Microsoft Entra offers an innovative solution for fast and secure access: sign-in with QR code. This method simplifies the sign-in process while ensuring a high level of security. QR code sign-ins are ideal for employees in industries such as hospitality, production, logistics or healthcare who have to sign in to different devices several times a day.
The QR code sign-in eliminates the tedious typing of user names and passwords. Instead, the user simply scans the QR code with their smartphone, enters the PIN and the sign-in process begins.
This blog post explains how to implement the QR code authentication method, how to issue a QR code for the user, and how the user can successfully sign in to a device using it.
The QR code authentication method is currently in public preview.
Prerequisites and Licensing
Licences
To enable user sign-ins with QR codes, a Microsoft Entra F1, F3 or P1 license is required.
An overview of Microsoft licensing packages and their features can be found at https://m365maps.com/.
Roles
The following roles are suitable for configuring and issuing QR codes according to the principle of least privilege:
| Role | Authorisation |
| --- | --- |
| Authentication Policy Administrator | Configuration of authentication methods |
| Authentication Administrator | Managing authentication methods for non-administrative users |
App
The Microsoft Teams app must be installed on the device:
- Android version 1.0.0.2024143204 or later
- iOS version 1.0.0.77.2024132501 or later
Enable QR Code Authentication Method
To enable users to sign in using a QR code, this authentication method must be activated in the Microsoft Entra admin center.
Sign in to the Microsoft Entra admin center (https://entra.microsoft.com/), go to Protection > Authentication methods > Policies and select QR code.

In the Enable and Target tab, switch on the Enable button and select All Users. If required, individual groups can also be included or excluded.

The following options can be set in the Configure tab:
QR PIN Length (1)
PIN length between 8 and 20 characters (NIST standard).
Lifetime of the standard QR code (2)
By default, the QR code is valid for 1 year. The duration can be reduced to 1 day or increased to a maximum of 13 months.
Click on Save.

The QR code authentication method is now enabled.

Issue QR Code
A QR code with PIN can be issued for each authorised user.
Sign in to the Microsoft Entra admin center (https://entra.microsoft.com/) and select the user under Identity > Users > All users.

Open Authentication methods and select Add authentication method.

- Select authentication method QR code
- Set Activation time
- Create PIN code manually or with Generate PIN
- Create QR code with Add

- Note PIN
- Download QR code as image
After closing this window, the QR code can no longer be displayed. If the QR code needs to be displayed or downloaded again in the future, the existing one must be deleted and a new one issued.

The QR code is successfully issued and can be used by the user for sign-ins.

Sign In with QR Code
At the time of this blog post, QR code sign-ins are supported on mobile devices with iOS, iPadOS and Android, for example for Microsoft Teams or web sign-ins.
Below is a web sign-in:
Open https://login.microsoftonline.com in the browser of the mobile device and click on Sign-in options.

Select Sign in to an organisation

Select Sign in with a QR code

Scan QR code

Enter PIN

The PIN must be changed at the first login.
The PIN length must match the settings of the authentication method (at least 8 characters according to the NIST standard).

The sign-in is successfully completed.
