Microsoft tightens Authenticator checks on Android and iOS • The Register


Microsoft is removing Entra credentials for school and work from jailbroken and rooted devices running iOS and Android.

The process is automatic and there is no opt-out. If Microsoft Authenticator detects that a device has been jailbroken or rooted, it will first display a warning, then block access, and finally wipe credentials. The procedure is already underway for Android devices, and iOS devices will follow in April 2026.

If all goes to plan, Microsoft will complete the process by July 2026. The app will warn, block, and wipe data “during any interactive operation that involves a work or school account in Microsoft Authenticator.”

There is an argument that an employer should provide employees with suitably locked-down devices anyway, and a jailbroken or rooted device might allow apps to cause all sorts of mischief that could bypass Microsoft’s security controls and cause multi-factor authentication (MFA) headaches.

However, there are also good reasons to use a device – particularly an Android device – that qualifies as jailbroken or rooted. There is plenty of software that only works on devices no longer solely part of a given vendor’s ecosystem, although it is important to understand the risks involved.

Microsoft did not detail what checks take place, and other mobile operating systems, such as GrapheneOS, may also face restrictions. Microsoft did not respond to our questions, other than confirming the receipt of The Register’s query.

After receiving the warning, one user remarked: “Disabling the hardened memory allocator for the app got rid of it having an issue with the device.”

Microsoft first warned customers last year that the Authocalypse was coming for jailbroken or rooted devices. In response to a post reminding users that the effort was underway, another observer said: “So, the quickest way to clean up tens of M365 accounts that were ‘restored’ to a new phone (and completely broken) would actually be to root my Pixel?”

Perhaps not quite what Microsoft had in mind. ®


