Use QR Code Authentication for secure and lightweight logins

QR code sign-in is now in preview in Entra ID. It is a login method designed exclusively for mobile devices (Android/iOS), and it is important to keep in mind that it is primarily intended for frontline workers. Frontline workers are employees in customer-facing or operational roles, such as retail associates, healthcare staff, factory workers, or field technicians. These workers often use shared devices and need quick, secure access to resources in your tenant without complex authentication processes.

How does it work?

As already mentioned, signing in with QR codes is meant for users with mobile devices, primarily frontline workers, and is an alternative to entering a username and password on an Android/iOS device. The user scans their QR code with their mobile device and uses a PIN code to confirm their identity. This feature has been in preview for a little while, and now the documentation has been published as well (link).

🚨Security considerations for QR code authentication

Note that this method is considered single-factor authentication: the PIN code is the credential, and the QR code itself is only the identifier. While QR code authentication offers a fast and convenient way for frontline workers to access resources, it is important to be aware of the potential security risks:

  • Unauthorized Access: If a QR code is leaked or improperly stored, unauthorized individuals could attempt to gain access.
  • Device Vulnerabilities: Since authentication is tied to mobile devices, lost or compromised devices could pose a security threat.
  • QR Code Tampering: Attackers could replace or spoof QR codes to redirect users to malicious login pages.

✅Some best practices for QR code authentication

  • Conditional Access: Use Conditional Access policies to add protection beyond MFA alone, such as requiring compliant devices and allowing sign-in only from within the company network.
  • Limit distribution: QR Code Authentication should be limited to Frontline workers only.
  • Require longer and stronger PIN codes: PIN codes are a minimum of 8 digits by default; consider requiring longer PIN codes (but not so long that users cannot remember them). Also train and encourage users to avoid predictable patterns. Microsoft has a feature that blocks very common patterns, but training your users is never a bad thing.
  • Educate users: Train frontline workers on how to safely use QR codes and recognize phishing attempts.
  • Don’t forget the human factor: Replace QR codes that are lost or stolen. Users must be taught to immediately report stolen or missing QR codes and/or the devices used for this sign-in method.
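The Conditional Access point above can be expressed as two policies scoped to the group that is allowed to use QR code sign-in: one that requires both MFA and a compliant device on Android/iOS, and one that blocks the group outside the company network. The following is an added example written with the Microsoft Graph PowerShell SDK; it is not code from the original post or from Microsoft. It assumes the Microsoft.Graph module is installed and that the signed-in admin can consent to Policy.ReadWrite.ConditionalAccess. The group id and named-location id are placeholders you would replace with your own.

```powershell
# Added example, not from the original post or from Microsoft: two Conditional Access
# policies for the QR sign-in group, created through Microsoft Graph. Assumes the
# Microsoft.Graph module and the Policy.ReadWrite.ConditionalAccess permission.
# Both ids below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$frontlineGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder: group scoped to QR code sign-in
$companyNetworkId = "11111111-1111-1111-1111-111111111111"  # placeholder: named location for the company network
$uri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Policy 1: on Android/iOS, a member of the frontline group must satisfy BOTH MFA and
# a compliant device before access is granted. Created in report-only mode so the effect
# on real sign-ins can be reviewed in the sign-in logs before it is enforced.
$requireMfaAndCompliant = @{
    displayName = "Frontline QR sign-in: require MFA and compliant device"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($frontlineGroupId) }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("android", "iOS") }
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Policy 2: block the same group everywhere except the company network.
# "All" locations minus the excluded named location means "anything that is not the office".
$blockOutsideNetwork = @{
    displayName = "Frontline QR sign-in: block outside company network"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($frontlineGroupId) }
        applications   = @{ includeApplications = @("All") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($companyNetworkId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireMfaAndCompliant, $blockOutsideNetwork)) {
    $created = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $policy -ContentType "application/json"
    Write-Host ("Created policy '{0}' with id {1} (state: {2})" -f $created.displayName, $created.id, $created.state)
}
```

Both policies start in report-only mode on purpose: because the block policy excludes only one named location, a wrong location id would lock the whole group out, so check the sign-in logs for the expected "report-only" results before switching the state to "enabled". Since the policies are scoped to the frontline group, admin and break-glass accounts are not affected by them.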

Prepare Entra ID to allow QR code authentication

Log in to Entra ID, select “Authentication Methods” and then “QR Code (Preview)”.

Make sure you enable the method, scope it to a group of users if needed, and click Save at the bottom. I recommend that you limit this feature to your frontline workers.

Under “Configure” you can change the PIN code length (default 8 digits) and the lifetime of a standard QR code (default 365 days).
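The PIN length you set here only enforces a minimum; the "avoid predictable patterns" advice from the best-practices list still depends on people. The following is an added example, not code from the original post or from Microsoft, that a help desk could run before issuing or accepting a PIN. The rules are our own, modelled on that advice, and are not Microsoft's published pattern checks; the default minimum of 8 digits matches the Entra ID default, while the maximum of 20 digits is an assumption.

```powershell
# Added example, not from the original post or from Microsoft: a PIN quality check a
# help desk can run before issuing or accepting a PIN. The rules are our own and are not
# Microsoft's published rules. The minimum length matches the Entra ID default of 8 digits;
# the maximum is an assumption.
function Test-QrPin {
    param(
        [Parameter(Mandatory)] [string] $Pin,
        [int] $MinLength = 8,
        [int] $MaxLength = 20
    )

    $problems = @()

    if ($Pin -notmatch '^\d+$')       { $problems += 'contains characters other than digits' }
    if ($Pin.Length -lt $MinLength)   { $problems += "shorter than $MinLength digits" }
    if ($Pin.Length -gt $MaxLength)   { $problems += "longer than $MaxLength digits" }

    # Ascending or descending runs such as 12345678 or 98765432.
    $ascending = $true; $descending = $true
    for ($i = 1; $i -lt $Pin.Length; $i++) {
        $step = [int][char]$Pin[$i] - [int][char]$Pin[$i - 1]
        if ($step -ne 1)  { $ascending  = $false }
        if ($step -ne -1) { $descending = $false }
    }
    if ($Pin.Length -gt 1 -and ($ascending -or $descending)) { $problems += 'digits form a sequence' }

    # A short block repeated to fill the PIN, such as 11111111, 12121212 or 123123123.
    $half = [int][math]::Floor($Pin.Length / 2)
    if ($half -ge 1) {
        foreach ($blockLength in 1..$half) {
            if ($Pin.Length % $blockLength -ne 0) { continue }
            $block = $Pin.Substring(0, $blockLength)
            if ($Pin -eq ($block * [int]($Pin.Length / $blockLength))) {
                $problems += "block '$block' repeated"
                break
            }
        }
    }

    # Very little variety, e.g. 11221122, is weak even when no single block repeats cleanly.
    $distinct = ($Pin.ToCharArray() | Sort-Object -Unique).Count
    if ($distinct -lt 4) { $problems += "only $distinct distinct digits" }

    [pscustomobject]@{
        Pin        = $Pin
        Acceptable = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed sample PINs: the first three are rejected by the rules above, the last is accepted.
'12345678', '12121212', '11221122', '48205917' | ForEach-Object { Test-QrPin -Pin $_ }
```

The function returns an object per PIN with the list of problems found, so it can be used interactively or piped into a script that generates candidate PINs and keeps only acceptable ones. Because the admin cannot read a user's current PIN afterwards, a check like this is only useful at the moment the PIN is issued.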

Configure QR code for the user

Now we will configure QR sign-in for the user Miriam, who is within the scope set in the previous section. We open her account in Entra ID, select “Authentication methods” and see that she has several MFA methods but no QR code defined. So we select “Add authentication method” at the top.

Notice that we can now select “QR code (preview)”, which gives us options for when the QR code should expire, its activation time and its PIN code. We can either set a PIN manually or have the system generate a random PIN by clicking “Generate PIN”. This PIN code is only temporary and must be changed at first sign-in.

When you are done, select “Add” at the bottom.

The PIN and QR code are now shown. Make sure you download the QR code now using the “Download image” button below, because it will not be shown again. The user will be required to change the PIN code after the first sign-in.

Now the admin can print the QR code on a label, for instance, which Miriam can keep on her or attach to her company badge for easy access. This part can also be delegated to a manager so IT doesn’t have to handle the QR code distribution.

The PIN code should of course be memorized and NEVER written down. Yes, we must continue with user training, even on the basics!

Let us login with the QR code

We are ready to test with Miriam’s account, but first a friendly reminder: We sign in with QR codes on a mobile phone, not on a computer. 😉

On the mobile device, an Android phone in this demo, I open a web browser and navigate to login.microsoft.com. Instead of typing a username, I tap “Sign-in options” below.

On the next screen select “Sign in to an organisation” and then tap “Sign in with a QR code”.

Now the camera opens on her phone and Miriam can scan the printed QR code she has with her at work. After scanning the QR code, Miriam is prompted to change her PIN (this only happens the first time after a PIN is set) and to perform any additional MFA checks.

Miriam has now signed in on her mobile device using a QR code and has access to her resources in M365.

What if the user loses the QR code or PIN code?

We are still human, and users are bound to misplace or forget their QR code or PIN code. So what do we do? After the QR code has been set up, we take a quick look at the “Authentication methods” settings for Miriam in Entra ID again. Here we locate the QR code and select “Edit”.

Here we see a couple of interesting choices. You can set a new PIN code for the user. The PIN must be changed after the first sign-in, and the admin can NOT read the current PIN code.

In addition, an admin can create a new, temporary QR code. This temporary QR code is meant as a short-term replacement when the standard QR code is unavailable, for example because the user left it at home. The temporary QR code has the same PIN as the standard QR code, but a much shorter lifetime: 3 hours by default and 12 hours at most. Apart from that, a temporary QR code works the same way as a standard one.

Wrapping it up

QR code authentication in Entra ID is a simple and secure way for frontline workers to sign in quickly. Since this method relies on a PIN as the credential, you should absolutely add additional security layers, such as filtering by device compliance or exploring multi-factor authentication (MFA) for stronger protection. Keep in mind that your identities are the key to everything in M365, so why not take a moment to review your current security setup?

Author

  • Per-Torben Sørensen has 25 years experience in IT and Microsoft infrastructure. He is currently an MCT and works as a Technical Architect within M365 at Crayon. His passion is Entra ID and Identity and access management and helps customers become "copilot-ready". He's also an engaged speaker and is always eager to share his knowledge and learn from others.
