← Back
(Updated) Microsoft Authenticator app: Upcoming changes to jailbreak and root detection
MC1179154 · build prod-20251231-200323
Category
planForChange
Severity
normal
Major change
False
Last modified
2025-11-11 20:33:49
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
2026-02-01 00:00:00
Services
Microsoft Entra
Tags
Updated message, Feature update, User impact, Admin impact
Master tags
Security
Roadmap IDs

One-line summary

Starting February 2026, Microsoft Authenticator will block and wipe Entra credentials on jailbroken/rooted iOS and Android devices to enhance security; no admin action is needed.

Similar updates

More like this
MC1184994 (Updated) Microsoft Teams frontline BYOD onboarding wizard
... January) and is and expected to complete by end of February 2026 (previously end of January) [How this affects your organization:] Who is affected:  Frontline workers setting up Microsoft Teams on personal Android or iOS devices What will happen: A new onboarding wizard will be available via web, optimized for desktop kiosks or shared PCs .
MC1024404 (Updated) Microsoft Entra: Browser access will be enabled by default for all Android users
(Updated) Microsoft Entra: Browser access will be enabled by default for all Android users Microsoft Entra ID device registration for Android will become hardware-bound, retiring the Enable Browser Access feature in Authenticator and Company Portal apps; change is automatic. Updated July 24, 2025: We have updated the timeline. The Enable Browser.
MC1097225 (Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview)
(Updated) Entra ID: Upcoming changes to support passkey profiles in the authentication methods policy (preview) Entra ID expands passkey policy in November 2025 public preview, enabling group-based passkey controls, new API schema, and broader attestation support for FIDO2/passkey providers. ...sing the following attestation statements: “none” .
MC1191924 Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection
Microsoft Entra ID: Enhance protection of the authentication experience by blocking external script injection Microsoft Entra sign-in pages will enforce a stricter Content Security Policy in October 2026, blocking non-Microsoft scripts and injected code to enhance protection against XSS threats. Introduction As part of Microsoft’s Secure Future.
MC1088732 Microsoft Teams: Important updates for Android-based Teams devices – Authentication changes coming soon
Microsoft Teams: Important updates for Android-based Teams devices – Authentication changes coming soon Teams Android devices must update to specified app versions for modern Entra ID authentication by Dec 31, 2025, or risk service disruption; enhanced security features will be enabled. If your organization does not manage one or more certified.
MC1193408 (Update)Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026
(Update)Action Required: Trust DigiCert Global Root G2 Certificate Authority for using Entra services by January 7, 2026 By January 7, 2026, Microsoft Entra will switch from DigiCert Global Root G1 to G2 certificates. Organizations must trust the DigiCert G2 root CA to avoid authentication failures with Entra services. Remove any pinning. Updated.

Details

Summary
Starting February 2026, Microsoft Authenticator will detect jailbroken/rooted devices on iOS and Android, blocking and eventually wiping Entra credentials on such devices in a phased rollout through April 2026. This security feature is automatic, affects only compromised devices, and requires no admin configuration.

Body (from Message Center)

Updated November 11, 2025: We have updated the content and the images below. Thank you for your patience.

[Introduction]

Starting February 2026, we will introduce jailbreak and root detection for Entra credentials in the Microsoft Authenticator app on both iOS and Android platforms. This change enhances security by preventing Entra credentials from functioning on jailbroken/rooted devices. All existing Entra credentials on jailbroken or rooted devices will be wiped to protect your organization. This capability is secure by default and does not require any admin configuration or control.

[When this will happen] 

General Availability (Worldwide) rollout begins in February 2026 and is expected to complete in April 2026.

[How this affects your organization]

Who is affected: All users of Microsoft Authenticator on iOS and Android whose Entra credentials are registered on jailbroken or rooted device. This is going to be a continuous check.

What will happen:

  • The feature is secure by default and enabled to all customers. There is no opt-out capability..
  • Users on jailbroken or rooted devices will experience the following phased rollout. An estimated gap between 3 phases is ~ 1 month.
    • Phase 1 – Warning Mode: Users receive a warning that their device is jailbroken or rooted and will be blocked in the future (screenshots 1-4): 

      • user settings

      user settings

      user settings

      user settings

    • Phase 2 – Blocking Mode: Users are blocked from registering Entra credentials or signing in via Authenticator (screenshots 5-8):

      • user settings

      user settings

      user settings

      user settings

    • Phase 3 – Wipe Mode: Existing Entra credentials are wiped from jailbroken or rooted devices (screenshots 9-11):

      • user settings

      user settings

      user settings

  • Users on non-Jailbroken or non-rooted devices will not be affected.

[What you can do to prepare]

  • Notify users about this upcoming change. Users will see error messages or banners in the Authenticator app during warning or blocking phases. These screens are dismissible but indicate the device status.
  • Communicate to helpdesk staff that Authenticator will become unusable for Entra accounts on jailbroken or rooted devices.
  • Update internal documentation if you reference Authenticator usage.
  • No admin action is required to enable or configure this feature.

Learn more: About Microsoft Authenticator | Microsoft Support

[Compliance considerations]

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw 
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": "2026-02-01T00:00:00Z",
    "ai_actions": [
      "Notify users about upcoming enforcement",
      "Update helpdesk and documentation"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Starting February 2026, Microsoft Authenticator will block and wipe Entra credentials on jailbroken/rooted iOS and Android devices to enhance security; no admin action is needed.",
    "ai_topics": [
      "Entra",
      "Authenticator"
    ],
    "category": "planForChange",
    "details_map": {
      "Summary": "Starting February 2026, Microsoft Authenticator will detect jailbroken/rooted devices on iOS and Android, blocking and eventually wiping Entra credentials on such devices in a phased rollout through April 2026. This security feature is automatic, affects only compromised devices, and requires no admin configuration."
    },
    "id": "MC1179154",
    "importance": 5,
    "is_major_change": false,
    "last_modified": "2025-11-11T20:33:49Z",
    "ms_products": [
      "Entra"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Entra"
    ],
    "severity": "normal",
    "tags": [
      "Updated message",
      "Feature update",
      "User impact",
      "Admin impact"
    ],
    "title": "(Updated) Microsoft Authenticator app: Upcoming changes to jailbreak and root detection"
  }
}