.
Step-by-step on iPhone
1. Open Safari (not the in-app browser inside Authenticator) and go to aka.ms/mysecurityinfo.
2. Sign in with your work account, completing any existing MFA.
3. Tap Add sign-in method, then choose Passkey.
4. When prompted, tap Use Microsoft Authenticator. iOS may show a credential picker first — pick Microsoft Authenticator, not iCloud Keychain, unless your IT team has told you to use Apple's vault.
5. Authenticator opens. Confirm with Face ID or Touch ID. The app shows a green tick and says "Passkey registered".
6. Back in Safari, the page refreshes to confirm the passkey is now listed under your sign-in methods. You are done.
Step-by-step on Android
On Pixel and most Android devices the steps mirror iPhone. On Samsung Galaxy phones there is one extra setting — see the Samsung Pass + Entra passkeys guide for that detour.
1. Open Chrome and go to aka.ms/mysecurityinfo.
2. Sign in with your work account.
3. Tap Add sign-in method → Passkey.
4. When the OS credential picker appears, tap Microsoft Authenticator. On Galaxy, you may need to choose Authenticator as the default passkey service first — see the linked Samsung guide.
5. Confirm in Authenticator with the device biometric. The app confirms registration.
6. The browser tab updates to show the new passkey under your sign-in methods.
Device-bound vs synced — what to pick
The Authenticator passkey is device-bound. Apple and Google offer synced passkeys via iCloud Keychain and Google Password Manager respectively. The trade-off:
- Authenticator (device-bound). Highest assurance, satisfies attestation requirements, dies with the phone. Re-register when you replace the device. Recommended for managed work devices and any tenant with elevated compliance requirements.
- iCloud Keychain or Google Password Manager (synced). The same passkey is available on every device signed into your Apple ID or Google account. Friendly UX, lower assurance, may be blocked by tenant policy. Reasonable for BYOD general-staff scenarios.
If you do not know which your tenant allows, ask IT — or just pick Authenticator, which is allowed in every passkey-capable tenant.
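For anyone verifying this distinction on the server side, the WebAuthn authenticator data that accompanies a passkey carries two flag bits, backup eligible (BE) and backup state (BS), that separate a device-bound credential from a syncable one. The parser below is an added example, not code from Microsoft or from this guide; the RP ID rp.example, the credential ID and any AAGUID passed to build_sample are constructed sample values.

```python
import hashlib
import struct
import uuid

# Bit masks for the flags byte of WebAuthn authenticator data.
UP, UV, BE, BS, AT = 0x01, 0x04, 0x08, 0x10, 0x40


def classify_passkey(auth_data: bytes) -> dict:
    """Parse authenticator data and report the credential's backup posture."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    be, bs = bool(flags & BE), bool(flags & BS)
    if bs and not be:
        # "Backed up" without "backup eligible" is an invalid combination.
        raise ValueError("invalid flags: BS set while BE is clear")
    result = {
        "rp_id_hash": auth_data[:32].hex(),
        "user_verified": bool(flags & UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "kind": "syncable" if be else "device-bound",
        "currently_backed_up": bs,
        "aaguid": None,
    }
    if flags & AT:
        # Attested credential data: AAGUID (16) | credIdLen (2) | credId | key
        if len(auth_data) < 55:
            raise ValueError("AT set but attested credential data is truncated")
        result["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID runs past the end of the data")
    return result


def build_sample(rp_id, flags, aaguid=None):
    """Constructed sample input, not captured from a real authenticator."""
    data = hashlib.sha256(rp_id.encode()).digest()
    data += bytes([flags]) + struct.pack(">I", 0)
    if aaguid is not None:
        cred_id = b"\x01" * 16  # constructed credential ID; COSE key omitted
        data += aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id
    return data


if __name__ == "__main__":
    for f in (UP | UV, UP | UV | BE | BS):
        print(classify_passkey(build_sample("rp.example", f))["kind"])
```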
Common errors and what they mean
- "This sign-in method is not supported by your tenant." Your IT team has not enabled passkey registration in the Authentication methods policy. Contact your helpdesk; this is not something you can resolve on your phone.
- "We couldn't verify your device." The work account in Authenticator is not linked to the device. In Authenticator, tap your work account and run through the device registration prompt before retrying.
- "Authenticator is not installed." The OS credential picker did not see Authenticator. Re-install the app from the official store, sign in once, then retry registration.
- iOS Face ID rejects you twice and the prompt closes. Open Authenticator manually, confirm Face ID works there, then retry the registration.
- QR scanner appears instead of Authenticator. You are on an older OS or older Authenticator build, or you tapped "Security key" instead of "Passkey". Update both, restart the registration, and pick Passkey at the second prompt.
If you manage a fleet, not just your own phone
IT teams running an Entra ID passkey rollout should expect helpdesk volume to spike in the first 48 hours after the announcement, then taper. The two highest-leverage preparations are:
- Run an internal pilot on real Samsung, Pixel, iPhone, and Windows devices — screenshots from a Pixel will not predict what a Samsung user actually sees.
- Point the announcement email at a single URL that adapts to the visitor's device, rather than sending a list of conditional paragraphs that make users read past instructions for devices they do not own. The Entra ID passkey rollout guide covers the comms cadence and the tracking signals worth watching.
Last reviewed 25 April 2026. Microsoft Authenticator's passkey UX has changed materially across 2024-2026; check the Microsoft Learn passkey article for the most current screens before finalising end-user instructions.