[German]A quick note for people who use the Microsoft Authenticator app on an iPhone or Android device. Microsoft has announced that, as of February 24, 2026, it will first warn and then block EntraID logins on devices with jailbreak (iOS) or root access (Android) and finally delete the data. This change will be implemented gradually and is expected to be completed by mid-2026.
One user had pointed out the upcoming change in this comment. However, I had come across the announcement MC1179154 – Microsoft Authenticator app: Upcoming changes to jailbreak and root detection in the Microsoft 365 Message Center.
Microsoft's announcement is quite clear: From the end of February 2026, the Microsoft Authenticator app will recognize jailbroken devices running iOS and Android devices with root access. The Microsoft Authenticator app will block logins with Entra credentials on such devices.
There will be gradual warnings, then a lockout, and finally a deletion of the login data. This security feature is activated automatically and cannot be disabled. Users of devices without jailbreak/root access are not affected.
- General availability will begin worldwide for Android at the end of February 2026 and is expected to be completed in mid-2026.
- General availability will begin worldwide for iOS in April 2026 (instead of March) and is also expected to be completed in mid-2026.
For both platforms, an extension from April 2026 to mid-2026 has already been planned. Users of devices with jailbreak or root access will experience the rollout in three phases. The estimated interval between the three phases is approximately one month.
Phase 1 – Warning mode: Users simply receive a warning that their device has been jailbroken or rooted and will be blocked in the future (see screenshot above for iOS or screenshot below for Android).
Phase 2 – Lock mode: Users cannot register Entra login details or log in via Authenticator. This is then communicated to the user in corresponding messages, which are documented via screenshot under MC1179154 MC1179154.
Phase 3 – Delete mode: Existing Entra login details are deleted from devices with jailbreak or root access. Here, too, the corresponding messages are documented via screenshot under MC1179154.
Microsoft recommends that the help desk and users be provided with appropriate information. The tenant administrator can specify on the EntraID administrator page whether the Microsoft Authenticator app with the "Microsoft push method" is mandatory for 2FA. If only a time-based one-time password (TOTP) is configured, open-source authenticator apps should also be usable.
