Tablet showing a QR code for sign‑in on Android shared devices using Microsoft Entra, with a futuristic enterprise interface background
Posted inAndroid Enterprise Microsoft Entra ID Microsoft Intune

Seamless Access: Using QR Code Sign‑In on Android Enterprise Shared Devices with Microsoft Entra

Android Enterprise Shared devices are everywhere and found in various settings, including warehouses, retail floors, healthcare institutions, and educational facilities. While Android Enterprise has significantly improved the way we manage these devices, user authentication often remains a point of friction. Shared credentials, forgotten passwords, slow sign-ins, and support overhead can quickly turn a well-managed device into a daily frustration for both users and IT.

That’s where QR Code and PIN Authentication in Microsoft Entra comes in. By enabling this option in Microsoft Entra and in the Managed Home Screen, you’ll allow users to sign in simply by scanning a QR code and entering a PIN code. Organizations can remove the complexity of traditional username and password authentication, while still maintaining strong security and identity-based access through Microsoft Entra ID and Intune. The result is a faster, more intuitive sign-in experience that fits perfectly into high‑rotation or task-based environments.

Frontline worker wearing a safety helmet scans a QR code on his ID badge with a tablet to sign in to an Android Enterprise shared device using Microsoft Entra Shared Device Mode.

In this blog post, we’ll take a closer look at how QR code login works on Android Enterprise Shared Devices, and why it can be a game-changer for organizations that rely on shared hardware.

Microsoft Entra

Create a user group

The first thing we’re going to do is create a user group that we’ll use to enable the QR code authentication method for a specific group.

Go to Microsoft Entra admin center | Entra ID | Groups and choose New group.

Create a group with the following information:

  • Group type: Security
  • Group name: SEC – USR – Authentication Method Enabling QR code
  • Group description: Members in this group will have the Authentication Method QR code enabled for their Entra user
  • Microsoft Entra roles can be assigned to this group: No
  • Membership type: Assigned

Add an Owner, and also add the users for whom you want to enable the QR code option, and choose Create.

The next step is to enable the QR code as an authentication method for the group mentioned above.

Enabling the QR code Authentication Method

Go to the Microsoft Entra admin center | Entra ID | Authentication methods, and you’ll notice that the QR code method isn’t enabled by default.

Now let’s enable this method. Choose QR code, set the toggle to Enable, and select Select groups. Add our previously created group and choose Save.

Now that we’ve enabled the QR code method for our specific group, we need to generate one for our user as well.

Generate a QR code for the user

Go to Microsoft Entra admin center | Entra ID | Users, then choose your specific user and go to Authentication methods. Then choose Add authentication method, and you’ll notice that the QR code option is available now.

Now choose QR code and set the following, and then choose Add.

  • Choose method: QR code
  • Expiration: Choose a date when the QR code needs to expire
  • Activation time: Now
  • PIN: choose a PIN code or let it generate one for you

Once you’ve chosen Add, a QR code will be created and shown on the screen. Make sure to download the image of the QR code, because once you close the screen, you’ll need to create a new one.

Now that we have activated the QR code for our user, we need an Android Enterprise Shared Device to test logging in with the QR code and PIN on our device.

Microsoft Intune

Before we can start testing, we need an Android Enterprise Shared Device. In this blogpost I won’t go into complete detail on how to configure and enroll an Android Enterprise device in Shared Entra mode. For this part, I would like to refer to my previous post on Android Enterprise Shared Devices here.

App Configuration Policy

Go to the Microsoft Intune admin center | Apps | Android | Manage apps | Configuration and choose Create and go for Managed Devices

Create an App configuration with the following, and then choose Next

  • Name: AND – DVC – Shared – Enable QR code Authentication
  • Description: This app configuration will activate QR code authentication in the Microsoft Authenticator app for Android
  • Device enrollment type: Managed devices
  • Platform: Android Enterprise
  • Profile type: Fully Managed, Dedicated, and Corporate-Owned Work Profile Only
  • Targeted app: Microsoft Authenticator

In the Settings part, set Configuration settings format as Use configuration designer, and then choose +Add. Then choose the Preferred authentication configuration setting and choose OK.

In the configuration value, fill in the following: and choose Next:

  • Configuration key: Preferred authentication setting
  • Value type: string
  • Configuration value: qrpin

In the Assignments part, choose the device group you’ve chosen for your device enrollment for QR code enablement and choose Next.

Review your settings and choose Create.

Your app configuration is created. Now that our device configuration is ready, let’s see what this means on our device from the end-user perspective.

End-User Experience

When we boot up our Android Enterprise Shared Device, we see the option to sign in using a QR code via the button Scan QR Code. Now choose Scan QR Code

Now choose Scan QR Code, and you’ll be directed to a login page that says Sign in with a QR Code, scan the QR code of the user.

Enter the PIN code associated with the user account. If this is the first time the user uses a PIN code, they will be asked to change the PIN code. Then choose Sign in.

Once you’ve signed in, you’ll be redirected to the main screen of your Android Enterprise Shared Device and ready to go.

Error: Incorrect QR code

During this setup, I encountered the following error when testing with a newly created user. I received the following message: Incorrect QR code after scanning the user’s QR Code.

The reason was that this user was still having it’s default generated password and didn’t have the Microsoft Authenticator registered yet. So if you have a new user, let the user first log in on a computer, and let them register the Microsoft Authenticator app and change their password. After that, the QR code login worked like a charm.

Conclusion

Configuring QR code sign‑in for Android Enterprise Shared Devices provides a fast, secure, and user‑friendly authentication method that is ideally suited for Frontline workers. By integrating QR code authentication with Microsoft Entra Shared Device Mode and Microsoft Intune, users can quickly access shared devices without entering credentials, while IT maintains strong identity protection and centralized control. Sessions are automatically cleaned up after sign‑out, ensuring privacy and compliance and reducing risks associated with shared passwords or credential exposure. Overall, QR code sign‑in improves productivity, reduces login friction, and delivers a secure, zero–trust–aligned experience for both Frontline users and IT teams managing shared Android Enterprise environments.