Work is requiring me to install Microsoft Authenticator

So I have a few options and don't know which would be best.

I could install this on an old phone. However, the old phone is on a stock OS with all my old apps installed. I have NetGuard and Invizible Pro active, blocking internet on apps that don’t need it. I’d keep the phone off and in a Faraday case when not needed.

Alternatively, I could install this on my current phone, a Pixel 6 with GrapheneOS. I’d rather not have it on my current phone because it just feels weird. Though what I would plan on doing is creating a separate profile with just this app installed and all permissions disabled until I need to use said app.

Which option would you consider to be the most private and what would you do in my situation?

Doesn’t matter. What info will it get from your smartphone, since it won’t need any permissions?

2 Likes

Hmm, can’t you just scan the QR code with another authenticator?

I’d probably go for option one. However, that seems to be the most inconvenient one… If you forget that phone, and you need to verify, you are going to curse.

2 Likes

In my personal opinion, I’m not sure how private Microsoft Authenticator is, but if you want something practical and straightforward, I wouldn’t delve too deep into the options you mentioned. You can use Shelter or an app to manage a work profile and install it, or alternatively, use your old phone as you’ve mentioned.

The optimal choice will depend on how much you’ll be using Microsoft Auth for work. If you use it extensively, I would clearly recommend setting it up with a work profile.

Microsoft Authenticator and some others aren’t just plain TOTP apps, they take into account other aspects of the device and the administrator can choose to mandate location be one of them.

https://support.microsoft.com/en-us/account-billing/common-questions-about-the-microsoft-authenticator-app-12d283d1-bcef-4875-9ae5-ac360e2945dd

While you’re still accessing the protected resource, for the next 24 hours, your location will be shared silently once per hour from the device, so you will not need to get out your phone and manually approve each hour.

You might say: “Oh well my employer already has my home address”, but even then why does Microsoft need it?

5 Likes

Ah yes true, conditional access on Azure can create policies for location based authentication and deny legacy options.

  1. If you need an app for work, they should supply you a phone for work. Maybe try asking for one politely but assertively.
  2. What Ouros said: if it’s just about a TOTP code, maybe a different app will do; they all calculate the codes the same way.
  3. If they do more invasive checks like SkewedZeppelin explained, you should really be given a “just for work” phone. Blocking Internet access or a different profile wouldn’t work for this.

3 Likes
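Point 2 above ("they all calculate the codes the same way") refers to the RFC 6238 TOTP algorithm. The following is an added example, not code from the thread or from any authenticator app: it implements HOTP/TOTP, a server-side verification with a clock-skew window, and a parser for the `otpauth://totp/...` URI that enrollment QR codes encode (which is the "secret string" a standard authenticator imports). The secret is the RFC 6238 Appendix B test secret, and the sample URI, issuer and account name are constructed placeholders.

```python
"""TOTP as every standards-based authenticator computes it (RFC 4226 HOTP + RFC 6238).
Added example for illustration; not code from the thread or any vendor app."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a shared secret, tolerating spaces, lowercase and missing '=' padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6,
         period: int = 30, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret_b32), at // period, digits, algo)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None, window: int = 1, **kw) -> bool:
    """Server-side check: accept the current step and +/- `window` steps to absorb clock skew.
    Uses a constant-time comparison so a wrong digit does not leak timing information."""
    if at is None:
        at = int(time.time())
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + step * period, **kw), code):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Parse the Key Uri Format (otpauth://totp/<label>?secret=...&issuer=...&digits=...&period=...&algorithm=...)
    that an enrollment QR code carries. This is the portable form another app can import."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI has no secret parameter")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": q.get("issuer"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algo": ALGORITHMS[q.get("algorithm", "SHA1").upper()],
    }


def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """Generate the current code straight from an enrollment URI."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["digits"], p["period"], p["algo"])


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890") in Base32.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample enrollment URI (placeholder issuer and account, not a real account).
SAMPLE_URI = ("otpauth://totp/Example%20Corp:alice%40example.com"
              "?secret=" + RFC6238_SECRET + "&issuer=Example%20Corp&digits=8&period=30&algorithm=SHA1")

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, at=59, digits=8))          # RFC 6238 vector: 94287082
    print(code_from_uri(SAMPLE_URI, at=1111111109))       # RFC 6238 vector: 07081804
    print(verify_totp(RFC6238_SECRET, "94287082", at=89, digits=8))  # True via the skew window
```

The point for the thread: an app that can export or display this URI (or the bare `secret` value) is interchangeable with any other TOTP app, because the code depends only on the shared key, the clock and the parameters above. Enrollment flows that never expose such a URI, and instead exchange device-bound material over a proprietary channel, are what the later posts describe as not importable elsewhere.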

Not really sure if I am a fan of this solution. When supplied with a work phone, they can also probably track you down with the location of that iPhone via MDM, which also works when the device is turned off.

So this definitely isn’t a great situation either. Personally I refused a work phone for this reason and I do use Microsoft Authenticator as well but I did disable the internet access after initialization of the app and use the TOTP mode.

And no, other TOTP apps do not work. Microsoft uses some strange proprietary exchange of secrets and data communication to activate the app. There is no secret string to import into another app.

1 Like

Can you just claim that your phone broke and that you use a feature phone for now? Will they volunteer a work phone?

At least with a work phone you can turn it off and put it in a Faraday bag after work.

1 Like

Faraday bag might work. I would rather in that case put it on a device I control. Don’t see the advantage at all. And you will still need to turn it on when using it. Idk if you work remotely. My employer doesn’t need to know where I am working. :man_shrugging:

If they’re requiring you to install software, it should be on their own hardware. They should provide you a phone.

Failing that, can you suggest a hardware TOTP token?

2 Likes

I got asked this and just added the TOTP to another app no problem, MS made it annoying to get the seed, but after that I am not having any of the issues others are describing.

I would at least try it in case they are not enforcing any security rules and just asking for the app because “MS says so”.

1 Like

When my work switched to Microsoft Authenticator for 2FA, I found an option to use a different authenticator and was able to set it up using Aegis. If that’s a possibility for you that seems like the best option to me. Of note, I did have to explicitly choose that option, trying to scan the QR code for the MS app did not work.

1 Like

Unless you agreed to BYOD, your company has to provide you a phone. I assume they are forcing you to use MS Authenticator because you can go passwordless with MS business accounts, and also it is mandatory for Intune and Office app management.

Sure, you can demand a work phone, but you really should not want to. It definitely will not make your life more private.

I highly recommend you use your own device if you can. It is essential to consider the best approach to safeguarding personal and professional data. Many companies provide their employees with work phones. However, there is a compelling case to be made for using a work authenticator app on your private devices instead. By embracing this alternative, individuals can maintain greater control over their privacy, ensuring that sensitive information remains secure and personal boundaries respected.

  1. Data Ownership and Control: When using a work phone, you give away control over your personal information. The device becomes subject to employer policies, which will likely include monitoring activities, accessing personal data, remote wiping, installing applications and even network interception. In contrast, using a work authenticator app on a private device allows individuals to retain more control of their personal information. You can, for example, put it in a dedicated profile you can disable and enable, as well as block the internet and sensors.

  2. Data Plan and Usage: Work phones usually come with predetermined data plans, leaving employees with limited control over their internet usage. You will therefore share location to a carrier you have no control over. Besides that, this now becomes a business owned subscription, so you might have limited consumer protection and privacy rights.

  3. Location and Tracking Concerns: One of the most significant privacy concerns associated with work phones is the potential for constant location tracking. Employers may need to track the whereabouts of their employees for legitimate reasons, such as ensuring their safety during business travels. However, this constant monitoring can raise concerns about personal privacy and the potential misuse of location data. By opting for work authenticator apps on private devices, individuals can mitigate this risk. You are able to choose when and how your location data is shared, maintaining a sense of autonomy and privacy even during work-related activities.

While work phones may appear to be the default choice for organizations concerned about data security, the use of work authenticator apps on private devices offers a superior approach to protecting privacy for individuals. I really would reconsider whether you want a work phone. Personally, I chose not to use one at all, even though I have the option.

2 Likes

Why would you want to use work authenticator on your private mobile? How can you have greater control over your privacy if your company has access to your phone?

You should use separate phones for work and for private life. That is the best way.

If you mean that people shouldn’t use work phones for private use, yes, it is the expected and normal way to work.

You are able to choose when and how your location data is shared, maintaining a sense of autonomy and privacy even during work-related activities.

No, you can’t do that if your company installs a device management profile on your phone.

Also, you should separate your work and private life. By not using a work phone you are enabling yourself to be reached by work whenever they want, even though they are not supposed to. When my shift is over, or when I am sick or on vacation, I simply turn off my work phone.

By just putting an app on your own phone, the company does not have access to your entire phone? You can even just put it in a separate user profile. That is no different from using a different phone realistically.

For MDM, the story is quite different, but that’s not what this thread is about. You do not need MDM for Microsoft authenticator.

If it is just a simple TOTP generator, then you are right. It doesn’t require anything else. But, if it is Microsoft Authenticator, it usually requires access to company resources, and thus it installs a device management profile and requires Intune registration for compliance. That is the case for iOS devices.

For Android devices, if you are using Samsung devices there is an option to use two device profiles with Knox, which totally separates your apps. The company can only manage the work profile, managed by the enterprise Knox tool, and your personal profile will be yours only.

I don’t have experience with other Android devices, so can’t comment on them.

No, I am not talking about the TOTP generator. MS Authenticator has its own proprietary shit that unfortunately requires their own spyware app. Still I have never worked for an employer where this did not work without enrolling in an MDM.

Any Android phone has the option to create a work profile. I would highly discourage people from using Samsung phones at all.