How to Use Microsoft Authenticator in China: A Practical Guide

How Microsoft Authenticator is different in China？

• App distribution: Google Play is not the standard channel; many Android users rely on vendor app stores.
• Push notifications: Android push notifications usually depend on Google Mobile Services (Firebase); without them, push notifications can be delayed or fail. iOS push via Apple Push Notification service tends to be more reliable.
• Device variability: Vendor ROMs (Huawei, Xiaomi, OPPO, vivo, Lenovo, Samsung) treat background tasks and notifications differently, affecting the app.
• Tenant settings: If the verification-code method is not enabled in Microsoft Entra ID, one-time passcodes (OTP) cannot be used even if the app is installed.
• Connectivity: Cross-border routing or poor local routes can slow or drop authentication calls.

Known limitations

• Push notifications on Android may be unreliable on many Chinese devices due to missing Google Mobile Services.
• Some vendor app stores may delay app updates or host different package versions.
• Certain advanced features (e.g., some passwordless flows) may require vendor-specific verification and may not behave identically to other regions.

How to use Microsoft Authenticator in China?

1. Install the app

iOS devices

• iOS users download the app directly from the Apple App Store.

Android devices in China

Because the Google Play Store is not available in China, Microsoft Authenticator must be installed from supported local Android app stores. According to Microsoft’s official guidance, the app can be downloaded from these stores in China:

Apart from the three official app stores announced by Microsoft, mainstream app stores such as those of vivo, Xiaomi, and Huawei have also launched Microsoft Authenticator for download (screenshot below). Microsoft notes that these store versions are maintained as up to date as possible, but it is not responsible for versions distributed through other channels.

Alternative ways to install

• If your device does not list the app in its default store, some users may be able to install the app from another supported store on the same phone (for example, Samsung or Lenovo stores).
• Some IT teams distribute the app via corporate device management tools if a device is managed.
• Where app stores do not provide the app, downloading and installing the official APK manually may be attempted; only install packages from trusted and verified sources.

Notes about Android systems in China

• On Android devices in China, push notifications generally do not work for Microsoft Authenticator because the Google Mobile Services framework is not available. Instead, users should rely on one-time passcodes (OTP) shown by the app for authentication.
• Some devices or third-party ROMs may behave differently when installing or running the app. In all cases, using the official store versions listed above gives the best chance of a successful installation.

2. Enroll in an account

• Open the Authenticator app and add a work account by scanning the QR code provided during account setup or by signing in with corporate credentials.
• Complete enrollment to enable one-time passcodes (OTP) and ensure at least one backup method is registered, such as SMS, an alternate email, or a hardware token for high-privilege accounts.
• Android devices may require granting notification or background permissions for OTPs to generate reliably. For guidance on configuring OTP in your organization, see the Microsoft Entra ID docs. 

3 Log in day to day

• On iPhones, push notifications can be used for approval.
• On Android devices, users should rely on the six-digit OTP shown in the app. OTP codes work offline, so a temporary network outage will not block access.
• Device time must remain accurate; enable automatic time sync to prevent OTP failures.

4. If a push notification does not arrive

Troubleshooting quick steps:

• Open Microsoft Authenticator and use the six-digit code shown there to sign in.
• Ensure device time is set to Automatic/Network time.
• Toggle network (Wi-Fi/mobile) or try a different network.
• Reboot the device and try again.

If still failing, JET IT Services can assist with the device model, OS version, and a screenshot of the error.

5. Lost, stolen, or replaced devices

• Report the device to the helpdesk immediately to revoke access and prevent unauthorized logins.
• Use Self-Service Password Reset (SSPR) where available to recover account access.
• For critical accounts, a temporary hardware token can be issued while the replacement device is set up. Learn more about SSPR.

6. Quick tips

• Keep the Authenticator app updated via official stores; avoid third-party APKs.
• Enroll at least one backup authentication method during initial setup.
• Document instructions for your users for each device type, so enrollment and login steps are predictable.
• For organizations with mixed fleets or multiple vendors, IT teams can help create tailored enrollment guides and manage device distribution. See Microsoft 365 services.

For issues with enrollment, managed installs, OTP fallback, or recovery flows, contact us for practical solutions. 

FAQs

1. Is Microsoft Authenticator available in China?

Yes. Microsoft provides guidance for downloading via ios, selected local Android stores and official channels. 

2. Will push work on Android in China?

Often not. Many Android builds in China lack Google Mobile Services, which push relies on. Treat push on Android as optional.

3. Do OTP codes work in China?

Yes. Time-based OTPs work offline and are the most consistent method, provided the Authenticator verification-code method is enabled in Microsoft Entra ID. 

4. Can Authenticator be installed on Huawei or HarmonyOS devices?

Installation and behavior vary by vendor and OS version. If a store is missing, use MDM or an approved signed APK.

5. What should a user do if push never arrives?

Use the code displayed in the app, or a backup method such as SMS or hardware token. Contact the helpdesk if re-enrollment is needed.

6. Is iPhone more reliable for push?

Generally yes. Apple Push Notification service is broadly available, making push more consistent on managed iPhones.

7. What Entra ID settings matter?

Enable the Authenticator verification-code method and ensure conditional access allows fallback methods so users are not forced into unsupported flows. 

8. Are local store apps safe?

Prefer vendor stores, Microsoft lists, or MDM distribution. Avoid unverified third-party APK sites; if side-loading, verify signatures or hashes.

9. Do OTPs work offline or when roaming?

Yes. OTPs are time-based and do not require a network connection, though device clock accuracy matters.

10. What is the recommended fallback for critical accounts?

Combine OTP with a secondary method (SMS, hardware token, or SSPR) and document recovery processes for privileged users.

11. How to handle lost or replaced phones?

Revoke device access via MDM, disable tokens, and re-provision through SSPR or helpdesk checks. Test the flow ahead of time.

12. Can passwordless sign-in work in China?

Some passwordless modes depend on push or platform features that may be inconsistent on Android in China. Validate passwordless flows on the device fleet before wide adoption.