IT teams doing mass phone replacements (100+ devices) face a complex, error-prone multi-step process involving MFA re-registration, temporary passwords, Intune enrollment, and user coordination — with risk of locking users out of their accounts during the transition window.
A workflow orchestration tool that sits on top of Entra ID and Intune, automating the device swap pipeline: auto-generates TAPs, pre-provisions devices via Zero Touch/Knox/ABM, schedules MFA method transfers, tracks per-user migration status, and handles rollback if something fails — all without touching user passwords.
Subscription SaaS — per-device or per-tenant monthly fee, with a free tier for under 25 devices
The pain signals are strong and specific. When this problem hits, it hits hard — 180 phones in two weeks means IT is in crisis mode. Users get locked out, helpdesk tickets spike, productivity drops. The Reddit thread shows real frustration and no clean solution. However, this is episodic pain (every 2-3 years per device cycle), not daily pain, which limits urgency between refresh cycles.
TAM is constrained. Target is M365+Intune shops with 200-5000 employees doing phone refreshes. Estimated ~50K-100K such orgs in US/EU. At $2-5/device for a 500-device swap, that's $1K-2.5K per event every 3 years per customer = ~$300-800/year effective revenue per customer. Realistic ARR ceiling for a solo founder is $500K-2M. This is a solid lifestyle business but not a VC-scale market unless you expand scope significantly.
IT admins have budget authority for tools under $5K/year and hate writing scripts. The ROI math works: 80 hours of admin time × $75/hr = $6K to DIY vs. $1-3K for your tool. BUT: (1) this is a sporadic purchase, not always-on SaaS, (2) procurement for a new vendor at mid-market orgs can take months, (3) free PowerShell scripts exist and 'good enough' is a real competitor. Budget holders need to see this during their planning cycle, not after the fire drill starts.
Microsoft Graph API exposes TAP creation, MFA method management, and Intune device enrollment — the APIs exist. A solo dev with M365 admin experience could build an MVP in 6-8 weeks. HOWEVER: (1) you need Entra ID P1/P2 tenant access for testing, (2) the Microsoft Graph permissions model is complex and admin consent flows are finicky, (3) handling edge cases (conditional access conflicts, hybrid AD, guest accounts) adds real complexity, (4) you'll need to pass Microsoft's app verification/publisher verification for enterprise trust.
This is the strongest signal. There is literally no purpose-built product for this. The 'competition' is PowerShell scripts and spreadsheets. Microsoft provides building blocks but no orchestration. Every adjacent player (Silverfort, Duo, Yubico) solves a different problem. When r/sysadmin threads consistently end with 'write a script,' that's a product waiting to exist.
This is the biggest weakness. Phone swaps happen every 2-3 years. Between cycles, the tool sits unused. You can try to force monthly SaaS pricing, but customers will resist paying for something dormant 90% of the time. Potential mitigations: expand to ongoing MFA lifecycle management (new hire onboarding, lost phone replacement, offboarding), add compliance reporting, or charge per-migration-event instead of monthly. Without scope expansion, this is a professional services engagement disguised as SaaS.
- (+) Massive competition gap — no purpose-built solution exists, market is served by DIY scripts
- (+) Pain is real, specific, and well-documented across IT admin communities
- (+) Clear ROI story: 80 hours of admin scripting vs. buying your tool
- (+) Microsoft ecosystem lock-in means your target customers are easy to identify and reach
- (+) Regulatory/compliance tailwinds (zero-trust mandates) make 'just disable MFA' increasingly unacceptable
- (!) Microsoft could ship this as a native Entra ID feature at any time — they own the platform and the APIs. One Ignite announcement kills you.
- (!) Episodic usage pattern (every 2-3 years) makes recurring SaaS revenue extremely difficult without significant scope expansion
- (!) Small TAM ceiling — this is a lifestyle business ($500K-2M ARR) not a venture-scale opportunity unless you broaden to full device lifecycle management
- (!) Enterprise trust barrier: IT admins granting your app delegated permissions to manage MFA and issue TAPs requires significant trust. Publisher verification, SOC 2, and security reviews will be table stakes.
- (!) Customer acquisition timing is tricky — you need to reach orgs BEFORE they start their refresh cycle, not during (when they've already written their scripts)
Built-in Entra ID Temporary Access Pass, Microsoft Graph API for bulk MFA method management, and Intune for device enrollment — the raw building blocks admins currently stitch together with PowerShell scripts
MFA provider with admin APIs for managing enrolled devices, revoking and re-enrolling MFA methods programmatically across an organization
Agentless identity protection platform that extends MFA to legacy systems and provides identity threat detection without changing existing infrastructure
Hardware FIDO2 security key program that eliminates phone-based MFA dependency entirely — ships keys to employees at scale as a phone-independent second factor
Custom scripts shared across r/sysadmin, GitHub, and tech blogs that call Microsoft Graph API to bulk-issue TAPs, revoke old MFA methods, and send notification emails — the de facto 'competitor' and current market incumbent
Web app with Entra ID OAuth integration that does three things: (1) bulk-import users from a CSV or Entra group, (2) auto-generate and email TAPs with configurable expiry windows per batch, (3) dashboard showing per-user migration status (TAP issued → new device enrolled in Intune → new MFA method registered → old method revoked). Skip Intune auto-provisioning in v1 — just track enrollment status. Ship as a single-tenant Azure App Service deployment the customer runs in their own tenant for trust reasons.
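The core of the MVP above (and of the Graph building blocks described under feasibility) is the per-user status chain and the ordering rule that keeps people from being locked out: the old MFA method is revoked only after a new one is confirmed, so enrollment and MFA transfer are never treated as one atomic step. The following is an added example, not code from the page or from any product it mentions: a small state machine over that chain, driven against a constructed in-memory stand-in for Microsoft Graph. The recorded request paths mirror real Graph routes (TAP creation under `/authentication/temporaryAccessPassMethods`, method listing under `/authentication/methods`, Intune's `/deviceManagement/managedDevices`), but the `FakeGraph` class, its data, the user names and method ids are all assumptions for the demo, and nothing here contacts a tenant. Real Graph deletes are per method type; the example assumes Authenticator.

```python
"""Per-user migration state machine for a bulk phone swap (added example).

Models the dashboard chain: TAP issued -> new device enrolled in Intune ->
new MFA method registered -> old method revoked. Revocation only happens after
the new method is re-verified, and a vanished new method aborts instead of
revoking. Graph is replaced by FakeGraph, which serves constructed data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Stage(Enum):
    PENDING = "pending"
    TAP_ISSUED = "tap_issued"
    DEVICE_ENROLLED = "device_enrolled"
    NEW_METHOD_REGISTERED = "new_method_registered"
    OLD_METHOD_REVOKED = "old_method_revoked"
    FAILED = "failed"


class FakeGraph:
    """Constructed in-memory stand-in for Microsoft Graph; records the paths it would call."""

    def __init__(self, enrolled_upns, methods_by_upn):
        self.enrolled = set(enrolled_upns)   # UPNs whose new phone shows up in Intune
        self.methods = methods_by_upn        # upn -> list of authentication method ids
        self.calls = []                      # (verb, path) log for inspection

    def create_tap(self, upn, lifetime_minutes, usable_once=True):
        self.calls.append(("POST", f"/users/{upn}/authentication/temporaryAccessPassMethods"))
        return {"lifetimeInMinutes": lifetime_minutes, "isUsableOnce": usable_once,
                "temporaryAccessPass": f"<constructed TAP for {upn}>"}

    def is_enrolled(self, upn):
        self.calls.append(("GET", "/deviceManagement/managedDevices"))
        return upn in self.enrolled

    def list_methods(self, upn):
        self.calls.append(("GET", f"/users/{upn}/authentication/methods"))
        return list(self.methods.get(upn, []))

    def delete_method(self, upn, method_id):
        # Real Graph deletes are per method type; Authenticator is assumed here.
        self.calls.append(("DELETE", f"/users/{upn}/authentication/microsoftAuthenticatorMethods/{method_id}"))
        self.methods[upn] = [x for x in self.methods[upn] if x != method_id]


@dataclass
class Migration:
    upn: str
    stage: Stage = Stage.PENDING
    old_method_ids: list = field(default_factory=list)   # snapshot taken before the swap
    new_method_id: Optional[str] = None
    error: Optional[str] = None


def advance(graph, m, tap_lifetime_minutes=60):
    """Move one user forward by at most one stage; returns the resulting stage."""
    if m.stage is Stage.PENDING:
        m.old_method_ids = graph.list_methods(m.upn)   # anything registered later is 'new'
        graph.create_tap(m.upn, tap_lifetime_minutes)
        m.stage = Stage.TAP_ISSUED
    elif m.stage is Stage.TAP_ISSUED:
        if graph.is_enrolled(m.upn):
            m.stage = Stage.DEVICE_ENROLLED
    elif m.stage is Stage.DEVICE_ENROLLED:
        fresh = [x for x in graph.list_methods(m.upn) if x not in m.old_method_ids]
        if fresh:
            m.new_method_id = fresh[0]
            m.stage = Stage.NEW_METHOD_REGISTERED
    elif m.stage is Stage.NEW_METHOD_REGISTERED:
        # Re-check immediately before revoking: a missing new method means stop, keep the old one.
        if m.new_method_id not in graph.list_methods(m.upn):
            m.error = "new method disappeared before revocation; old method kept"
            m.stage = Stage.FAILED
            return m.stage
        for old in m.old_method_ids:
            graph.delete_method(m.upn, old)
        m.stage = Stage.OLD_METHOD_REVOKED
    return m.stage


def run_batch(graph, migrations, rounds=3):
    """Poll every unfinished user up to `rounds` times; returns {upn: stage} for the dashboard."""
    for _ in range(rounds):
        for m in migrations:
            if m.stage not in (Stage.OLD_METHOD_REVOKED, Stage.FAILED):
                advance(graph, m)
    return {m.upn: m.stage for m in migrations}


def demo():
    """Constructed tenant: TAPs go out, then alice finishes, bob enrolls only, carol does nothing."""
    graph = FakeGraph(enrolled_upns=set(), methods_by_upn={
        "alice@example.com": ["auth-old-a"],
        "bob@example.com": ["auth-old-b"],
        "carol@example.com": ["auth-old-c"],
    })
    migrations = [Migration(upn) for upn in graph.methods]
    run_batch(graph, migrations, rounds=1)   # snapshots taken, TAPs issued
    # Simulated user activity: two phones enrolled, only alice completed Authenticator setup.
    graph.enrolled.update({"alice@example.com", "bob@example.com"})
    graph.methods["alice@example.com"].append("auth-new-a")
    return run_batch(graph, migrations, rounds=3), graph


if __name__ == "__main__":
    status, _ = demo()
    for upn, stage in status.items():
        print(f"{upn}: {stage.value}")
```

The snapshot-then-diff approach avoids depending on per-method timestamps, and the re-check before revocation is the step that turns "revoke old, hope new works" into a safe sequence: bob and carol keep their old method until they finish, and the dashboard shows exactly where each of them stalled.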
Free tier for <25 devices to get adoption and testimonials → $3-5/device for migration events (pay-per-use, not monthly, to match the episodic nature) → expand to ongoing MFA lifecycle management (onboarding, lost phones, offboarding) to justify monthly per-user pricing at $1-2/user/month → add compliance reporting and audit export for enterprise upsell
8-12 weeks to MVP, 3-6 months to first paying customer. The sales cycle is the bottleneck — you need to find an org actively planning a phone refresh, get through their vendor evaluation, and have them trust your app with admin-level Entra permissions. First revenue likely comes from a direct relationship (MSP partner, former colleague, Reddit community connection) rather than inbound marketing.
- “We are about to change out 180+ cell phones in the next couple weeks”
- “We have a procedure but it doesn't seem like the best but I can't figure out a better one”
- “now the user is left with a cell phone that cannot get by MFA”
- “we have to disable MFA on their account until they do”
- “The biggest thing tripping people up on these rollouts is treating device enrollment and MFA transfer as one atomic step”