A New Day, A New Method: QR Code in Entra ID

Microsoft Entra ID now offers QR code authentication, a sign-in method built for frontline workers. These workers often share mobile devices and must sign in repeatedly to reach store or field apps, which is slow and frustrating with a username and password. To address this, Microsoft has released QR code authentication for Entra ID.

THIS FEATURE IS IN PUBLIC PREVIEW.

Entra ID keeps evolving toward passwordless, low-friction access, and one of the latest additions to the authentication arsenal is QR code sign-in. It lets users sign in to apps on a shared device by scanning a printed code with the device's camera and entering a PIN (the scan happens in the app's sign-in page on the shared device, as described below).

According to Microsoft’s official documentation, QR sign-in is built for frontline scenarios, shared devices, and kiosks, where typing a username and password isn’t ideal or secure. Instead, the user pulls out their phone, scans a code, and gains access—no keystrokes, no credentials, instant login.

But here's the reality: this is more than a convenience feature. It is a new authentication method with its own sign-in flow, and it deserves the same scrutiny as any other credential.


How QR Code Sign-In Works

QR code authentication is configured just like other Entra ID methods. An administrator enables the QR code method in the Microsoft Entra admin center (or via the Graph beta API, which is still limited during the Public Preview) and assigns it to specific user groups. Next, the admin generates a unique QR code and initial PIN for each worker.

These QR codes can be printed (for example, on badge labels or lanyards) and handed out to employees. If workers forget their badge, admins can create a short-lived “temporary” QR code that expires in hours.

Each step of the sign-in is straightforward:

  1. Enable and Assign: The IT admin turns on the QR code auth method in Entra ID’s Authentication Methods policy and adds the frontline users or group.

  2. Distribute Codes: Using the Microsoft Entra admin center or the My Staff portal, the admin generates and prints each user’s QR code and initial PIN. Workers receive the code (for example, on a badge) and a temporary PIN.

  3. Scan and Sign In: A worker opens a shared app or the browser sign-in on a mobile device (Android or iOS) and taps “Sign in with QR code”. The device camera activates; the user holds their badge so the app scans the QR code. The user is then prompted to enter their personal PIN (they set this on first use). Upon correct entry, the user is authenticated into the app under their Entra ID account, all without typing any username or password.

In a nutshell – What QR Code Actually is and Isn’t

Let’s be precise: QR Code Sign-In is not a protocol, and it’s definitely not a new OAuth2 grant type.

What It Is

  • A UX wrapper around Microsoft's standard OAuth 2.0-based login flow
  • Built on top of the ordinary interactive sign-in: the code is scanned from the sign-in page on the shared device and followed by a PIN prompt
  • Possibly paired with device-bound Proof of Possession (PoP) tokens on registered devices (speculation; the printed code itself is not device-bound)
  • A front-end trigger for Microsoft-managed OAuth session establishment on the scanning device

What It’s Not

Concept | Is it? | Why
OAuth2 Grant Type | No | There is no grant_type=qr_code; it is not part of the OAuth spec or Microsoft's extensions.
New Authentication Protocol | No | It defines no new wire formats, tokens, or authorization server behaviors.
API-Driven Flow | No | There is no public Graph API or REST endpoint to drive the QR login flow itself (only to provision the method).


Behind the Scenes

To the user, the new QR code authentication method looks simple: scan, enter a PIN, done. Under the hood, though, it introduces a secure, conditional, and extensible login flow tailored for shared-device environments. Here's what's going on in the background:

The QR Code is a Login Hint

Each printed QR code represents a unique identifier bound to a specific Entra ID user object. This is not a bearer token and doesn’t grant direct access. Instead:

  • The QR code carries an identifier tied to the user (the author's reading is something along the lines of login_hint=qr:[UserId]); it is a hint, not a credential.

  • The device scanning it treats this as the user's identity reference, much like pre-populating the username field.

  • It reduces friction, especially when the username is long.

PIN = Knowledge Factor + Session Unlock

Once the QR is scanned, the user must enter a PIN. This PIN:

  • It is not stored in plain text; it is hashed and stored securely in Entra ID as part of the QR code authentication method.

  • It functions as a second factor during login: "something you know" paired with "something you have" (the QR code).

  • It is scoped per user. Admins can force a PIN reset, set PIN policies (length, rotation), and set re-authentication intervals.

Token Issuance Follows OAuth2 Standards

After validating the QR and PIN combo, the authentication flow proceeds as follows:

  • The Entra ID platform validates the user binding and verifies the entered PIN.

  • A Primary Refresh Token (PRT) is issued if the device supports shared device mode.

  • Access tokens (optionally ID tokens) are generated based on the target app and Conditional Access outcomes.

This flow aligns with standard OAuth2 protocols, meaning it’s fully compatible with the broader Microsoft Identity Platform.

No Device Binding Required

Unlike FIDO2 or Authenticator app methods, the QR code is not tied to a specific device:

  • This makes it perfect for shared Android tablets in frontline scenarios.

  • Devices don’t need to be enrolled or managed in Intune, but pairing QR sign-in with Shared Device Mode and Edge Work Profiles is recommended.

Because the QR is only a hint:

  • Stealing a QR doesn’t instantly grant access

  • But… it identifies a target account, and combined with a known or guessed PIN, can be exploited

  • No anti-replay mechanism exists in the QR itself, so it can be cloned unless rotated or revoked

  • It bypasses username prompts, reducing friction, but also removes one visibility point


Configure QR Code via PowerShell

The PowerShell script referenced below uses the Microsoft Graph beta API to enable the QR code authentication method in Microsoft Entra ID for targeted user groups.

The QR code method allows users to sign in using a printed or digital QR code and a PIN, simplifying the login experience on shared devices, especially for frontline workers in retail, healthcare, manufacturing, and similar environments.

PowerShell Setup: Enable QR Code Sign-In via Microsoft Graph API

Script: Enable QR Code PIN Auth Method via Graph API.ps1

Screenshot: the method as it appears under Authentication Methods | Policies in the Entra admin center.

PowerShell Script: Add Standard QR Code Authentication Method via Graph API

This PowerShell script uses the Microsoft Graph beta API to provision a standard QR code authentication method for a specified user in Microsoft Entra ID. It authenticates via an app registration (client credentials flow), builds the required payload with a configurable start and expiration time, and sets the initial PIN tied to the user's QR code sign-in.

Once executed, the user has the QR code method pre-provisioned and can complete registration in the Entra security info portal (https://aka.ms/mysecurityinfo). Until the user scans the QR code and finalizes setup, the method is listed as non-usable.

After the script has run, you can validate the user's authentication methods in Entra ID to confirm that the QR code method is present and within its validity window.
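The procedure above (policy enablement for a group, per-user pre-provisioning with a PIN and validity window, and the follow-up validation) as one added PowerShell example. It is not the post's script and not Microsoft's code: it uses the Microsoft.Graph PowerShell SDK's Connect-MgGraph and Invoke-MgGraphRequest against the two beta endpoints named in this post, and it assumes the request body property names of the Graph beta qrCodePin resources (state, pinLength, standardQRCodeLifetimeInDays, includeTargets with isRegistrationRequired for the policy; pin.code and standardQRCode.startDateTime/expireDateTime for the user method). The tenant, client and object IDs are placeholders, and the PIN is generated at run time from a CSPRNG rather than hard-coded.

```powershell
# Added example (not the post's script): enable the QR code PIN method for one group,
# pre-provision one user's method with a random PIN and a 90-day window, then read it back.
# Assumptions: Graph beta property names as listed in the lead-in; IDs below are placeholders.
#Requires -Modules Microsoft.Graph.Authentication

$Beta    = 'https://graph.microsoft.com/beta'
$GroupId = '00000000-0000-0000-0000-000000000001'   # placeholder: frontline group object ID
$UserId  = '00000000-0000-0000-0000-000000000002'   # placeholder: user to pre-provision

function New-RandomPin {
    # Unbiased random digits from a CSPRNG (Get-Random is not suitable for secrets).
    param([int]$Length = 8)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $pin = ''
    while ($pin.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 250) { $pin += [string]($buf[0] % 10) }   # reject 250..255 to avoid modulo bias
    }
    return $pin
}

function Set-QrCodePinPolicy {
    # Group enablement: PATCH the tenant-wide method configuration and target the group.
    # isRegistrationRequired = $true makes the registration campaign prompt targeted users.
    param([string]$GroupId, [int]$PinLength = 8, [int]$LifetimeDays = 365)
    $body = @{
        '@odata.type'                = '#microsoft.graph.qrCodePinAuthenticationMethodConfiguration'
        state                        = 'enabled'
        pinLength                    = $PinLength
        standardQRCodeLifetimeInDays = $LifetimeDays
        includeTargets               = @(@{ targetType = 'group'; id = $GroupId; isRegistrationRequired = $true })
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method PATCH -ContentType 'application/json' -Body $body `
        -Uri "$Beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/qrCodePin"
}

function New-UserQrCodePinMethod {
    # Per-user provisioning: PUT creates the method with an initial PIN and a validity window.
    # Returns the PIN so the caller can deliver it out of band; nothing else in this script persists it.
    param([string]$UserId, [int]$ValidDays = 90)
    $now = [DateTimeOffset]::UtcNow
    $pin = New-RandomPin -Length 8
    $body = @{
        pin            = @{ code = $pin }
        standardQRCode = @{
            startDateTime  = $now.ToString('o')
            expireDateTime = $now.AddDays($ValidDays).ToString('o')
        }
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method PUT -ContentType 'application/json' -Body $body `
        -Uri "$Beta/users/$UserId/authentication/qrCodePinMethod" | Out-Null
    return $pin
}

function Test-QrCodeWindow {
    # Validation: the method is non-usable (see "Non-Usable Authentication Methods") when its
    # standard QR code has a future startDateTime or a past expireDateTime. Returns the reasons;
    # an empty list means the window is open (user-side registration is still required).
    param($Method, [DateTimeOffset]$At = [DateTimeOffset]::UtcNow)
    $reasons = @()
    $qr = $Method.standardQRCode
    if (-not $qr) { return @('no standard QR code provisioned') }
    if ([DateTimeOffset]$qr.startDateTime -gt $At)  { $reasons += "startDateTime $($qr.startDateTime) is in the future" }
    if ([DateTimeOffset]$qr.expireDateTime -le $At) { $reasons += "expireDateTime $($qr.expireDateTime) has passed" }
    return $reasons
}

# App-only auth (client credentials with a certificate) is required for the per-user PUT.
Connect-MgGraph -TenantId $env:TENANT_ID -ClientId $env:CLIENT_ID `
    -CertificateThumbprint $env:CERT_THUMBPRINT -NoWelcome

Set-QrCodePinPolicy -GroupId $GroupId
$initialPin = New-UserQrCodePinMethod -UserId $UserId
$method     = Invoke-MgGraphRequest -Method GET -Uri "$Beta/users/$UserId/authentication/qrCodePinMethod"
$problems   = Test-QrCodeWindow -Method $method
if ($problems.Count -eq 0) { "Method provisioned; initial PIN (deliver out of band): $initialPin" }
else { "Method provisioned but non-usable: $($problems -join '; ')" }
```

The policy PATCH needs Policy.ReadWrite.AuthenticationMethod and the user PUT needs AuthenticationMethod.ReadWrite.All (application only), which is why the script connects app-only throughout. Treat the returned PIN as a credential: hand it over with the printed badge and do not write it to a ticket or log.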


QR Code PIN Authentication Enablement: User vs Group via PowerShell

This comparison covers only the differences when enabling from PowerShell, not other feature comparisons.

Group-based enablement is ideal for scalable policy enforcement and ensures users are prompted to register QR code sign-in during authentication, but it doesn't allow preconfiguring user-specific PINs or expiration timelines. User-based provisioning, on the other hand, offers full control over the QR code attributes but lacks built-in enforcement and delegated support.

In practice, many organizations use both approaches:

  • Group enablement for enforcing QR registration across frontline or shared device roles

  • Per-user enablement to pre-provision QR code credentials for key identities, pilots, or automation flows

Feature / Capability | Group Enablement | User Enablement
API Endpoint | PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/qrCodePin | PUT /users/{id}/authentication/qrCodePinMethod
Target Scope | Entire group | Single user
Permissions Required | Policy.ReadWrite.AuthenticationMethod (delegated supported) | AuthenticationMethod.ReadWrite.All (application only)
Supports Delegated Login (Connect-MgGraph) | Yes | No
Supports App-only Authentication | Yes | Yes (required)
Ideal For | Org-wide rollouts, enforcement via policy | Pre-provisioning, pilot users, and admin-level use cases
Enforced During Sign-in | Yes (registration campaign applies) | No (does not trigger a registration prompt)
Can Configure PIN Length and Expiration | Yes | Yes
Centralized Auditing | Yes (via group membership) | No (requires per-user tracking)
Scales Across Large User Sets | Yes | No (requires automation per user)
Compatible with Conditional Access | Yes | No

“Non-Usable Authentication Methods” in Microsoft Entra ID

When configuring passwordless or strong authentication at scale in Microsoft Entra ID, you’ll often encounter a user state labeled “Non-Usable Authentication Methods.” This status appears in the Entra admin portal under each user’s authentication settings, and it has real operational implications.

What Does “Non-Usable” Actually Mean?

A method is classified as non-usable when it has been provisioned but not completed by the user. This typically happens when:

  • The method was provisioned via the Graph API (e.g., QR code PIN, FIDO2).

  • The user has not completed registration (e.g., hasn't scanned the QR code or used the PIN).

  • The method has a future startDateTime or an expired expireDateTime.

  • The method was configured in the backend but never activated interactively.

These methods exist but cannot be used for authentication until the user finishes setup.

To complete the setup from the user side, follow Microsoft's guide, How to enable QR code authentication for Microsoft Entra ID (Preview).

The Security Gaps

QR code authentication in Microsoft Entra ID was designed to solve a real problem: fast, secure-ish sign-in for frontline workers on shared devices. From a usability standpoint, it is a game changer. From a security research perspective, though, it is a new attack surface, and I've found more than 10 ways to bypass or abuse it in testing, including bypassing GSA.

Note: I will share an attack technique in the next blog post.

What We Found in Real-World Security Testing:

Bypassing Conditional Access — under specific device/browser conditions, CA signals are skipped or not evaluated as expected.
Identity spoofing via QR clone + PIN — no certificate, proof-of-device, or per-session trust.
Silent token issuance behind the scenes — including PRTs, without meaningful telemetry.
Evading risk-based access — login method appears low-risk by default; attacker gains foothold.
No phishing resistance — attacker can fake the login flow and relay credentials in real-time.
Session persistence on unmanaged devices — tokens remain usable even after revoking the badge.

QR code sign-in is not currently compatible with Conditional Access policies that require device-based conditions.

Translation? You’ve just created a login method that:

  • Doesn’t enforce Intune compliance
  • Doesn’t require Hybrid Azure AD Join
  • Doesn’t check device state
  • May not honor location-based policies

So while your CA policies defend traditional logins with ironclad rules, QR code sign-in walks straight past them.

Additional Security Gaps

  • Lack of fine-grained telemetry: QR code logins appear as ordinary interactive sign-ins, making them harder to isolate in SIEM/XDR tools.
  • Unrestricted entry points: any device that can present the QR sign-in screen can be used, with no endpoint verification.
  • Token issuance visibility: there is limited insight into how PoP tokens are scoped and tied to devices during QR authentication.
  • Inconsistent auditing: the session originates on the scanning mobile device while the resource is accessed elsewhere, which complicates identity correlation.
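The telemetry points above (QR sign-ins look like ordinary interactive sign-ins, and device compliance or Conditional Access may not apply) as an added PowerShell example that is not from the post. It runs a filter over sign-in records shaped like the Graph beta signIn resource (authenticationDetails, deviceDetail, conditionalAccessStatus), using three constructed sample records so it runs offline, and includes a function that pages through /auditLogs/signIns for live data. The method name 'QR code' in authenticationDetails is an assumption; confirm it against one known QR sign-in in your tenant before relying on it.

```powershell
# Added example (not from the post): isolate QR code sign-ins from Entra sign-in logs and flag
# the ones that landed on unmanaged or non-compliant devices, or without Conditional Access.
# Assumption: the method shows up as authenticationDetails[].authenticationMethod -eq 'QR code'.
$QrMethodName = 'QR code'

function Select-QrSignIn {
    # Pure filter over signIn-shaped records (hashtables as returned by Invoke-MgGraphRequest).
    # Emits one summary object per QR sign-in with the review flags a SOC analyst wants.
    param([object[]]$SignIns, [string]$MethodName = $QrMethodName)
    foreach ($s in $SignIns) {
        $usedQr = @($s.authenticationDetails | Where-Object {
            $_.authenticationMethod -eq $MethodName -and $_.succeeded -eq $true
        }).Count -gt 0
        if (-not $usedQr) { continue }
        $dev = $s.deviceDetail
        [pscustomobject]@{
            When        = $s.createdDateTime
            User        = $s.userPrincipalName
            App         = $s.appDisplayName
            Ip          = $s.ipAddress
            Os          = $dev.operatingSystem
            Managed     = [bool]$dev.isManaged
            Compliant   = [bool]$dev.isCompliant
            CaStatus    = $s.conditionalAccessStatus
            # Review when the device is outside management or CA never evaluated the sign-in.
            NeedsReview = (-not $dev.isManaged) -or (-not $dev.isCompliant) -or ($s.conditionalAccessStatus -eq 'notApplied')
        }
    }
}

function Get-RecentSignIns {
    # Live fetch: pages through /beta/auditLogs/signIns for the last N hours (needs AuditLog.Read.All).
    param([int]$Hours = 24)
    $since = [DateTime]::UtcNow.AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=createdDateTime ge $since&`$top=999"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

# Constructed sample records (not real tenant data) so the filter can be exercised offline.
$sample = @(
    @{ createdDateTime = '2025-06-01T08:02:11Z'; userPrincipalName = 'worker1@contoso.example'
       appDisplayName = 'Microsoft Teams'; ipAddress = '203.0.113.10'; conditionalAccessStatus = 'notApplied'
       deviceDetail = @{ operatingSystem = 'Android'; isManaged = $false; isCompliant = $false }
       authenticationDetails = @(@{ authenticationMethod = 'QR code'; succeeded = $true }) },
    @{ createdDateTime = '2025-06-01T08:05:40Z'; userPrincipalName = 'worker2@contoso.example'
       appDisplayName = 'Microsoft Teams'; ipAddress = '203.0.113.11'; conditionalAccessStatus = 'success'
       deviceDetail = @{ operatingSystem = 'Android'; isManaged = $true; isCompliant = $true }
       authenticationDetails = @(@{ authenticationMethod = 'QR code'; succeeded = $true }) },
    @{ createdDateTime = '2025-06-01T08:07:03Z'; userPrincipalName = 'admin@contoso.example'
       appDisplayName = 'Azure Portal'; ipAddress = '203.0.113.12'; conditionalAccessStatus = 'success'
       deviceDetail = @{ operatingSystem = 'Windows'; isManaged = $true; isCompliant = $true }
       authenticationDetails = @(@{ authenticationMethod = 'Password'; succeeded = $true },
                                 @{ authenticationMethod = 'Microsoft Authenticator'; succeeded = $true }) }
)

# Offline run over the constructed sample; the admin's password + Authenticator sign-in is dropped.
Select-QrSignIn -SignIns $sample | Format-Table When, User, App, Managed, Compliant, CaStatus, NeedsReview

# Live run: Connect-MgGraph -Scopes 'AuditLog.Read.All'
#           Select-QrSignIn -SignIns (Get-RecentSignIns -Hours 24) | Where-Object NeedsReview
```

The filter keys on the authentication details rather than on the app or client, because that is the only place the method is visible once the sign-in otherwise looks interactive. If your tenant records the method under a different display name, change $QrMethodName; the NeedsReview flag is deliberately noisy (unmanaged OR non-compliant OR CA not applied) so that a QR sign-in on a badge-sharing tablet is never silently accepted.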

Attackers Perspective

QR + PIN = Single-Factor Authentication (SFA)

Gap: If no Conditional Access policy adds a further requirement, a badge and a PIN are all an attacker needs.
Risk: Stolen badge + observed PIN = instant, undetected login.

Why it matters:

  • QR code auth is not FIDO2 or Authenticator-based MFA.

  • On paper it is something you have (the QR code) plus something you know (the PIN). A printed code can be photographed, though, so the "have" factor degrades into another "know" factor and the combination behaves like a single factor.

  • If you don't enforce CA to require compliant devices, known locations, or strong auth for sensitive apps, an attacker with physical access can walk right in.

Exploitation scenario:

  • Attacker gets badge (photo, clone, stolen).

  • Shoulder-surf or guess the PIN.

  • Opens Teams on a phone, scans QR, and enters PIN.

  • Instant access to corporate data with no MFA challenge.

QR on Physical Medium

Gap: The QR code is printed and static — unless revoked by admin.
Risk: Anyone who sees it can copy it. There’s no device binding.

Why it matters:

  • It’s not like a TOTP or FIDO2 key that rotates or is cryptographically bound.

  • Once printed, anyone with the QR can initiate login as that user.

  • It works from any device, anywhere, unless constrained by Conditional Access.

Exploitation scenario:

  • QR is printed on a badge, left on a desk, and shared across shifts.

  • A photo of the QR is taken and used later from a non-corporate device.

  • Unless the QR method is reset, that identity can be spoofed indefinitely.

No Biometrics or Phishing Resistance

Gap: No fingerprint, no face unlock, no phishing resistance. Just scan and type.
Risk: Bad actors can replicate the flow exactly, phish the PIN, or create fake portals.

Why it matters:

  • Unlike the Authenticator app (which uses push approval + device binding), this flow has:

    • No app attestation

    • No cryptographic challenge

    • No phishing detection

  • An attacker can literally:

    • Create a fake QR login screen

    • Ask the user to scan & enter PIN

    • Replay those inputs via the real Microsoft login flow

Exploitation scenario:

  • The user sees a fake device or a web login prompting a QR code scan.

  • They scan their real badge and type the PIN.

  • The attacker relays the scanned identifier and PIN to Entra ID in real time (an adversary-in-the-middle relay).

No Session Timeout / Lock by Default

Gap: If not configured, shared device sessions stay open way too long.
Risk: A user logs in, walks away, and the next person has full access.

Why it matters:

  • QR login ≠ session-aware logout.

  • Microsoft does not auto-logout based on QR usage.

  • Unless you’re using:

    • Shared Device Mode (Android)

    • App idle timeout policies

    • CA sign-in frequency controls

…you’re leaving accounts active and exposed.

Exploitation scenario:

  • The user logs in with a QR code.

  • Leaves the tablet unattended.

  • Attacker walks up X minutes later — still signed in.


TL;DR

QR code sign-in is fast, modern, and built for frontline speed, but the security controls around it are not all in place.

You must:

  • Manually scope it to secure groups
  • Log it via sign-in logs and conditional access insights
  • Threat model the flow in your Zero Trust strategy
  • Monitor usage for shadow access or kiosk abuse

QR Code Login is not MFA, phishing-resistant, or resilient against physical cloning. It’s a low-friction auth flow designed for retail and warehouse workers who just want to open Teams quickly, and that’s fine. But don’t confuse “fast” with “secure.”
