Microsoft Authenticator might exclude GrapheneOS in the future due to root detection

Microsoft recently updated its policies for Microsoft Authenticator, and GrapheneOS could be affected by this heavily. Since February, the app has been actively checking whether the phone is rooted. If root is detected, it’ll block access and also delete the stored credentials. It’s a phased rollout at the moment, so it won’t impact everyone.

The detection uses the Google Play Integrity API; since GrapheneOS is a custom OS, it ‘fails’ the integrity test. However, GrapheneOS is not rooted out of the box, and the new policies still affect it. According to Heise News, a Microsoft spokesperson directly stated that Microsoft Authenticator is not officially supported on GrapheneOS, and that it may impact devices in the future.

Microsoft wants to prevent the use of its authenticator app on phones that are rooted, since they assume rooted devices are less secure. Using Google Play Integrity as a measure of security counts GrapheneOS out, despite the OS being highly private and secure in several ways. Android hardware attestation is a better way of checking the security of a device, since it can whitelist GrapheneOS phones.

Since it’s a phased rollout, users begin receiving warning messages at first. Eventually, it’ll block new account setups entirely. The final phase is in July 2026, where it’ll also wipe all existing credentials. This has serious consequences, since people will lose access to their work credentials.

Ironically, GrapheneOS is one of the most private and secure systems because Google apps don’t even run directly, and a sandboxed version runs instead. Organizations eventually may be forced to allow alternative authenticator apps.

Some reliable alternatives are Google Authenticator or Aegies, and you can switch to those, unless your organization mandates Microsoft Authenticator.

Conversely, Motorola has announced a long-term partnership with GrapheneOS at MWC 2026. It’s counterintuitive for Microsoft to claim this shift in policy is for security reasons, and then block out one of the most secure operating systems with a lot of privacy features. Several people are understandably frustrated, and I hope Microsoft reverses this decision and whitelists GrapheneOS.

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.