Login with a QR code in Outlook Mobile (for Entra ID accounts)

In August 2021, Microsoft paused and rolled back the Outlook login with a QR code for Entra ID accounts. Personal Microsoft accounts were not affected.

As of August 2021, this experience has been put on hold indefinitely for commercial and enterprise users due to organizations’ lack of control over them. The work involved in providing these controls is extensive and the Identity team continues to work on them. We rolled back this feature for commercial and enterprise users since we wanted to provide more security and customization for all the different cases they managed.

QR code login for Entra ID accounts should be available again for Outlook Mobile until November 2024.

Outlook on the web and the new Outlook for Windows include a new “Outlook Mobile” option in the ribbon bar under Help. Microsoft would like to use this to simplify logging into Outlook Mobile.

QR-Code Anmeldung in Outlook im Web
QR code login in Outlook on the web

Entra ID accounts do not have to enter account names or passwords in Outlook Mobile with the simpler method. Users do their login steps on a PC and then simply scan a QR code with Outlook Mobile.


Use QR code login with Entra ID accounts

If the rollout has been completed and the option is enabled for your account, you will find the option for Outlook Mobile in Outlook on the web and in the new Outlook for Windows under Help.

QR-Code Anmeldung starten
Start QR code login

Complete the sign-in steps on your PC (user name + authentication). At the end Outlook will show you a QR code.

QR-Code Anmeldung in Outlook
QR code login in Outlook

In the Outlook Mobile app, add a new email account, select the option to scan a QR code, and follow the next steps. Outlook adds the account to the app.

Neues Konto über QR-Code hinzufügen
Add new account via QR code

Disable QR code login for Entra ID accounts
(in Exchange Online)

Exchange administrators can disable the QR code login option via an OWA policy. By default the property AccountTransferEnabled is active.

This feature is on by default but you can turn it off by setting the Set-OWAMailboxPolicy command, AccountTransferEnabled to false. Users that have already used this feature won’t be signed out.

PowerShell
PowerShell
Connect-ExchangeOnline
Get-OwaMailboxPolicy | select Identity,AccountTransferEnabled | fl # Get the state for all OWA policies

# Change the state for the global policy
Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AccountTransferEnabled $false 


The change to the OWA policy can take up to 8 hours.
The “Outlook Mobile” option is hidden in Outlook. It is no longer available for the account.


Disable QR code login for Entra ID accounts
(with Conditional Access Policy)

Microsoft refers to the possibility of restricting Authentication Transfer via a Conditional Access Policy.

You can create a new CA policy and select the following options:

  • Target resources: All cloud apps
    According to the sign-in logs, the resource “Office 365 Exchange Online” should be sufficient. At the moment, however, it does not block the option for QR code with the resource. With this selection, the Outlook app only signals that the QR code is invalid. With “All cloud apps” it blocks the possibility for QR code.
  • Conditions > Authentication flows > enable Authentication transfer
  • Access control > Grant > Block access
Conditional Access Policy
Conditional Access Policy

If users now select the option for “Outlook Mobile”, the policy blocks the possibility. The option for Outlook Mobile is not hidden via the CA policy.

Update from 28 September 2024:
The rollout has been canceled and will not be continued at the moment.

Share
Avatar photo

Tobias Asböck

Tobias is a Senior System Engineer with around ten years of professional experience with Microsoft 365 products such as SharePoint Online, OneDrive for Business, Teams Collaboration, Entra ID, Information Protection, Universal Print, and Microsoft 365 Licensing. He also has 15+ years of experience planning, administering, and operating SharePoint Server environments. Tobias is a PowerShell Scripter with certifications for Microsoft 365 products. In his spare time, Tobias is busy with updates in the Microsoft 365 world or on the road with his road bike and other sports activities. If you have additional questions, please contact me via LinkedIn or [email protected].

Leave a Reply

Your email address will not be published. Required fields are marked *