I had the pleasure of staffing the Microsoft Entra stand at the 2025 Microsoft Ignite conference. 17,000 people and the ability for anyone to come and ask their Entra questions and we got lots. It was fun.
One of the questions asked was by a gentleman who had users on a factory floor and who wanted to sign them into their specific applications using a QR Code rather than username/password/MFA. I had not looked at this feature and some of the other settings that could work with it, so I thought I would look now and answer the question by way of a blog post. Here we will look at setting up QR Code sign in for our frontline workers (factory, shop floor etc) where we have a QR Code on the users identification badge and their own PIN for login.
Once you have a group and added your users to it, you can allow this group to use QR Code as a sign in method. As these users should only be signing in from your factory or shop floor, you should also use Conditional Access policies to block login from outside of your public IP ranges. These two configurations are done in the Entra Admin Centre https://entra.microsoft.com.
Under the “Configure” option you can set the end user PIN length (defaults to the minimum of 8) and the PIN lifetime duration, set to 1 year by default.
For each user in your group, visit the Users page and the Authentication Methods section. From here add a QR Code authentication method:
You are now shown the QR Code for this user. You need to download this now as you cannot get it again. If you need the code later you need to generate a new one and download that one.
Note that you can also add a temporary QR Code via editing the existing QR Code authentication method on the user should they have forgotten to bring their current QR Code with them for that day. Temporary QR Codes have a lifetime of 3 hours by default and up to 12 hours.
The QR code that you obtain when adding this authentication method to a user needs to be available for the user to scan to login. For example, this QR code could be added to their ID badge. In the scenario of a shared login for a specific device, the QR code could be printed out next to the device.
Once the user is ready to login, they need to scan the QR Code for their account or the shared account in the above scenario and enter their PIN number. This is all that is needed to complete authentication.
To scan the QR Code you follow these steps at the standard Entra ID login page.
- User selects Sign-In options
- Select Sign in to an organization
- Finally, select Sign in with a QR code (this might be hidden by your phone keyboard!)
There is a way to speed this up in your own application when using the MSAL library (AcquireTokenParameters/PreferredAuthMethod = PreferredAuthMethod.QR).
This looks as follows:
Once you select Sign in with a QR code you may see a camera consent prompt. This can be removed with MSAL code in the application, but once you allow the use of the camera you can scan your QR code, for example on the ID badge as shown below:
Note that if you enable QR code authentication for a user, they need to sign-in with an existing authentication method before they can sign in with a QR code for the first time, or they see an Incorrect QR code error. This is listed as a Known Issue on the Entra ID documentation for QR code sign-in.
Once you scan the QR code you need to enter your PIN. If this is the first login using that PIN you need to change it. Both of these are shown below:
You now get access to the applications you need, all without a password!
Photo by Pixabay: https://www.pexels.com/photo/qr-code-on-screengrab-278430/
Leave a Reply