Step-by-Step Guide: How to enable QR code authentication for Microsoft Entra ID (Preview)?

Microsoft Entra ID supports a long list of authentication methods:

Windows Hello for Business
Microsoft Authenticator app
Authenticator Lite
Passkey (FIDO2)
Certificate-based authentication
Hardware OATH tokens (preview)
Software OATH tokens
External authentication methods (preview)
Temporary Access Pass (TAP)
Short Message Service (SMS) sign-in and verification
Voice call verification
Password

This enables organizations to select the most secure and productive authentication methods for their business. While the most secure method may not always be the most productive, and vice versa, having a variety of supported authentication methods helps to strike a balance between these two aspects. Microsoft Entra ID now supports QR code authentication, a method specifically designed for frontline workers who use shared devices. This provides a convenient and secure login experience for these workers.

How it works?

1) An account with the Authentication Policy Administrator role or higher can enable QR code as an authentication method.
2) Once the method is enabled, a QR code and a temporary PIN can be generated for the user.
3) The QR code should be made available to the user. It can be downloaded, printed, or added to a badge.
4) The QR code is unique, but it cannot be used without the PIN.
5) The temporary PIN must be reset when the user authenticates for the first time.
6) Once the QR code and PIN are set up, the user can use them for subsequent logins.

Things to remember!

1) QR code authentication is designed for frontline workers and should not be widely used. Phishing-resistant authentication is recommended wherever possible.
2) Do not enable this authentication method for all users; enable it only for the users who require it.
3) QR code authentication is currently supported only on mobile devices running iOS/iPadOS or Android.
4) QR code authentication does not allow self-service PIN reset for users.
In this blog post I am going to demonstrate how to configure QR code authentication for Microsoft Entra ID users. Let's start with enabling the authentication method.

1) Log in to the Entra admin portal at https://entra.microsoft.com/ as an Authentication Policy Administrator or higher.
2) Navigate to Protection | Authentication Methods.
3) Under Policies, click on QR code (Preview).
4) In the QR code (Preview) settings page, click on Enable to turn on the authentication method. Then, select the relevant user group as the target.
5) Click on the Configure tab. Here, you can adjust the PIN length and the lifetime of the QR code. The default is 365 days, but it can be extended up to 395 days.
6) Once the changes are made, click on Save to apply them.

This enables the QR code as an authentication method for the tenant. Next, let's see how to generate a QR code for a user.

Generate QR code authentication for a user

To generate a QR code for a user:

1) Navigate to Users | All users.
2) Select the user from the target group configured in the previous section.
3) Click on Authentication methods.
4) Click on + Add authentication method.
5) From the dropdown, select QR code (Preview).
6) In the settings page, define the expiration date and activation time.
7) Click on Generate PIN to create a temporary PIN. Note down the PIN and click on Add.
8) This will generate the QR code. Download it for use with authentication.

Now that we have generated a QR code for a user, let's proceed with some testing.

Testing

For testing, I used an iOS device to log in to the Office portal. On the login page, I typed the username and then clicked on Sign-in options. In the Sign-in options page, I selected Sign in to an organization. On the next page, I chose Sign in with QR code. I clicked on Allow to grant access to the camera. After that, I scanned the QR code downloaded in the previous step. Once the QR code was successfully detected, I entered the temporary PIN that was generated and clicked on Sign in.

On the next page, I was prompted to define a new PIN since this was the first login. After defining the PIN, I clicked on Sign in. As expected, I was able to log in successfully. This marks the end of the blog post, and I believe you now have a better understanding of how to enable and use QR code for authentication.

Seamless and Secure Access to Digital Healthcare Records with Microsoft Entra Suite
Healthcare professionals who dedicate their skills to saving lives must also manage operational and safety challenges inherent to their roles. If you're in charge of cybersecurity for a healthcare organization, you're intimately familiar with the need to comply with government healthcare regulations that, for example, require securing access to systems that house patient health information (PHI), are used for overseeing controlled substances, or are necessary to enable the secure consumption of AI. Every year, hundreds of U.S. healthcare institutions fall victim to ransomware attacks, resulting in network closures and critical systems going offline, not to mention delayed medical operations and appointments.[i]

Sensitive healthcare systems are very attractive targets for cyberattacks and internal misuse. Many cybercriminals gain initial access by compromising identities. Thus, the first line of defense against bad actors, whether internal or external, is to protect identities and to closely govern access permissions based on Zero Trust principles:

Verify explicitly. Confirm that the individual signing into a system used to electronically prescribe controlled substances is actually the care provider they say they are.
Use least privilege access. Limit a caregiver's access to the systems they need to use for their job.
Assume breach. Discover unauthorized access and block it before an adversary can deploy ransomware.

This blog is the first in a series on how Microsoft Entra Suite and the power of cloud-based security tools can protect access to sensitive healthcare assets while improving the user experience for care teams and staff.

On-premises healthcare applications and cloud-based security

Some of the most widely adopted healthcare applications, such as electronic health records (EHRs), began decades ago as on-premises solutions that used LDAP (Lightweight Directory Access Protocol) and Active Directory to authenticate users. As enterprises shifted from on-premises networks protected by firewalls at the network perimeter to hybrid environments that enabled "anytime, anywhere access," these solutions became vulnerable to attackers who gained unauthorized access to hospital networks via the Internet. Cloud-based security tools introduced advantages such as centralized visibility and control, continuous monitoring, automated threat detection and response, and advanced threat intelligence based on trillions of security signals. Many existing healthcare applications, however, didn't support the new protocols necessary to take advantage of all these benefits.

Over the past several years, Microsoft has worked closely with software vendors to integrate their applications with our comprehensive identity security platform, Entra ID, which is built on modern open security standards. As a result, many healthcare applications, including the most widely deployed EHR systems, can now benefit from the advanced security capabilities available through Microsoft Entra Suite, including single sign-on (SSO), multifactor authentication (MFA), Conditional Access, Identity Protection, and Network Protection.

Securing access to healthcare applications with Microsoft Entra Suite

Healthcare organizations can standardize on Microsoft Entra to enable single sign-on (SSO) to their most commonly used healthcare applications and resources, including the most widely used EHR vendors, whether they're on-premises or in clouds from Microsoft, Amazon, Google, or Oracle. Care teams, who may use dozens of different applications during their workday, benefit from seamless and secure access to all their resources with Microsoft's built-in advanced identity and network security controls.

Not only does Microsoft Entra offer a holistic view of all users and their access permissions, but it also employs a centralized access policy engine, called Conditional Access, that combines trillions of signals from multiple sources, including identities and devices, to detect anomalous user behavior, assess risk, and make real-time access and data protection decisions that adhere to regulatory mandates and Zero Trust principles. In simple terms, this enables controls that verify who a user is and what device they are using, including when using kiosks, remote, or many-to-one workstations, to decide if it is safe to enable access. This ability to support modern authentication successfully maps clinicians to their cloud identity and, in turn, unlocks powerful user-based models for data protection with Microsoft Purview.

With Microsoft Entra, healthcare organizations can enforce MFA at the application level for more granular control. They can strengthen security by requiring phishing-resistant authentication for staff, contractors, and partners, and by evaluating device health before authorizing access to resources. They can even require additional verification steps for IT admins performing sensitive actions. Moreover, Microsoft Entra ID Protection processes a vast array of signals to identify suspicious behaviors that may indicate an identity compromise. It can raise risk levels to trigger risk-based Conditional Access policies that protect users and resources from unauthorized access. For more details about risk detections in Entra ID Protection, visit our documentation.

Seamless and secure access for healthcare professionals

Integrating applications with Microsoft Entra ID makes it possible for healthcare professionals to work more securely with fewer disruptions when they access medical records and treat patients, even when they're working offsite, such as at a patient's home or as part of a mobile medical unit.

Microsoft Entra supports the strict protocols for electronic prescribing of controlled substances (EPCS). The EPCS mandate requires that healthcare providers authenticate their identities before they can prescribe controlled substances electronically. This means that each provider must have a unique user identity that can be verified through secure methods such as multifactor authentication (MFA). This helps prevent unauthorized access and ensures that only authorized individuals can issue prescriptions. The Health Insurance Portability and Accountability Act (HIPAA) also has specific obligations for access and identity to ensure the security and privacy of protected health information (PHI). Microsoft Entra Suite has a variety of controls to help meet these obligations that we will explore in additional blogs.

Phishing-resistant authentication methods, which rely on biometrics and hardware tokens, significantly reduce the risk of unauthorized access to sensitive systems and data. These methods, which include passkeys, are practically impossible for cybercriminals to compromise, unlike passwords or SMS-based MFA. By eliminating passwords altogether, healthcare providers can better protect patient data, reduce the risk of violating HIPAA regulations, and prevent cyber and ransomware attacks that could disrupt healthcare operations.

You can experience the benefits of Microsoft Entra ID, MFA, Conditional Access, and Entra ID Protection as part of the Microsoft Entra Suite, the industry's most comprehensive Zero Trust access solution for the workforce. The Microsoft Entra Suite provides everything needed to verify users, prevent overprivileged permissions, improve detections, and enforce granular access controls for all users and resources. Get started with the Microsoft Entra Suite with a free 90-day trial. For additional details, please reach out to your Microsoft representative.

Read more on this topic

Electronic Prescriptions for Controlled Substances (EPCS) - Azure Compliance | Microsoft Learn
Conditional Access adaptive session lifetime policies - Microsoft Entra ID | Microsoft Learn
Overview of Microsoft Entra authentication strength - Microsoft Entra ID | Microsoft Learn
Microsoft Entra ID Epic Connector - Edgile
Use data connectors to import and archive third-party data in Microsoft 365 | Microsoft Learn

Learn more about Microsoft Entra

Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.

Microsoft Entra News and Insights | Microsoft Security Blog
Microsoft Entra blog | Tech Community
Microsoft Entra documentation | Microsoft Learn
Microsoft Entra discussions | Microsoft Community

[i] Microsoft Corporation. Microsoft Digital Defense Report 2024: The foundations and new frontiers of cybersecurity. p. 3. Microsoft, October 2024.