
Block Device Code Flow Authentication [CHK-1172]

This check verifies whether Device Code Flow authentication is blocked by a Conditional Access policy.

Rationale

Device Code Flow authentication allows devices on which traditional authentication doesn't work, such as Smart TVs and IoT devices, to sign in to Microsoft 365. However, this feature can be abused by cybercriminals to gain and/or maintain access to an account.

Fix

An automated fix is available through Attic.

Manual steps:

  1. Navigate to the Entra admin center at https://entra.microsoft.com
  2. Go to Protection > Conditional Access > Policies
  3. Click New Policy
  4. Under Assignments, select Users or workload identities > Include > All users
  5. Under Target resources > Resources (formerly cloud apps) > Include, select All resources
  6. Under Conditions > Authentication flows, set Configure to Yes and select Device code flow
  7. Under Access controls > Grant, select Block access
  8. Confirm the settings and set Enable Policy to Report-Only
  9. Click Create to enable the policy
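As an added example (not part of this check's documentation or Attic's own code), the following Python evaluates Conditional Access policies exported from Microsoft Graph and reports which ones match the policy described in the steps above. The Graph property names (`state`, `conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`) and the two sample policies are assumptions; a policy left in Report-Only mode (step 8) only logs sign-ins, so it is reported separately from an enforced block.

```python
SAMPLE_POLICIES = [  # constructed sample in Microsoft Graph conditionalAccessPolicy shape (assumed)
    {   # report-only: evaluated and logged, but nothing is blocked yet
        "displayName": "Block device code flow (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # enabled, but only requires MFA, so device code sign-ins still succeed
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

def _transfer_methods(policy: dict) -> set[str]:
    """Graph stores the selected flows as a comma-separated flag string; return them as a set."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}

def blocks_device_code_flow(policy: dict) -> bool:
    """True when the policy, regardless of its state, would block device code flow for everyone."""
    cond = policy.get("conditions") or {}
    users, apps = cond.get("users") or {}, cond.get("applications") or {}
    return (
        "deviceCodeFlow" in _transfer_methods(policy)
        and "All" in (users.get("includeUsers") or []) and not users.get("excludeUsers")
        and "All" in (apps.get("includeApplications") or [])
        and "block" in ((policy.get("grantControls") or {}).get("builtInControls") or [])
    )

def check_tenant(policies: list[dict]) -> dict[str, list[str]]:
    """Bucket matching policies by enforcement so a report-only pilot is not mistaken for a fix."""
    buckets = {"enabled": "enforced", "enabledForReportingButNotEnforced": "report_only"}
    result: dict[str, list[str]] = {"enforced": [], "report_only": []}
    for p in policies:
        key = buckets.get(p.get("state"))
        if key and blocks_device_code_flow(p):
            result[key].append(p["displayName"])
    return result
```

On the constructed sample the check finds no enforced block, only the report-only pilot, which is the situation this check would flag as not yet remediated.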

Impact

Blocking Device Code Flow authentication reduces the risk of phishing attacks and potential account compromise.

More Information