A policy update from Microsoft could block GrapheneOS users from accessing their
Entra ID work credentials through Microsoft Authenticator, raising questions about
how security tools define secure devices.
Root Detection Catches GrapheneOS in Its Net
Since February 2026, Microsoft Authenticator has been actively checking Android devices for
root access. When root is detected, the app blocks access and deletes stored credentials.
GrapheneOS, while not rooted by default, fails the check because Microsoft relies on the
Google Play Integrity API, a tool that does not recognize custom operating systems as
compliant, even security-hardened ones.
Microsoft Confirms No Official Support
In a statement to Heise Security, a Microsoft spokesperson confirmed that Microsoft
Authenticator is not officially supported on GrapheneOS and that Entra ID accounts may be
impacted on devices detected as rooted. The rollout is phased: users first receive warnings,
then new account setups are blocked, and by July 2026 all existing credentials could be
wiped from affected devices.

A Contradiction Right After the Motorola Partnership
The timing is hard to ignore. Just days before this issue became public, Motorola announced
a long-term partnership with GrapheneOS at MWC 2026, positioning it as an enterprise and
government-grade security OS. Microsoft is now effectively locking out one of the most secure
Android environments available, using a verification method that was never built for hardened
custom ROMs.
Options for Affected GrapheneOS Users
Alternatives like Google Authenticator or Aegis can replace Microsoft Authenticator in some
setups, though their acceptance will depend on each organization’s IT policy. Android
hardware attestation would be a more appropriate verification approach, as it could whitelist
GrapheneOS without flagging it as a rooted device. Microsoft has not yet clarified whether all
GrapheneOS devices will be universally affected.
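
The allow-list decision that hardware attestation makes possible, shown as an added example that is not code from Microsoft, Google or GrapheneOS. It assumes the attestation certificate chain has already been validated and its RootOfTrust fields parsed; the key digest and OS name are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum


class VerifiedBootState(IntEnum):
    """verifiedBootState values in the Android key attestation RootOfTrust."""
    VERIFIED = 0     # OS verified against the device maker's key
    SELF_SIGNED = 1  # OS verified against a user-installed key
    UNVERIFIED = 2   # bootloader unlocked, OS can be freely modified
    FAILED = 3       # verification failed


@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes  # hash of the OS signing key (SHA-256 assumed)
    device_locked: bool       # bootloader lock state
    verified_boot_state: VerifiedBootState


# Constructed placeholder digest; a real deployment would pin the digests
# published by the OS project it chooses to trust.
ALLOWED_OS_KEYS = {
    hashlib.sha256(b"PLACEHOLDER-hardened-os-signing-key").digest(): "hardened-os",
}


def evaluate(rot: RootOfTrust) -> tuple[bool, str]:
    """Return (allowed, reason) for an already-verified attestation."""
    # An unlocked bootloader is rejected regardless of which OS is installed.
    if not rot.device_locked:
        return False, "bootloader unlocked"
    if rot.verified_boot_state == VerifiedBootState.VERIFIED:
        return True, "stock OS"
    # A locked device running a custom OS reports SELF_SIGNED; accept it only
    # when the signing key digest matches a pinned entry.
    if rot.verified_boot_state == VerifiedBootState.SELF_SIGNED:
        for digest, name in ALLOWED_OS_KEYS.items():
            if hmac.compare_digest(digest, rot.verified_boot_key):
                return True, f"allow-listed OS: {name}"
        return False, "unknown OS signing key"
    return False, "verified boot not intact"
```

The policy separates a locked device running a pinned custom OS from an unlocked or unknown one, which a single pass/fail integrity verdict cannot do.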