Refer to this scribe guide if easier to interact with:
Configuring Third-Party OATH TOTP Applications for Multi-Factor Authentication
This guide provides instructions for enabling and configuring third-party authenticator apps (such as Google Authenticator or Authy) as a secondary sign-in method for Microsoft 365 accounts through Entra. This is an alternative for users who prefer not to use the Microsoft Authenticator app.
Target Audience: This document includes both administrative configuration steps (for IT staff) and end-user setup instructions.
Before users can add a third-party app, the Microsoft Entra ID tenant must be configured to allow “Software OATH tokens.”
1. Enable OATH Tokens
- Log in to the Microsoft Entra admin center.
- Navigate to Protection > Authentication methods > Policies.
- Select Software OATH tokens.
- Set the Enable toggle to On.
- In the Target tab, select the appropriate groups or All users.
- Click Save.
2. Resolving “Missing Link” Issues
If users report they cannot see the option for “Different authenticator app,” check the following settings:
- Registration Campaign:
- Navigate to Authentication methods > Registration campaign.
- If state is set to Microsoft Managed, Microsoft may hide other options to force the use of the Microsoft app. Consider just setting to “Enabled” or adding an exclusion for specific users during setup.
- Navigate to Authentication methods > Registration campaign.
- System-preferred MFA:
- Navigate to Authentication methods > Settings.
- If enabled, Entra ID will automatically skip selection screens to prompt for the most secure method found. This is preferred to leave enabled to make sure strongest MFA method is selected, but if it causes issues, switch to “Disabled”
- Navigate to Authentication methods > Settings.