Blocking Authentication Transfer in Microsoft Entra ID

| Field | Details |
|---|---|
| Document Type | Blocking Authentication Transfer in Microsoft Entra ID |
| Applies To | Microsoft Entra ID, Conditional Access policy |
| Audience | 2nd Line / Entra ID Admins / IT Engineer |
| Author | AK. Udofeh |
| Last Updated | April 2026 |

Overview

Authentication Transfer allows a user to authenticate on one device and transfer that session to another (e.g. scanning a QR code to sign into a mobile app). While convenient, it introduces risks where authentication can be extended to unmanaged or untrusted devices. This guide shows how to restrict or block this behaviour using Conditional Access.

Prerequisites

- Microsoft Entra ID P1 (or higher)
- Conditional Access Administrator role
- Identified exclusion accounts (break-glass)

Step 1: Access Conditional Access Policies

1. Sign in to the Microsoft Entra admin center
2. Navigate to: Entra ID > Conditional Access > Policies
3. Select + New policy

Step 2: Define Policy Scope

Users

- Include: All users OR specific groups
- Exclude: Emergency / break-glass accounts

Exclusions should be tightly controlled and reviewed regularly

Step 3: Target Resources

1. Select: Target resources (Cloud apps)
2. Include: All resources or specific applications

Step 4: Configure Authentication Flow Condition

1. Navigate to: Conditions > Authentication Flows
2. Set Configure = Yes
3. Select: Authentication Transfer
4. Click Done

Step 5: Block Access

1. Go to: Access Controls > Grant
2. Select: Block access
3. Click Select

Step 6: Enable Policy

1. Set policy state to: On
2. Click Create

Step 7: Validate Behaviour

Test scenarios:

- QR-based login
- Cross-device sign-in flows

Review:

- Sign-in logs
- Conditional Access results

Important Considerations

Blocking Authentication Transfer may impact:

- Mobile app onboarding flows
- QR code-based sign-ins
- Cross-device authentication experiences

This feature is enabled by default and must be explicitly controlled via policy

Best Practices

- Apply to high-risk user groups first
- Consider restricting instead of fully blocking where needed
- Combine with:
  - Device compliance policies
  - MFA enforcement

Summary

Blocking Authentication Transfer prevents authentication from being silently extended across devices, reducing the risk of unauthorized access from unmanaged endpoints. This ensures authentication remains tied to trusted and controlled environments.
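
The policy from Steps 2 to 6 expressed as a Microsoft Graph conditionalAccessPolicy body, with an offline check over exported policies to support the validation in Step 7. This is an added example, not part of the original guide. The display name, the object ID and the function names `build_policy` and `audit` are constructed for illustration, and the check assumes `transferMethods` is exported as a comma-separated string.

```python
import json

# Graph endpoint this body would be POSTed to; nothing is sent here (runs offline).
GRAPH_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def build_policy(break_glass_ids, state="enabled"):
    """Build the conditionalAccessPolicy body that mirrors Steps 2 to 6."""
    if not break_glass_ids:
        raise ValueError("no break-glass exclusion supplied for an all-users block")
    return {
        "displayName": "Block authentication transfer",  # constructed name
        "state": state,  # "enabled" corresponds to On in Step 6
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "authenticationTransfer"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def audit(policies, break_glass_ids):
    """Check exported policies: is the flow blocked, enforced, narrowly excluded?"""
    covered, findings = False, []
    for p in policies:
        cond = p.get("conditions") or {}
        flows = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
        if "authenticationTransfer" not in [m.strip() for m in flows.split(",")]:
            continue  # policy does not target this flow
        name = p.get("displayName", "<unnamed>")
        if "block" not in ((p.get("grantControls") or {}).get("builtInControls") or []):
            findings.append(f"{name}: targets authentication transfer but does not block")
            continue
        if p.get("state") != "enabled":
            findings.append(f"{name}: state is {p.get('state')!r}, so nothing is enforced")
            continue
        users = cond.get("users") or {}
        excluded = set(users.get("excludeUsers") or []) | set(users.get("excludeGroups") or [])
        extra = excluded - set(break_glass_ids)
        if extra:
            findings.append(f"{name}: exclusions beyond break-glass: {sorted(extra)}")
        covered = True
    if not covered:
        findings.append("no enabled policy blocks authentication transfer")
    return covered, findings

if __name__ == "__main__":
    BREAK_GLASS = ["00000000-0000-0000-0000-0000000000a1"]  # constructed object ID
    print(json.dumps(build_policy(BREAK_GLASS), indent=2))
```

Running `audit` against a periodic export of the tenant's policies surfaces a disabled policy or an exclusion list that has grown beyond the break-glass accounts.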