Getting Started
- Overview & Company
  - About Identity and Access Management
  - About Evo Security
- Initial Setup & Requirements
  - Evo Prerequisites & Supported Operating Systems
  - Getting Started: MSP Onboarding Guide
  - Evo Authenticator Mobile App 5.1.x (iOS and Android)
  - Evo Supported Authentication Methods
Product Release Notes
- Product Release Notes
  - Product Release Notes
Directory Integrations
- Environments
  - What type of Directory do I need?
  - Directory Integration: Entra ID (formerly Azure Active Directory)
  - Set up Evo on Active Directory (LDAP)
  - Sync with Google Workspace
  - Evo Cloud: Directory-As-A-Service Setup and Installation
  - Unsupported - Microsoft Azure Virtual Desktop
Deployment & Configuration
- Advanced Configurations
  - How to protect Remote Desktop using Evo Security (RDP Support)
- Scripts & Automation
  - Deploy & Uninstall Evo Agent via PowerShell
  - Deploying the Evo Agent using ConnectWise RMM
- Branding & Customization
  - How do I update the Logos to match my company brand? (Web Page and Agent)
Product Information
- MFA
  - Getting Started: Multi-Factor Authentication
  - Setting up Microsoft Authenticator for MFA
  - Email Campaigns for Onboarding Users
- SSO/ SAML
  - What SAML integrations are available?
  - Passwordless Login
  - How do I add a rule for single sign-on (SSO) expiration
  - Identity Provider (IdP) Login
  - Connect Web Apps via SAML with Evo: Version 3
  - Azure AD/On-Prem AD Hybrid Environment - Federating Microsoft 365 Domain
  - Azure AD - Federating Microsoft 365 domain
  - WS-Federation integration for Office 365 login
  - Setting up SAML with Salesforce
  - Setting up SAML with Dropbox
  - Setting up SAML with Liongard
  - Setting up SAML with Auvik
  - Setting up SAML with Domotz
  - Integrating Evo with IT Glue
- Tech Elevation
  - Getting Started: Technician Elevation
  - Technician Elevation: Extended User Access Control session
  - Technician Elevation: Just-in-Time Accounts
  - Local Admin Accounts
  - Web Accounts
- End User Elevation
  - Getting Started: End User Elevation
  - Usage Guide: End User Elevation
  - End User Elevation: Custom Branding
- Help Desk Verification
  - Getting Started: Help Desk Verification
  - Help Desk Verification with Microsoft Authenticator and Evo Secure Login
- Agents
  - Windows Agent Deployment
  - LDAP Agent Settings Editor
  - macOS Agent Deployment
  - How do I update Evo software?
- RADIUS
  - Getting started: RADIUS Server
  - RADIUS - Secure RADIUS Servers with TLS/radsecproxy (CVE-2024-3596)
Evo Portal
- Navigation & Managment
  - Welcome to the Evo Portal!
  - Policies Page
  - Deployment Tokens
  - Access Tokens
  - Keys (Hardware Keys) Page
  - Role-Based Permissions / List of Roles
- User & Directory Management
  - How do I manage my user licenses? (Billing and Administration)
Integrations
- PSA & Password Sync Integrations
  - Evo Password Integration with ITGlue
  - Integrating Evo with Halo PSA
  - Evo Password Integration with Hudu
  - Evo Integration with Autotask
  - Evo Integration with ConnectWise
- Microsoft EAM Integration
  - Microsoft EAM integration
User Onboarding & Guidance
- MFA & Access Behavior
  - How does the "MFA Status" toggle work?
  - MFA Grace Period
  - Temporary Authentication Lockout
- Account Management
  - How do I reset my Evo password?
  - How do I see authentication activity?
  - How do I convert user types?
  - How do I manage my users / users devices?
- End User Documentation
  - How do I register my device?
  - Evo Authenticator watch app
  - Using Evo Secure Login (End User)
  - Using Evo Security (End User) - Azure AD
  - Using Evo Security (End User) - Active Directory
Troubleshooting & FAQs
- Directories Troubleshooting
  - Troubleshoot issues with the Evo LDAP Agent
  - On-prem AD Virtual Machine hosted on Azure (timeout settings)
- Secure Login Troubleshooting
  - Error: Login Denied due to Temporary Lockout
  - Error Message: the account is disabled or not found
  - How to Fix Secure Login Always Requests Offline Code
  - How to use Offline code to login to Windows machine without Internet
  - Evo Secure Login for Windows / Troubleshooting Secure Login
- Elevated Access Troubleshooting
  - Error: The user has not been granted the requested logon type at this computer
  - How to Troubleshoot Elevated Access / Domain Accounts
- Mobile App Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
- End User Troubleshooting
  - User cannot login after changing email
Support & Resources
- Support & Resources
  - Support & Feature Requests
  - Common Support Issues
More

Setting up Microsoft Authenticator for MFA

Last updated on February 18, 2026

Microsoft Authenticator is now available as an authentication method in the Evo Portal for users synced from Microsoft Entra ID (formerly Azure Active Directory).

Prerequisites

Azure Permissions

Before enabling Microsoft Authentication or using the Microsoft Help Desk Verification (HDV) flow, confirm the directory has the required Azure/OAuth permissions.

Important notes

Directories created on Evo before January 2025 may not automatically include the required Azure permissions for:

Microsoft Authentication

Help Desk Verification (HDV)

You may be prompted to grant these permissions:

During directory configuration, or

While completing the Help Desk Verification flow.

Only users with the Edit Directory permission can grant the required OAuth permissions on these screens.

If you can’t grant permissions

Verify your admin role includes Edit Directory, or ask a Portal Admin to update your role/permissions.

Ensure Azure Multi-Factor Auth Client, Azure MFA StrongAuthentocationService, Azure Multi-Factor Auth Connector are listed as an Enterprise Application and Enabled

Note: These settings are required for the feature to work and are typically enabled by default. If you encounter issues, verify these settings first as part of your initial troubleshooting steps.

• Navigate to Microsoft Entra ID → Enterprise Applications • Search for: Azure Auth ◦ Ensure search filters are turned off • Open each Application • Ensure: ◦ Enabled for sign-in = Yes • Save changes

Configure Microsoft Authenticator in an Evo Portal policy

To allow Microsoft Authenticator as an MFA option, you’ll need to enable it within an Evo policy.

Steps

In the Evo Portal, navigate to Evo Admin → Policies.

Click + New (top-right).

From the policy type dropdown, select Allowed Authentication Methods.

In the available methods list, select Microsoft Authenticator as an allowed MFA method.

Save the policy and apply it to the appropriate Tenant.

User device setup (Microsoft Entra ID users)

Users synced from a Microsoft Entra ID (Azure) directory must register Microsoft Authenticator in Microsoft before it can be used in Evo.

Steps

Go to https://mysignins.microsoft.com/security-info

Select + Add sign-in method

Follow the prompts to add and complete setup for Microsoft Authenticator

Ensure the default method is set correctly

If a user has multiple MFA methods registered in Microsoft (for example, SMS and Authenticator), Microsoft Authenticator push notifications must be set as the default sign-in method.

Steps

Go to https://mysignins.microsoft.com/security-info

Select Change next to “Sign-in method when most advisable is unavailable”

Choose App-based authentication – notification and save your changes

Did this answer your question?

😞

😐

🤩

Getting Started: Multi-Factor Authentication Email Campaigns for Onboarding Users