QR code authentication: a new simplified sign-in experience for frontline workers

Last week, Microsoft introduced a new authentication method to Microsoft Entra ID called QR code. This new authentication method is currently in public preview, satisfies single-factor authentication requirements and is designed for, but not limited to, frontline workers.

The new authentication method consists of two artefacts: the QR code, which must be delivered to the end user, and a PIN, which is associated with the QR code and is needed to complete the authentication.

To further clarify, there are two types of QR code:

• Standard QR code: The standard QR code is issued to the end user upon creation together with an initial PIN. After the first sign-in the user is asked to change the initial PIN to a PIN known only to the user. The standard QR code is valid for a maximum of 395 days and must be replaced afterwards.
• Temporary QR code: The temporary QR code can be created with a maximum lifetime of 12 hours and is intended for situations where a user shows up for work but forgot his badge. In this situation a temporary QR code can be issued to the user for this workday. There is no need to set up a dedicated PIN for that QR code, since the user can use the PIN associated with his standard QR code.

The QR code authentication is supported in the Microsoft Teams app on Android and iOS and on any Microsoft Entra ID login page in a browser on these platforms. Windows is currently not supported.

This authentication method aims to simplify the authentication process for end users by providing a passwordless user experience. Potential use cases for this authentication method are:

• Shift workers who use mobile devices configured with Entra shared device mode to perform tasks tailored to their role.
• Frontline workers who require a convenient and simple-to-set-up authentication method on their mobile devices.

QR code authentication addresses multiple challenges customers may have today:

• Users are reluctant to install the Authenticator app on their personal mobile devices due to privacy concerns or other reasons.
• Frontline workers are not allowed to bring their private devices into work areas to perform necessary MFA prompts, which decreases their productive output.
• Frontline workers lose valuable time typing in username and password to use business-critical applications.
• Frontline workers might be wearing gloves, which makes typing on a keyboard on a mobile device difficult.

baseVISION has been part of the Microsoft Frontline Worker Identity & Device Management: VIP Customer Council, an invitation-only group for selected Microsoft partners and customers. During weekly calls Microsoft presented roadmap updates or provided insights into new features such as QR code authentication. baseVISION has been able to test QR code authentication as one of the first companies worldwide and provide the product group with valuable feedback.

Roles and Responsibilities

The responsibilities in implementing this new auth method can be summarized as follows:

• IT admin: Represents different roles in IT, from Global admins / Authentication Administrators in Entra ID who set up the new auth method, to helpdesk personnel who help generate / reset QR codes.
• FLM: Frontline managers, who oversee a shift of multiple FLWs.
• FLWs: Frontline workers who work with shared devices.

The phases, and which role (IT Admin, FLM or FLW) performs each step, are:

Provisioning (IT Admin)
  1. Enables the QR code auth method
  2. (Delegates credentials to FLM)

Management and Distribution (IT Admin / FLM; step 4 by the FLW)
  1. Generates QR codes & initial PIN
  2. Prints QR codes for FLW
  3. Shares QR codes and initial PIN with FLW
  4. FLW attaches QR code to physical badge

Usage (FLW)
  1. Uses QR code with supported apps
  2. Sets up personal PIN upon first logon

Reset (FLW, then IT Admin / FLM)
  1. FLW contacts IT Admin or FLM to reset QR code, PIN or both
  2. IT admin or FLM generates / distributes new QR code and / or PIN

Configuring QR code authentication

The new authentication method can be configured in the Microsoft Entra ID admin portal at Protection > Authentication methods.

Previously, authentication methods and SSPR methods were managed in two different menus in Entra ID. Microsoft is now unifying this admin experience.

Customers must complete the migration to the unified experience by September 30, 2025. More information can be found here: How to migrate to the Authentication methods policy – Microsoft Entra ID | Microsoft Learn
If you need help with the migration, feel free to get in contact with our experts: Contact – baseVISION AG

IT admins can scope the availability of the QR code auth method either to all users or to a specific Entra ID security group. If needed, specific groups can be excluded from the QR code auth method.

On the configuration side, IT admins can configure the following settings:

• QR PIN length: Microsoft mandates a minimum PIN length of 8 digits, which follows the NIST standard. IT admins can configure the PIN length up to a maximum of 20 digits.
• Lifetime of standard QR code: The default lifetime of a standard QR code is 365 days. IT admins can configure the default lifetime in a range of 1 – 395 days.
  Important: During the creation of a QR code, IT admins still have the possibility to decrease the actual lifetime of a standard QR code.

Creating a QR code

Microsoft intended two different operational approaches to the creation of QR codes. The required Microsoft Entra permissions are the same for both: the user must at least have the Authentication Administrator role.

• IT admins: QR codes can be created by an IT admin either by using the Microsoft Graph API or the Entra admin portal.
• Frontline managers: Microsoft intended to give frontline managers the possibility to create and manage QR codes for their direct-reporting frontline worker colleagues. They can do this either in the Microsoft Entra ID admin portal or in the dedicated My Staff admin portal.

Creating a standard QR code from the Microsoft admin portal

IT admins or a frontline worker manager can create a new QR code by navigating to the user’s authentication methods blade in the Microsoft Entra ID admin portal.
Once there, the IT admin / FLM can add a new authentication method.

Once QR code has been selected, more options become available.

• Expiration: The IT admin / FLM can set the expiration date of the QR code. The expiration date is always generated based on the default lifetime configured on the authentication method itself. The lifetime can always be reduced.
• Activation time: The IT admin / FLM can decide when the QR code becomes valid, either right now or at a specific point in time.
• PIN: IT admins / FLMs must create an initial PIN which is then handed over to the end user. The PIN can either be pre-defined or generated by using the Generate PIN button.

Once the QR code has been created, the IT admin / FLM gets access to the standard QR code. This is the only time the QR code can be downloaded.

In case you are wondering what information is saved in the QR code, it contains the following:

• The UPN of the corresponding user
• The QR code ID
• The tenant ID of the corresponding user

The QR code must now be printed out and distributed to the user alongside the initial PIN.

Creating a temporary QR code from the Microsoft admin portal

In case the user forgets his issued standard QR code, an IT admin or FLM can generate a temporary QR code. This is done by navigating to the user’s authentication methods and selecting the QR code auth method.

By selecting + Add Temporary QR code a temporary QR code can be created. Again, the lifetime can be defined, ranging from 1 to a maximum of 12 hours.

After the temporary QR code has been created it is available for download and can be distributed to the end user. The user then authenticates with the same PIN which has been set on the standard QR code.
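To make the limits from the standard and temporary creation steps above concrete, here is an added example (not Microsoft's code and not the portal's own validation) that pre-checks a QR code request against the method settings before it is issued, for instance from a helpdesk script. The QrMethodPolicy model, the ISO-8601 timestamp inputs and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits the article gives for the Entra ID QR code method (public preview):
# PIN 8-20 digits, standard QR code lifetime 1-395 days (default 365),
# temporary QR code lifetime 1-12 hours.
PIN_MIN, PIN_MAX = 8, 20
STD_DAYS_MIN, STD_DAYS_MAX = 1, 395
TEMP_HOURS_MIN, TEMP_HOURS_MAX = 1, 12


@dataclass
class QrMethodPolicy:
    """Hypothetical model of the two tenant-wide settings an IT admin configures."""
    pin_length: int = 8
    default_lifetime_days: int = 365

    def problems(self) -> list[str]:
        out = []
        if not PIN_MIN <= self.pin_length <= PIN_MAX:
            out.append(f"PIN length {self.pin_length} outside {PIN_MIN}-{PIN_MAX}")
        if not STD_DAYS_MIN <= self.default_lifetime_days <= STD_DAYS_MAX:
            out.append(f"default lifetime {self.default_lifetime_days}d outside "
                       f"{STD_DAYS_MIN}-{STD_DAYS_MAX}")
        return out


def _span_hours(activation: str, expiration: str) -> float:
    """Lifetime in hours between two ISO-8601 timestamps carrying the same UTC offset."""
    return (datetime.fromisoformat(expiration)
            - datetime.fromisoformat(activation)) / timedelta(hours=1)


def check_standard_request(policy: QrMethodPolicy, initial_pin: str,
                           activation: str, expiration: str) -> list[str]:
    """Problems with a standard QR code request; an empty list means it can be issued."""
    problems = policy.problems()
    if not (initial_pin.isascii() and initial_pin.isdigit()
            and len(initial_pin) == policy.pin_length):
        problems.append(f"initial PIN must be exactly {policy.pin_length} digits")
    hours = _span_hours(activation, expiration)
    if hours <= 0:
        problems.append("expiration must be after activation")
    # The expiration derives from the method's default lifetime and may only be reduced.
    elif hours > policy.default_lifetime_days * 24:
        problems.append("expiration exceeds activation + default lifetime; it can only be reduced")
    return problems


def check_temporary_request(activation: str, expiration: str) -> list[str]:
    """A temporary QR code carries no PIN of its own; only its 1-12 hour lifetime is checked."""
    hours = _span_hours(activation, expiration)
    if not TEMP_HOURS_MIN <= hours <= TEMP_HOURS_MAX:
        return [f"temporary QR code lifetime {hours:g}h outside {TEMP_HOURS_MIN}-{TEMP_HOURS_MAX}h"]
    return []
```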

Delegating authentication method management to frontline managers

Microsoft also identified the scenario that customers want to delegate the management of QR codes to so-called frontline managers (FLMs). The benefit of allowing those managers to issue QR codes is that IT doesn’t need to be involved in this process. Imagine a FLW working a night shift who forgets his standard QR code and must be issued a temporary QR code. By delegating the permissions to a FLM, the FLM can issue the FLW a temporary QR code.

To delegate those permissions to FLMs, there are two different admin portals which can be utilized by the FLM to manage the FLWs’ authentication methods. To do so, administrative units must be in place and the FLM must be granted the Authentication Administrator role on the administrative unit, to be able to manage the users’ authentication methods.

Important

Granting the FLM the Authentication Administrator role will grant more permissions than just managing QR codes. Using the Authentication Administrator role, one can:

• Remove / delete authentication methods
• Add the SMS authentication method
• Reset the user’s password
• Issue a Temporary Access Pass (Entra ID only)

Microsoft Entra ID admin portal

My Staff admin portal

To enable the My Staff admin portal, the feature must be activated in Entra ID under User settings > Manage user feature settings > Administrators can access My Staff.

Enabling QR code authentication

Once the IT admins / FLMs have issued the QR codes to the FLWs, the devices used by the FLWs must be enabled to use QR code authentication.

The setup varies based on the platform used by the FLW.

Setup QR code authentication on Android

To set up QR code authentication on an Android device, IT admins must configure the Microsoft Authenticator app to support QR codes. IT admins must deploy an App Configuration policy to their devices with the following configuration key:

Configuration key               Value type   Configuration value
Preferred auth config prefill   String       qrpin

This app configuration key enables the QR code authentication flow in all supported Microsoft apps. For this app config policy to work, IT admins must assign the Authenticator app as required to their devices, although the app already gets installed during enrollment. If the app is not assigned as required, the app config policy won’t work!

Important

At the time of writing, Microsoft Teams and Managed Home Screen are the only Microsoft first-party apps with support for QR code auth. Other apps might be enabled in the future.

Setup QR code authentication on iOS

On iOS the QR code authentication must again be set up in a different way. Here Microsoft leverages the Apple SSO extension capability.

This can be achieved by creating an iOS / iPadOS device configuration policy of the type Device Features. IT admins must then configure the following settings in the single sign-on app extension section.

Configuration key               Value type   Configuration value
Preferred auth config prefill   String       qrpin

Assign the policy to your devices.

Experiencing QR code authentication in action

From the Managed Home Screen app (Android only)

Once the devices have been configured correctly, the supported apps will offer the FLW the possibility to initiate their sign-in using a QR code. The picture below shows the experience from the Managed Home Screen app.

The user then gets asked to grant the app permission to use the camera.

Important

• Users will be asked every time whether the app is allowed to use the camera; this decision was made for privacy reasons.
• By default, the back camera of the device is activated.

Once camera access has been granted, the FLW can scan the QR code.

The FLW must then enter the PIN associated with his QR code. If this is the first sign-in using a QR code, the FLW must use the initial PIN which was generated by an IT admin or FLM. Additionally, the FLW will be asked to set up a new PIN.

Once the authentication has been completed, the FLW is signed in to his session and can open any app the admin has made available for him.

will be automatically signed into the respective app. A list of apps which support shared device mode can be found here: Shared device mode for Android devices – Microsoft identity platform | Microsoft Learn

From any webpage supporting Entra ID auth

Any web-based application which has been connected to Microsoft Entra ID also supports QR code based authentication on mobile devices.

To utilize QR code auth, FLWs must perform the following steps:

1. Select Sign-in options
2. Select Sign in to an organization
3. Select the Sign in with a QR code option


Before the QR code authentication method gets enabled and distributed across the business, IT admins should have a look at their Conditional Access policies, especially policies tailored towards frontline workers.
QR code authentication can be added to an authentication strength in Conditional Access and can therefore be included in your current Conditional Access setup.

Just keep in mind that, as mentioned above, QR code authentication is a single-factor authentication method and won’t satisfy Conditional Access policies which use the grant control “Require multifactor authentication”.
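As an added example (not from Microsoft or this article), the following Python check runs over a constructed export of Conditional Access policies in the shape of the Graph conditionalAccessPolicy object: it lists the enabled policies targeting a frontline worker group that rely on the built-in MFA grant control, which a single-factor QR code sign-in cannot satisfy, and separately the policies that govern the group through an authentication strength. Group and strength ids are placeholders, and only the user/group targeting condition is evaluated.

```python
import json

# Constructed export in the shape of Graph conditionalAccessPolicy objects
# (placeholder ids, not real tenant data).
FLW_GROUP = "00000000-0000-0000-0000-00000000f1f1"
POLICIES_JSON = """[
  {"displayName": "CA01 - Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [], "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "CA07 - FLW shared devices", "state": "enabled",
   "conditions": {"users": {"includeUsers": [], "includeGroups": ["00000000-0000-0000-0000-00000000f1f1"],
                            "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": [],
                     "authenticationStrength": {"id": "<strength-id-placeholder>",
                                                "displayName": "FLW QR code strength"}}},
  {"displayName": "CA09 - Legacy MFA (report-only)", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                            "excludeGroups": ["00000000-0000-0000-0000-00000000f1f1"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]"""


def load_policies(text: str = POLICIES_JSON) -> list[dict]:
    return json.loads(text)


def targets_group(policy: dict, group_id: str) -> bool:
    """True if the policy applies to members of group_id: 'All' users or an explicit include,
    and no exclude. Other conditions (apps, platforms, locations) are deliberately ignored."""
    users = policy["conditions"]["users"]
    if group_id in users.get("excludeGroups", []):
        return False
    return "All" in users.get("includeUsers", []) or group_id in users.get("includeGroups", [])


def mfa_conflicts(policies: list[dict], group_id: str) -> list[str]:
    """Enabled policies that hit the group with the built-in 'Require multifactor authentication'
    grant control. A single-factor QR code sign-in cannot satisfy them, so FLWs would be blocked."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled" and targets_group(p, group_id)
            and "mfa" in p["grantControls"].get("builtInControls", [])]


def strength_policies(policies: list[dict], group_id: str) -> list[str]:
    """Policies that govern the group via an authentication strength; that strength is where
    the QR code method can be allowed, so review its allowed combinations in the portal."""
    return [p["displayName"] for p in policies
            if targets_group(p, group_id) and p["grantControls"].get("authenticationStrength")]
```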

Interested? Don’t hesitate to contact us. We look forward to hearing from you.

Janic Verboon

Teamlead and Senior Endpoint Engineer