Microsoft Entra ID: QR Code Authentication Method (Preview)
[Figure: Entra ID QR Code]
In mid-February, Microsoft announced a new Entra ID authentication feature called “QR Code Authentication” for frontline workers. According to Microsoft's documentation, this new feature is designed to make signing in faster and easier for frontline workers.
This is the Microsoft announcement in summary:
“We are introducing a new simple way for Frontline Workers to authenticate in Microsoft Entra ID with a QR code and PIN, eliminating the need to enter long UPNs and alphanumeric passwords multiple times during their shift.”
So, my friends, today I am going to share my findings and experience with this new Entra ID feature. Okay, let’s dive into the topic.
What is QR Code Authentication?
This authentication method is primarily designed for frontline workers to speed up their sign-in process to apps and shared devices. It consists of a unique QR code and a numeric PIN. The QR code is unique to every user. It can be downloaded and printed from the Authentication Methods section of the Entra admin center, the My Staff portal or Microsoft Graph. For easier access, it can be attached to the worker’s badge or any other wearable item.
Apart from that, administrators can provide a temporary PIN for users, which can be changed during sign-in. That PIN is bound to the QR code only; it cannot be used with other identifiers such as a username, password or mobile number. Moreover, this authentication method is classified as a single-factor method in which the PIN is the credential.
This authentication method is primarily for frontline workers and not for information workers. Microsoft highly recommends phishing-resistant authentication or MFA for information workers.
This feature is mainly aimed at frontline workers in these sectors:
- Retail & Hospitality
- Healthcare
- Manufacturing
- Warehousing
- Logistics
- Transportation
What Are the Prerequisites to Enable the QR Code Authentication Method?
- Microsoft Entra ID tenant with F1, F3, P1 license.
- Android, iOS or iPadOS shared devices.
- Shared device mode needs to be enabled on shared devices.
- Configure the My Staff portal as per the administration requirement.
- Printer to print the QR codes in 2" x 2" size.
Now, let’s look at how to enable this QR authentication method in Entra ID. You can follow the steps below to configure and generate a QR code and PIN for a user’s single-factor sign-in.
First, we need to enable the feature in Policies from the Authentication Methods page.
Path for enabling the feature:
- Home > Protection > Authentication Methods > Policies > QR Code (Preview)
- Click Enable > Add Users or Groups > Change PIN length & Lifetime if needed > Save
[Figure: Enable QR Code]
[Figure: Set PIN length & Lifetime]
Then we can configure this method for the users by following these steps.
- Sign in to the Microsoft Entra admin center.
- Select Users > All users.
- Find the relevant user and open their properties page.
- Select Authentication methods > Add authentication method.
- Select QR code (Preview) from the list.
- Define the PIN length and expiration (the maximum length is 13 months).
- Select it to be activated now or on a specific date and generate or define a PIN code.
- Click Add.
[Figure: Configure QR code]
Once you complete the setup, the QR code and PIN will be displayed on the Authentication Methods page. You may need to download and save the QR code and PIN because they need to be provided to the user.
[Figure: QR Code & PIN]
The QR code and PIN are displayed only once on the page, and you cannot see them again once it closes. However, you can change the PIN whenever you want, and you can delete the existing QR code and PIN as needed. You can also use Microsoft Graph PowerShell to generate these QR codes and PINs.
[Figure: Generated QR Code]
Also, admins can enable the My Staff portal to let frontline managers such as supervisors, team leads and executives manage password resets, QR code setup and other authentication features for their staff.
[Figure: User Settings - My Staff Portal]
[Figure: Authentication Settings - My Staff Portal]
To do that, we need to create an administrative unit in Entra ID and assign admins (frontline managers) and users (workers) to the unit.
[Figure: Administrative Units]
What Does the Sign-in Experience Look Like?
Once everything’s set up, frontline workers can use their shared Android, iPad or iOS devices to authenticate their user accounts to the desired apps and resources.
- Navigate to https://login.microsoftonline.com/ using the web browser of the shared device.
[Figure: My Login Portal]
- Click Sign-in Options.
- Select Sign into an Organization.
[Figure: QR sign-in Option]
- Click the “Sign in with a QR Code” option.
- Scan the previously downloaded QR code and enter the PIN to complete the sign-in process.
However, I tried this method in my testing environment, but I couldn’t authenticate the relevant user (Cargo Loader 01) via the QR code as expected. It says “We can’t sign you in with that QR code. Scan the one provided by your organization” as shown in the screenshot. I assume this error is occurring because I am using my personal mobile phone instead of a shared device, or it could be an unknown issue. Since this is still in preview, these types of issues might arise. I am still looking for a solution and will update you all once I find a fix.
In my opinion, there is a chance for hackers to phish this experience. They can use social engineering techniques to get the QR code and PIN from the workers, because I believe most frontline workers have more limited tech knowledge than IT workers. So, I think we must be more aware of these phishing attacks, educate the workers to avoid these kinds of threats, and try to enhance the security of these authentication methods.
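An added example, not part of the original post: because the QR code plus PIN is a single-factor credential intended only for frontline workers on shared devices, a reviewer can check sign-in records for QR sign-ins that fall outside that scope. The record fields, device names, user names and thresholds below are hypothetical and constructed for illustration; they are not the Entra sign-in log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names and values are hypothetical,
# not the real Entra sign-in log schema; map them to your own export.
SIGNINS = [
    {"time": "2025-03-03T06:01:00", "user": "cargo.loader01",
     "method": "qrCodePin", "device": "shared-tab-01", "ok": True},
    {"time": "2025-03-03T06:05:00", "user": "cargo.loader01",
     "method": "qrCodePin", "device": "personal-phone-77", "ok": False},
    {"time": "2025-03-03T06:06:00", "user": "cargo.loader01",
     "method": "qrCodePin", "device": "personal-phone-77", "ok": False},
    {"time": "2025-03-03T06:07:00", "user": "cargo.loader01",
     "method": "qrCodePin", "device": "personal-phone-77", "ok": False},
    {"time": "2025-03-03T07:30:00", "user": "finance.analyst",
     "method": "qrCodePin", "device": "shared-tab-02", "ok": True},
    {"time": "2025-03-03T08:00:00", "user": "cargo.loader02",
     "method": "password", "device": "shared-tab-02", "ok": True},
]
SHARED_DEVICES = {"shared-tab-01", "shared-tab-02"}     # shared-device inventory
FRONTLINE_USERS = {"cargo.loader01", "cargo.loader02"}  # accounts scoped to the QR policy
MAX_FAILURES = 3                                        # failed PINs tolerated per window
WINDOW = timedelta(minutes=10)


def review_qr_signins(signins, shared_devices, frontline_users):
    """Return sorted (user, reason) findings for QR code + PIN sign-ins."""
    findings, failures = set(), {}
    for rec in sorted(signins, key=lambda r: r["time"]):
        if rec["method"] != "qrCodePin":
            continue  # only the single-factor QR method is reviewed here
        when, user = datetime.fromisoformat(rec["time"]), rec["user"]
        if user not in frontline_users:
            findings.add((user, "non_frontline_account"))
        if rec["device"] not in shared_devices:
            findings.add((user, "device_not_in_shared_inventory"))
        if not rec["ok"]:
            # Keep only this user's failures inside the sliding window.
            recent = [t for t in failures.get(user, []) if when - t <= WINDOW]
            failures[user] = recent + [when]
            if len(failures[user]) >= MAX_FAILURES:
                findings.add((user, "repeated_pin_failures"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review_qr_signins(SIGNINS, SHARED_DEVICES, FRONTLINE_USERS):
        print(f"{user}: {reason}")
```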
Final Thoughts
The QR code authentication method in Microsoft Entra ID could be a game-changer. It will make logging in faster, safer, and easier, especially for frontline workers. With a simple scan-and-go system, this could be the future of authentication for shared devices with more security and reliability.
So, guys, if your organization wants to improve security and efficiency, now’s the perfect time to try it out! 💡
If you want a deep dive into this new feature, refer to these official Microsoft documentation pages and guides:
Have thoughts or questions? I'd love to hear from you! Drop a comment below, and let's discuss more…!!!