Microsoft Authenticator, installable and works in SFOS 4.5.0.21 / XA III?

I use Authenticator, it works with a few problems:

  • if Authenticator isn’t active when you get an authentication request, and you tap the notification, you’ll usually get a black screen; you can still (blindly) enter the code and tap ↵, and it will proceed
  • sometimes you need to open Authenticator and slide down several times to get the authentication popup to open

You will need microG with Cloud Messaging set up to get Authenticator to work.

1 Like

Sorry, but no. Not in my case as stated above.

1 Like

Microsoft supports a wide range of authentication concepts for Azure AD, ehh excuse me, Entra ID out of the box, including hardware keys like Yubikey and WebAuthn. They leave little to be desired in that regard (and a LOT regarding other stuff :slight_smile: ).
TOTP is supported, and will be supported for the foreseeable future if your IT admin leaves it enabled.
However, they (MS) do not recommend it, and that is not without reason. TOTP has no validation. TOTP can easily be copied from my phone (which has shitty storage encryption, tnx Sailfish) if I didn’t have Foil Auth :), and there is no way of knowing. The QR code can be scanned multiple times, you can make screenshots of it, print it, etcetera.
I love TOTP for its simplicity and wide support, but when you have a company with hundreds or thousands of employees you could want (mandate) something without those inherent weaknesses, especially if you get something arguably better without extra costs.
They also disabled phone (voice code) and SMS by default. MS’s own Authenticator push notifications are also ‘upgraded’ with a two digit verification code, so it’s impossible to phish for approvals, which happened a lot in the real world.

1 Like

I’m not sure what you mean by validation. The flow is, authenticate (I have a valid user), and present a token entry (keyed to the validated user via auth 1) confirm token? I’ll have to do some research because it seems fishy to me to have: 1. push from a ms product (cough, sorry), 2. a two digit verification code (is that not a bit, ah, short?). I’m a bit ignorant. As you point out, a lot will depend on the Admin.

As far as TOTP, it’s clear it has weaknesses, depending on how you generate and distribute keys. It does not need to be done with QR codes, though that’s the ‘easy’ solution and why it’s the most easily attacked. I’ve mostly hacked on: GitHub - poetaster/apache_2fa: Apache two-factor (2FA) authentication with Google Authenticator based on Time-based One-Time Password (TOTP) or HMAC-based one-time password (HOTP) Algorithms. As you mentioned, FoilAuth has a nice extra auth layer and crypto, so I feel quite at ease with it.

I’ve also been using WebAuthn and a Yubikey for, for instance, Proxmox credentials and that works quite well, but it’s also not bulletproof.

1 Like

I guess by validation yomark means that the OTP secret has not been stolen; a YubiKey with biometrics (very, very close to) guarantees that the user is actually the user and not someone who has your phone.

It is: authentication vs authorization.

1 Like

Ok, but that is always an issue. If I understand correctly, the Microsoft Authenticator in the wrong hands is also a back door? I never use the second factor on the phone and have no credentials for websites on the phone, so that the phone ONLY acts as 2FA for stuff I do on other PCs. So that’s how I use my Yubikeys.

You lost me here. What is authentication and what is authorization in what flow? Authorization merely states which party has what rights. Authentication purports to prove a party is said authorized party.

To clarify: Previously the second factor using MS Authenticator worked by a push notification which you only had to approve on your phone. How it works now is that the authentication source presents a random 2 digit code, which you then have to enter in MS Authenticator to approve.

Ok, I think I understand. Seems VERY odd that they would just use the network and only push a 2 digit code. Where does the push arrive? If it’s not SMS, it’s some service run by MS authenticator? I don’t get where the ‘push’ is helpful? Will probably be compromised next month :slight_smile:

MS Cloud sends (push or pull, doesn’t really matter) an authentication request (second factor) to MS Authenticator on the phone (that unique app installation is registered with your MS account). Cloud authentication shows a two digit code that you have to enter in the app. The app then sends the code back to the cloud and the code gets validated or not.
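The exchange described above, as an added toy model that is not Microsoft’s code: the "cloud" and the registered app are two sides, the push carries only a request id, the two-digit number is shown on the sign-in screen only, and the cloud validates the typed number once and then discards the request. The one-reply-per-request rule, the 60-second expiry and the sample account are assumptions for the demo, not details from the thread.

```python
# Added example: toy model of number-matching push MFA (assumed behaviour, not Microsoft's).
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PendingRequest:
    device_id: str       # app installation registered with the account
    number: str          # two-digit number shown on the sign-in screen, never pushed
    created: float
    consumed: bool = False


@dataclass
class CloudMFA:
    devices: Dict[str, str]                                 # account -> registered device_id
    pending: Dict[str, PendingRequest] = field(default_factory=dict)
    ttl: float = 60.0                                        # assumed request lifetime (seconds)

    def start(self, account: str, now: float, number: Optional[str] = None) -> Tuple[dict, str]:
        """After the password step: create the request. Returns the push payload for the
        app (no number in it) and the number to display on the sign-in screen."""
        number = number if number is not None else f"{secrets.randbelow(100):02d}"
        request_id = secrets.token_hex(8)
        self.pending[request_id] = PendingRequest(self.devices[account], number, now)
        return {"request_id": request_id, "device_id": self.devices[account]}, number

    def approve(self, request_id: str, device_id: str, typed: str, now: float) -> bool:
        """The app sends back what the user typed. Validated once, then the request is spent."""
        req = self.pending.get(request_id)
        if req is None or req.consumed or req.device_id != device_id:
            return False         # unknown, already used, or not the registered installation
        req.consumed = True      # even a wrong or late answer spends the request
        if now - req.created > self.ttl:
            return False
        return secrets.compare_digest(req.number, typed)


def demo() -> Tuple[bool, bool, bool]:
    """Legitimate approval, a replay of the same reply, and a reply from an unregistered device."""
    cloud = CloudMFA(devices={"alice": "phone-abc"})       # constructed sample account
    push, shown = cloud.start("alice", now=1000.0)
    ok = cloud.approve(push["request_id"], "phone-abc", shown, now=1005.0)
    replay = cloud.approve(push["request_id"], "phone-abc", shown, now=1006.0)
    push2, shown2 = cloud.start("alice", now=2000.0)
    other = cloud.approve(push2["request_id"], "phone-xyz", shown2, now=2001.0)
    return ok, replay, other
```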

Unfortunately, last week my company moved away from allowing other OTPs too. Now it’s only MS Authenticator. Seems like the last E of EEE as nephros put it :wink:

Tried these to solve the problem:

I installed the Google Play store straight from an apk file. It installs, but doesn’t start up (the app stays ‘visible’ but I can’t switch to it).

I tried to install MS Authenticator from the Google Play store itself (using fake account details) but it fails. (The reason could be an unsupported device; the actual text is ‘you have not used Google Play from this device before’.)

Any suggestions how to solve this new situation?

OT.
The massive surveillance of ordinary people is becoming more and more intrusive. :worried:

That’s annoying, is there a requirement for employees at your company to use specific phones, e.g. android/ios ones?

I had a similar argument with my bank, and tbh they ignore me ;-(

Whohoo, stay away from Google Play. :slight_smile:

Just install the F-Droid store (F-Droid - Free and Open Source Android App Repository), and then install Aurora Store from F-Droid (this way everything can autoupdate, including Aurora Store). Then just install MS Authenticator from Aurora Store.
Optional:
You could consider installing microG (add the microG repository to F-Droid) for push notifications (for MS Authenticator and other Android apps) and probably better battery life.

MS Authenticator push with code is a good second factor that is included with the more expensive MS365 plans. TOTP has its flaws. It’s fine for me personally for my personal stuff. But I can understand that it isn’t for a company.
But for MS it doesn’t matter. Microsoft supports a lot of other options including WebAuthn or FIDO2 (Yubikey for example).

Hello!
I use Authenticator and «company portal access» with Teams on the Android support in the Xperia 10 II since the start of this year. It works fine and never gave me issues. Of course it always complains «This app will not work without Google services that are not installed on your device», but actually it works.

I also got the error on my phone and imho it does not work for push notifications.
It works for the other mode where you enter the 6 digits.
But for that you can also use the FoilAuth native app.

Maybe you mentioned it already, but can’t you use the SMS option?

No, the SMS option was dropped a bit earlier, before enforcing MS Auth.

I know it’s probably not a solution, but if your company is so strict they should give you a work phone imo. I don’t see an easy way out, unless you can install the app from an alternative app store like somebody already suggested. Huawei app store doesn’t have it, but Aptoide or Aurora could be an option. However, I don’t see how this would be more secure than the SMS option ¯\_(ツ)_/¯

Aurora Store isn’t really an alternative store. It’s an open-source alternative to the Google Play store and will get you the same ‘original’ apks, downloaded from Google servers, as the real Google Play store does.