💡 Our Technical Review in summary
- Microsoft is introducing mandatory jailbreak and root detection for Entra ID credentials within the Microsoft Authenticator app on both iOS and Android.
- The rollout is scheduled to begin in late February 2026 and will be fully completed by June 2026.
- This is a “secure by default” update; it will be automatically enabled for all organizations, and there is no option for administrators to opt-out or disable the detection.
- The enforcement is designed to prevent compromised devices from hosting sensitive Entra ID credentials, thereby reducing the risk of credential theft.
#### Impact
- Phased Enforcement: The transition will occur in three distinct phases, with approximately one month between each:
- Phase 1 (Warning): Impacted users receive dismissible notifications that their device status is non-compliant.
- Phase 2 (Blocking): Users are prevented from registering new Entra credentials or signing in via the Authenticator app.
- Phase 3 (Wipe): All existing Entra credentials are automatically removed from the jailbroken or rooted device.
- Timeline: iOS rollout starts late February 2026 (completing in May); Android rollout starts March 2026 (completing in June).
- User Experience: Only users with modified (jailbroken/rooted) devices are affected. Users on standard, unmodified operating systems will experience no change in functionality.
- Credential Loss: In the final phase, any Entra ID account stored in Authenticator on a compromised device will be deleted, requiring the user to move to a supported device to regain access.
#### Action Required
- User Communication: Proactively notify users that Microsoft Authenticator will soon stop functioning on jailbroken or rooted devices. Advise them to move their Entra ID accounts to standard devices to avoid lockout.
- Helpdesk Training: Brief support staff on the upcoming change. Ensure they can identify the warning and blocking screenshots so they can explain to users why their access has been revoked.
- Update Documentation: Review and update internal IT policies, specifically BYOD (Bring Your Own Device) and Multi-Factor Authentication (MFA) guides, to reflect that modified devices are no longer supported.
- Policy Review: While no admin configuration is required in the Entra portal, admins should review their existing Conditional Access policies to ensure alternative authentication methods are available for users who may need to transition to a new device.
Microsoft Official Update
Service: N/A
Category: planForChange
Severity: normal
Updated January 22, 2026: We have updated the timeline. Thank you for your patience.
[Introduction]
Starting end of February 2026, we will introduce jailbreak and root detection for Entra credentials in the Microsoft Authenticator app on both iOS and Android platforms. This change enhances security by preventing Entra credentials from functioning on jailbroken/rooted devices. All existing Entra credentials on jailbroken or rooted devices will be wiped to protect your organization. This capability is secure by default and does not require any admin configuration or control.
[When this will happen]
General Availability (Worldwide iOS) rollout begins in end of February 2026 and is expected to complete in May 2026 (previously April).
General Availability (Worldwide Android) rollout begins in March 2026 (previously February) and is expected to complete in June 2026 (previously April).
[How this affects your organization]
Who is affected: All users of Microsoft Authenticator on iOS and Android whose Entra credentials are registered on jailbroken or rooted device. This is going to be a continuous check.
What will happen:
- The feature is secure by default and enabled to all customers. There is no opt-out capability..
- Users on jailbroken or rooted devices will experience the following phased rollout. An estimated gap between 3 phases is ~ 1 month.
- Phase 1 – Warning Mode: Users receive a warning that their device is jailbroken or rooted and will be blocked in the future (screenshots 1-4):
- Phase 2 – Blocking Mode: Users are blocked from registering Entra credentials or signing in via Authenticator (screenshots 5-8):
- Phase 3 – Wipe Mode: Existing Entra credentials are wiped from jailbroken or rooted devices (screenshots 9-11):
- Users on non-Jailbroken or non-rooted devices will not be affected.
[What you can do to prepare]
- Notify users about this upcoming change. Users will see error messages or banners in the Authenticator app during warning or blocking phases. These screens are dismissible but indicate the device status.
- Communicate to helpdesk staff that Authenticator will become unusable for Entra accounts on jailbroken or rooted devices.
- Update internal documentation if you reference Authenticator usage.
- No admin action is required to enable or configure this feature.
Learn more: About Microsoft Authenticator | Microsoft Support
[Compliance considerations]
No compliance considerations identified, review as appropriate for your organization.
