Microsoft Authenticator issue

jroddev

I'm currently getting this error setting up an account in Microsoft Authenticator
"Google Play Services is not currently available on this device. Some features will be unavailable".

I have Frameworks and Services installed from the GrapheneOS App Store. Both have network permission and unrestricted battery setting.

I unfortunately can't switch to another authenticator as my company uses the popup request prompt instead of TOTP.

Does anybody have this working on GrapheneOS or know something I can try?
I'm on Pixel 7.

o31f7

Install the play store as well.

jroddev

Installed the Play Store and it works now. Thanks!

jroddev

Also for anyone else who comes across this. I did not need to reinstall authenticator from the Play Store.
After I installed the Play Store my Aurora Store installed Authenticator just started working.

Three1989

jroddev

What did you do, to install Play Store?

It's not in Aurora Store.

Three1989

jroddev

Nevermind. I found it.

FYI to anyone noobing their way through Microsoft Authenticator install, and HAS NOT already set up sandboxed Google Play Services, read on.

Perhaps this is due to (1) egregious encroachment from one's employer re: mandatory apps required on a personal/non-provided device, which (2) must meet MS's requirements for Authenticator (no old devices, you see), so that (3) we can pay our post-tax earnings to purchase a device which helps us plead for the Byzantine plutocracy to accept our pitiful 'biometric identity' (4) so that they'll present the corporate teat that allows us to consume (5).... but i digress

In the end, I acquiesced, and decided to split my phone's personality by adding a new User/Profile. Graphene/Daniel, you have earned my donation, this is a great feature.

Here's what I did:

create a new profile, for ONLY work / MS Authenticator --- (Settings / System / Multiple Users / Add User)
when setting up new User, allow your app store (Aurora Store, in my case) to be installed in the new Work profile you're creating.
go into the Work profile, set up how you prefer (navigation, defaults, etc),
in your app store (Aurora for me), download and Install Microsoft Authenticator
After installing MS Authenticator, pull/slide up the app tray, where all apps are visible
click on the "Apps" app (black and white 3d box)
within, click on Google Play, and Install
pay attention to the Notifications - there are about 16 ways that Play doesn't like what you're doing (more proof of concept for GOS) - and solve the hurdles one by one
After Play is installed in your Work Profile, go into Authenticator and follow your steps for registration/setup/login

Relaks

In sum: one can create a separate profile with Sandboxed Google Play, and, as long as M. Authenticator detects the presence of Play Store, it works fine.

freezet

My Aegis also has Microsoft no Play Service required, but maybe its something differerent

Rennnat

I've got to use Microsoft Authenticator for work, and I can sign in with it, but the sign in gets "blocked" saying: "We are currently unable to collect additional security information. Your organization requires this information to be set from specific locations or devices."
I've followed the previous poster for installing Play Services and such, but haven't been able to get it to work. I've got Google's location accuracy turn on and have given MS Auth all permissions before opening it for the first time.

Some of the troubleshooting details show that MS Auth isn't able to get a device identifier (Not available) or device state (unregistered).

My best hypothesis is my sign in is being blocked because it can't get a device identifier.

Any ideas?

Cellloh

I ran into the same problem and having Play Store installed did not fix the issue. However, after a reboot and starting the Play Store once, Microsoft Authenticator works like a charm with push notifications. (Probably one of reboot or launching the Play Store once is enough, but obviously, it's not easy now to verify which.)

05moa

When you have sandboxed Google play in the profile and the playstore along with Aurora in the profile do you have to sign into the playstore for it to work?

DeletedUser237

05moa no, it just needs to be installed.

user2025

Hello lads,

This Authenticator is the last piece that prevents me from being full GOS usage user.

Ive installed MS Authenticator in the work profile,along with all M365 apps ...and,without any Google Stuff.

It works somehow but need to do a restore, as i have near 100 accounts in the other soon to be replaced device. It takes the restore account,it prompts other phone to confirm the MFA validation but then after few seconds, restore fails due to "no internet access,check connectivity"...but network works all fine.

Do i really need GOOGLE stuff to enable MICROSOFT stuff !!???

Arghhh...
Thanks for any help.

fid03

user2025 Do i really need GOOGLE stuff to enable MICROSOFT stuff !!???

Please see the previous replies in this thread. Microsoft made Microsoft Authenticator dependant on Play services, so you need to install sandboxed Google Play for Microsoft Authenticator to fully work.

user2025

Done that.
It detected that the software version is not from the Play Store and i had to remove & reinstall.

It fails to connect / restore the cloud backup from the other phone,which works fine.
Same error that no connectivity to Internet.

Tried succesfully to add new accounts and got notification and confirmed worked but not the backup/restore process.
Is not difficult to add an extra device in M365 portal but other websites doesnt support two MFA codes devices,so not sure how that can be worked around it.

Hmmmm...could be something else and not GOS.

Thanks.

Oggyo

Looks like MS Auth. may soon stop working on GrapheneOS as faulty determines it as rooted.

Source - M365 admin center.

Summary
Starting February 2026, Microsoft Authenticator will detect jailbroken/rooted devices on iOS and Android, blocking and eventually wiping Entra credentials on such devices in a phased rollout through April 2026. This security feature is automatic, affects only compromised devices, and requires no admin configuration.

Phase 1 – Warning Mode: Users receive a warning that their device is jailbroken or rooted and will be blocked in the future

Phase 2 – Blocking Mode: Users are blocked from registering Entra credentials or signing in via Authenticator

Phase 3 – Wipe Mode: Existing Entra credentials are wiped from jailbroken or rooted devices

de0u

Oggyo Security... or security theater?

Stephan-P

Oggyo deeply worrying if true. What can users do in advance to bypass this, preventing the projected disastrous outcome? Remove all MSAuth based authentication codes and replace them with e.g. Aegis ones?

Stephan-P

Created a separate thread for this latest twist