Events
9 Apr, 3 pm - 10 Apr, 12 pm
Code the Future with AI and connect with Java peers and experts at JDConf 2025.
Register NowAuthentication methods in Microsoft Entra ID - QR code authentication method (Preview)
QR code authentication method enables frontline workers to sign in efficiently in apps on shared devices. Users can use a unique QR code provided to them and enter their PIN to sign in, eliminating the need to enter intricate usernames and passwords. Currently, QR code authentication is supported only on mobile devices that run iOS/iPadOS or Android.
QR code authentication is a simple authentication method primarily designed for frontline workers. It consists of a unique QR code and a numeric PIN. The QR code serves as an identifier and is unique to the user. It can be downloaded and printed by using the Microsoft Entra admin center, My Staff, or Microsoft Graph. For convenience, the QR code can be attached to a badge or any other wearable item.
Authentication Administrators provide a temporary PIN to users, who then change it during sign-in. Only the user knows the PIN. It's exclusively bound to the QR code only. It can't be used with other user identifiers, such as a username or phone number. QR code authentication is a single-factor method in which the PIN (something you know) is a credential.
| Benefit | Description |
|---|---|
| Easier and faster sign-in | Frontline workers don't have to enter complex usernames or passwords to sign in multiple times into shared devices throughout their shift. |
| Inexpensive | Printing a QR code costs less than a hardware key, which can be cost prohibitive for organizations with temporary frontline workers. |
The following policies are applied when an Authentication Policy Administrator creates or resets a PIN.
| Policy | Values |
|---|---|
| Allowed characters | Numbers (0-9) |
| Unallowed characters | - Characters (A-Z, a-z) - Symbols (- @ # $ % ^ & * - _ ! + = [ ] { } | \ : ' , . ? / ` ~ " ( ) ; < >) - Unicode characters - Blank space |
| Minimum PIN length | 8-20 digits |
| PIN complexity | Enforced to avoid repetition and common sequences. The following patterns are checked: - Don't contain 0123456789 or 9876543210. - Don't repeat a sequence of 2-3 digits in the PIN, like 121212, or 123123 or 342342. An Invalid PIN error appears if the PIN includes unallowed characters or is less than the minimum PIN length. |
We recommend the following measures when you enable QR code authentication method as it's a single-factor authentication (something you know).
- QR code authentication is primarily for frontline workers (FLW) and not for information workers (IW). We recommend phishing-resistant authentication or MFA for IW.
- Combine QR code authentication with Conditional Access policies as another security layer. We recommended policies such as compliant devices, access within network, allow for certain applications, and shared device mode.
- Enforce phishing-resistant authentication or MFA when users access resources from outside of the store or workplace network.
- Replace QR codes that are lost or stolen.
Authentication Policy Administrators can enable QR code in Authentication methods in the Microsoft Entra admin center. QR code authentication is disabled by default.
In the Authentication method policy for QR code, you can configure:
PIN length: 8-20 digits.
Lifetime of standard QR code: 1-395 days. Default is 365 days. An Authentication Policy Administrator can change the default value when they add a standard QR code for a user.
For example, an admin can set the value to 30 days in the Authentication method policy. For every user in that tenant, the default expiration of a standard QR code is 30 days. An admin can change the default lifetime of the standard QR code for a specific user.
In this screenshot, the PIN length is set to the default of eight digits. The lifetime for the standard QR code is reduced to 200 days.
When an Authentication Policy Administrator adds the QR code authentication method for a user, it generates a standard QR code and PIN. To create a temporary QR code, they need to edit the QR code authentication method.
A temporary QR code helps when a user forgets to bring their badge with standard QR code. It has a shorter lifetime, up to 12 hours. When a QR code authentication method is deleted for the user, they can't sign-in with their existing QR codes and PIN.
A PIN works with both standard and temporary QR codes because PIN is valid for the QR code authentication method. An Authentication Policy Administrator can provide a custom PIN or generate a PIN when they create a QR code authentication method. They can copy a temporary PIN only when they generate it. The PIN is then masked to prevent exposure.
The usability states for a standard QR code, a temporary QR code, and the PIN for a QR code authentication method aren't related to each other. For example, an active QR code authentication method can have a deleted or expired standard QR code, and an active temporary QR code. At any given point of time, there can be only a single active standard QR code and a single active temporary QR code.
The following table lists examples for combinations for the states for a standard QR code, a temporary QR code, and PIN. An active QR code and active PIN are required for successful authentication.
| Standard QR code | Temporary QR code | PIN for QR code authentication method |
|---|---|---|
| Active | Doesn't exist | Temporary, or user updated |
| Active | Active | Temporary, or user updated |
| Deleted | Doesn't exist | Temporary, or user updated |
| Expired | Active | Temporary, or user updated |
| Expired | Expired | Temporary, or user updated |
For more information about how to manage QR codes, see How to enable the QR code authentication method in Microsoft Entra ID (Preview).
Users can sign in with a QR code by using the web sign-in experience or an optimized app sign-in experience.
You can use Microsoft's web browser sign-in experience (login.microsoft.com) to authenticate users. Users can click Sign in options > Sign in to an organization > Sign in with a QR code.
You can optimize sign-in for your apps by using Microsoft Authentication Library (MSAL) to add QR code as an option on the sign-in page. For example, you can add QR code sign-in just like Teams or Managed Home Screen (MHS). Then users can scan the QR code with two fewer clicks. This optimized sign-in experience is available in BlueFletch and Jamf app launchers.
For more information about how to optimize the sign-in experience, see:
- Set up optimized QR code authentication experience in Android app
- Set up optimized QR code authentication experience in iOS app
- Self-service PIN reset for users
- Bulk provisioning of QR code and PIN
- QR code scan by barcode scanners
- QR code authentication doesn't work with desktop apps or browsers
- Custom tenant endpoint for sign in
Additional resources
Training
Module
Improve sign-in security with Microsoft Authenticator - Training
Improve Microsoft Entra sign-in security by running a registration campaign to nudge users to set up Microsoft Authenticator push notifications as their default sign-in method.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.