A frontline technician races to fix a critical system outage. Time is ticking, but instead of resolving the issue, they’re stuck battling passwords, waiting for SMS codes, or hastily approving MFA push notifications just to log in. These delays aren’t just frustrating; they’re costly. To make matters worse, attackers exploit this pressure with MFA fatigue attacks, counting on overwhelmed users to bypass safeguards for speed.
But you can simplify and streamline sign-in with the new QR code authentication method in Entra ID!
No more trade-offs between security and efficiency. With QR code authentication, workers scan a unique identifier (their personalized QR code) and enter a short PIN: no passwords, no need to bring costly keys, no waiting for SMS. In this guide, we’ll walk you through how to enable the QR code authentication method in Microsoft Entra ID. But first, let’s break down what it is and why it matters.
What is QR Code Authentication Method in Entra ID?
QR codes are everywhere, from connecting to Wi-Fi and browsing restaurant menus to registering devices in Entra. A QR code is just a square pixelated pattern that smartphones can scan to instantly access information. QR codes can encode and encrypt data while ensuring quick access, making them ideal for security applications.
They’ve evolved from everyday conveniences to security solutions. Their blend of security and efficiency makes them a strong choice for first-factor authentication in enterprises.
In Entra ID, QR code authentication consists of a unique QR code and a numeric PIN for a secure, seamless sign-in that eliminates the need for traditional authentication methods.
- Admins can generate and print these QR codes for users using the Microsoft Entra admin center, My Staff portal, or Microsoft Graph API.
- The PIN is linked solely to the associated QR code, making it unusable with other identifiers like username or phone number.
QR code authentication operates as a single-factor method in which the PIN acts as the credential. It strengthens authentication by eliminating common threats such as password spray attacks and credential theft.
Why and When to Use QR Code Authentication in Microsoft 365?
QR code authentication works best in specific enterprise scenarios. Imagine you’re managing a busy e-commerce store and want to simplify sign-ins for your frontline staff who use mobile devices. Instead of having your team type long credentials multiple times during hectic shifts, you can set up QR code authentication.
With this method, your employees simply scan a printed QR code to log in quickly, saving time and reducing delays during your busiest hours.
Moreover, QR code authentication is a practical option when investing in expensive hardware keys for temporary or seasonal staff is not feasible. Printed QR codes cost very little and scale easily, even with high employee turnover.
Key Prerequisites to Enable QR Code Authentication in Entra ID
Before proceeding with the steps to enable the QR code authentication method in Microsoft 365, let’s first understand the QR code authentication requirements.
- Required Role:
  - You must have at least the Authentication Policy Administrator role in your tenant to enable the QR code authentication method.
- License Requirements:
  - Each user must be licensed with one of the following licenses to use QR code authentication.
    - Microsoft 365 F1/F3/E3/E5
    - Entra ID P1/P2
    - EMS E3/E5
    - Office 365 F3
  - This method cannot be enabled for, and does not work for, users with a free Entra ID license.
- Device Requirements:
  - Devices must run Android, iOS, or iPadOS (iOS/iPadOS version 15.0 or later).
  - It’s recommended to enable shared device mode on the shared devices (optional). This ensures that frontline workers can only access specific resources from a compliant shared device by signing in with a QR code.
- Other essentials:
  - For QR code authentication in Teams, ensure the Teams app on the shared device is running these versions.
    - Android version 1.0.0.2024143204 or later
    - iOS version 1.0.0.77.2024132501 or later
  - If you plan for frontline managers to manage QR codes and PINs, consider enabling the My Staff portal.
Step 1: Enable QR Code Authentication Method in Microsoft Entra
To simplify things, Microsoft provides the following options to enable QR code authentication method for Microsoft 365 admins.
- Configure QR code authentication method in MS Entra admin center
- Set up QR code authentication method through Microsoft Graph API
1. Configure QR Code Authentication in Entra Admin Center
- Log in to the Microsoft Entra admin center and navigate to Protection → Authentication methods → Policies → QR code (Preview).
- In the Enable and Target tab, select the target users as all users or groups who need to sign in with a QR code, then toggle Enable.

- To update the default QR code settings, switch to the Configure tab, adjust them based on your requirements, then click Save.
  - QR Code PIN Length: The default QR code PIN length is 8 digits, but you can set it to up to 20 digits.
  - QR Code Lifetime: You can adjust the lifetime of a standard QR code from 1 to 395 days, with the default being 365 days.

Note: You can also set a custom lifetime for the QR code when assigning the QR code authentication method to a specific user if their access needs are temporary or require a specific validity period.
2. Enable QR Code Authentication Method Through Microsoft Graph API
To enable QR code authentication using Microsoft Graph Explorer, make sure you have consented to the Policy.ReadWrite.AuthenticationMethod permission.
Then, set the HTTP Method to PATCH, Version to beta, and enter the following API Endpoint in the query field.
```
https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/qrCodePin
```
Next, enter the following request in the Request body field and hit Run query.
```json
{
  "@odata.type": "microsoft.graph.qrCodePinAuthenticationMethodConfiguration",
  "id": "qrCodePin",
  "state": "enabled",
  "includeTargets": [
    {
      "targetType": "group",
      "id": "all_users"
    }
  ],
  "excludeTargets": [],
  "standardQRCodeLifetimeInDays": 365,
  "pinLength": 8
}
```

In this example, we have enabled QR code authentication for all users, with a PIN length of 8 digits, and a standard QR code lifetime of 365 days. You can change the values based on your requirements.
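The request body above targets all_users, while the best practices later in this guide recommend enabling the method only for a frontline group. The following Python sketch is an added example, not code from Microsoft or from this guide's original text: it audits a qrCodePin policy body against the limits stated on this page and builds a group-scoped variant. The function names, the finding strings, the placeholder group ID and the use of 8 as the minimum PIN length are assumptions.

```python
import json

# Bounds taken from this page: PIN up to 20 digits (the default of 8 is treated
# as the floor here, which is an assumption) and QR lifetime of 1 to 395 days.
PIN_RANGE = range(8, 21)
LIFETIME_RANGE = range(1, 396)

# The request body shown above, which enables the method for every user.
PAGE_BODY = json.loads("""{
  "@odata.type": "microsoft.graph.qrCodePinAuthenticationMethodConfiguration",
  "id": "qrCodePin", "state": "enabled",
  "includeTargets": [{"targetType": "group", "id": "all_users"}],
  "excludeTargets": [],
  "standardQRCodeLifetimeInDays": 365, "pinLength": 8
}""")

def targeted_body(group_id, pin_length=8, lifetime_days=365):
    """Same configuration, scoped to one group (group_id is a placeholder object ID)."""
    body = json.loads(json.dumps(PAGE_BODY))          # deep copy, PAGE_BODY stays intact
    body["includeTargets"] = [{"targetType": "group", "id": group_id}]
    body["pinLength"] = pin_length
    body["standardQRCodeLifetimeInDays"] = lifetime_days
    return body

def audit(body):
    """Return a list of findings for a qrCodePin policy body; empty means none."""
    findings = []
    if body.get("state") != "enabled":
        return findings                                # disabled policy: nothing exposed
    included = {t.get("id") for t in body.get("includeTargets", [])}
    excluded = {t.get("id") for t in body.get("excludeTargets", [])}
    if "all_users" in included:
        findings.append("scope: enabled for all_users; target a frontline group instead")
    if not included - excluded:
        findings.append("scope: enabled but no group is effectively targeted")
    if body.get("pinLength") not in PIN_RANGE:
        findings.append("pinLength: outside 8-20")
    if body.get("standardQRCodeLifetimeInDays") not in LIFETIME_RANGE:
        findings.append("lifetime: outside 1-395 days")
    return findings

if __name__ == "__main__":
    print(audit(PAGE_BODY))
    print(json.dumps(targeted_body("00000000-0000-0000-0000-000000000000"), indent=2))
```

Run `audit` on the body you are about to PATCH, or on the JSON returned by a GET of the same endpoint, before rolling the policy out.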
Step 2: How to Register QR Code Authentication Method for a User in Microsoft 365
Now that QR code authentication is enabled for users, let’s explore how to generate a unique QR code for a user so that they can use it to sign in. To add the QR code authentication method for a user, follow one of the methods below based on your use case.
- Add the QR code authentication method for any user from Entra admin center [or]
- Use My Staff portal to assign QR code authentication for frontline workers
Assign QR Code Authentication Method for a User in Microsoft Entra Admin Center
- In Microsoft Entra admin center, navigate to Identity → Users → All users. Then, click on the user for whom you want to enable QR code authentication.
- Next, select Authentication methods → Add authentication method and then choose the QR code (Preview) from the Choose method drop-down.
- Modify the Expiration date if needed and set the Activation time to now or later.
- You can enter your custom PIN or use the Generate PIN option if you prefer a system-generated temporary PIN.
- QR code authentication is a single-factor authentication method that relies on a PIN as a credential, a piece of information known only to the user.

- Next, click Add. The QR code authentication method will be added to the user’s usable authentication methods and the QR code will be generated.
- Then, copy the PIN and click Download image to save the QR code.
Add QR Code Authentication Method for a User from My Staff Portal
This method is only for those who manage frontline workers; if you have already followed the Entra admin center method, you can skip it. It allows you to assign QR code authentication to users within specific administrative units (e.g., by store or department). It is perfect for delegating user management tasks to frontline managers.
Let’s see the steps to assign QR code authentication method for a user in My Staff portal.
- Log in to the My Staff portal, select the administrative unit and the desired user to add QR code authentication method.
- Next, click Manage QR code authentication method and select the Add QR code method.
- Adjust the Expiration date if needed and set the Activation time to now or later. Click Download or Print QR image based on your requirement to save the QR code. Then, hit Copy PIN and Done.

Now you can share this QR code and PIN with the designated user so that they can use them to log in from mobile devices.
Important Note:
- This QR code authentication method doesn’t work on desktop apps.
- The temporary PIN assigned during QR code generation will be updated during the user’s first sign-in with the QR code.
- The downloaded QR code image is already optimized for printing. Reducing its size may affect readability by devices.
- The same QR code can’t be regenerated since it is unique. If the QR code doesn’t work, delete it and create a new one.
End-user Experience: User Sign-In Process to Authenticate with QR Code
Having covered the administrative setup for enabling QR code authentication, let’s now turn our attention to the end-user perspective. In this section, we’ll walk through the user sign-in process, showcasing steps that end-users or frontline workers need to follow for successful sign-in with QR code.
Users can sign in with a QR code through the mobile web browser or an optimized mobile app.
Mobile web browser sign-in with QR code
- Open a web browser on your smartphone and browse to https://login.microsoftonline.com/. Then, click on the Sign-in options.
- Select Sign in to an organization → Sign in with a QR code. Then, allow camera access.
- Now, scan the QR code and enter the PIN shared by your admin or frontline manager.
- If you’re logging in for the first time with QR code, it’ll ask you to change the current PIN.
- Enter the current PIN and specify the new PIN. The PIN must follow the specified length set on the authentication method.

Mobile application sign-in with QR code
- You can enhance your app’s sign-in experience by adding QR code authentication using the Microsoft Authentication Library (MSAL).
- This method streamlines the process, reducing steps for users, similar to the sign-in experience in Teams or Managed Home Screen (MHS).
- The optimized QR code authentication feature is supported in both Android apps and iOS apps through BlueFletch and Jamf app launchers, making sign-in faster and more efficient.
Modify the QR code Authentication Method for a User in Microsoft 365
Similar to adding QR code authentication for a user, you can edit or delete the QR code for a user by using the Microsoft Entra admin center and My Staff portal.
Edit and delete QR code for a user in Microsoft Entra admin center
- To manage QR code for a user, navigate to the user’s authentication methods section in the Entra admin center.
- Click the ellipsis on the QR code (Preview) under Usable authentication methods and select the Edit option.
- Now, you can modify the expiration date and PIN of the standard QR code. If a standard QR code is expired or stolen, you can delete it with the Delete button.
- To add a new standard QR code, click the Add Standard QR code option and choose the expiration and activation time, then hit Add.
- If you need to reset a user’s PIN, click the pencil icon next to the masked PIN, select Generate new PIN, and confirm the reset.
- In some scenarios, frontline users may have forgotten to bring their QR code or lost it. In these situations, you can generate a temporary QR code with an expiration between 1 and 12 hours.
- To add a temporary QR code, click Add Temporary QR code and specify the lifetime (in hours) and activation time, then click Add.
- You can delete this temporary QR code using the Delete button provided under Temporary QR code or you can let it expire.

Manage QR code for a user in My Staff portal
- In the My Staff portal, select the user who has QR code authentication enabled from the administrative unit, then select Manage QR code authentication method.
- You can now change the expiration date for a standard QR code using the Edit option.
- To delete a standard QR code, click Delete and confirm. To add a new standard QR code, click Add new, set the activation time and expiration date, then click Add.
- Afterward, download or print the QR code and click Done. For a temporary QR code, click Add new, specify its lifetime in hours and activation date, then click Add.
- To reset a PIN, click Reset PIN, then click Copy PIN to copy it to your clipboard.

To delete the QR code authentication method for a user:
- In Entra admin center, go to the user’s Authentication methods section, click the ellipsis on the QR code (Preview) under Usable authentication methods, and select the Delete option.
- In My Staff portal, click Delete QR code method on the user’s Manage QR code authentication method section.
Best Practices for QR Code Authentication
As the QR code authentication method is a first-factor authentication method, it’s important to follow these best practices to keep your organization safe and secure.
- Targeted Deployment for Frontline Workers:
Instead of rolling out QR code authentication for every user, configure it exclusively for a specific group such as frontline workers using targeted settings in Microsoft Entra Authentication method policies.
- Phishing-Resistant Methods for External and Information Workers:
For external users or internal information workers who may access resources from outside the secure network, configure passkeys or phishing-resistant MFA for secure login. This ensures that high-value accounts remain protected against phishing and other attacks.
- Layered Security with Conditional Access:
Combine QR code authentication with Conditional Access policies. For example, require an approved app, restrict access to resources based on trusted networks, and enforce shared device mode where applicable. This additional layer reduces risk if someone compromises a QR code.
- Responsive Handling of Lost or Stolen QR Codes:
Take immediate action to remove or replace QR codes if a code is lost, stolen, or compromised. This may involve automated workflows or clear support channels to quickly disable compromised codes and issue new ones.
- Prevent Brute-Force with Smart Lockout:
To further secure QR code authentication, configure smart lockout in Entra that temporarily disables access after a series of consecutive incorrect PIN entries. This helps prevent brute-force attacks by detecting and mitigating multiple failed attempts.
- Monitor Sign-in Failures and User Training:
Regularly auditing sign-in failures in Microsoft 365 is an important part of strengthening authentication. It gives you insight into what is causing sign-in failures, such as an attacker trying to intrude or strict CA policies. Along the way, educate users on best practices such as not writing their PIN on the QR code badge and avoiding common patterns or repeated sequences of digits in the PIN.
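For the sign-in failure monitoring recommended above, the following Python sketch is an added example, not part of the original guide or of any Microsoft tooling. It scans exported sign-in records for runs of failed QR code sign-ins and for a success that ends such a run. The records are constructed and use a subset of the Microsoft Graph signIn fields; the method label in QR_METHOD, the thresholds and the non-zero error code are assumptions to check against your own tenant's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the label your tenant's sign-in log shows for this method.
# Confirm it against one real QR sign-in record before relying on the filter.
QR_METHOD = "QR code pin"

def _rec(upn, ts, code, ip, method=QR_METHOD):
    """Constructed record using a subset of the Microsoft Graph signIn fields."""
    return {"userPrincipalName": upn, "createdDateTime": ts, "ipAddress": ip,
            "status": {"errorCode": code},
            "authenticationDetails": [{"authenticationMethod": method}]}

# Constructed sample data: names, times, IPs and the non-zero error code are invented.
SAMPLE = (
    [_rec("kiosk1@contoso.example", f"2025-01-10T08:00:0{i}Z", 1, "203.0.113.7")
     for i in range(5)]
    + [_rec("kiosk1@contoso.example", "2025-01-10T08:00:09Z", 0, "203.0.113.7")]
    + [_rec("kiosk2@contoso.example", "2025-01-10T08:01:00Z", 1, "198.51.100.4"),
       _rec("kiosk2@contoso.example", "2025-01-10T08:01:20Z", 0, "198.51.100.4")]
    + [_rec("kiosk3@contoso.example", f"2025-01-10T09:00:0{i}Z", 1, "203.0.113.9",
            "Password") for i in range(6)]
)

def _when(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))

def _is_qr(rec):
    return any(d.get("authenticationMethod") == QR_METHOD
               for d in rec.get("authenticationDetails", []))

def pin_guessing_alerts(signins, threshold=5, window=timedelta(minutes=10)):
    """Flag runs of >= threshold QR failures inside window, and a success ending one."""
    recent = defaultdict(list)          # upn -> [(time, ip)] of recent failures
    alerts = []
    for rec in sorted(filter(_is_qr, signins), key=_when):
        upn, now = rec["userPrincipalName"], _when(rec)
        recent[upn] = [(t, ip) for t, ip in recent[upn] if now - t <= window]
        if rec["status"]["errorCode"] != 0:           # any non-zero code is a failure
            recent[upn].append((now, rec["ipAddress"]))
            if len(recent[upn]) == threshold:         # alert once per run
                alerts.append((upn, "failure_run", rec["ipAddress"]))
        else:
            if len(recent[upn]) >= threshold:         # PIN may have been guessed
                alerts.append((upn, "success_after_failure_run", rec["ipAddress"]))
            recent[upn].clear()
    return alerts
```

A success_after_failure_run alert is the one to act on first: delete that user's QR code and issue a new one, as described in the lost or stolen QR code practice above.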
In conclusion, by enabling the QR code authentication method exclusively for targeted groups, organizations can simplify sign-in while maintaining their security posture. We hope this blog has given you insights on enabling the new QR code authentication method in Microsoft Entra ID. If you have any questions or require additional help, please feel free to leave a comment below.