
πŸ“ Microsoft Entra ID Device Code Authentication Flow is not restricted 🟒

  • Contextual name: πŸ“ Device Code Authentication Flow is not restricted 🟒
  • ID: /ce/ca/azure/microsoft-entra-id/device-code-authentication-flow
  • Located in: πŸ“ Microsoft Entra ID

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Description

Conditional Access policies can be used to block the device code authentication flow. Device code flow should be permitted only for users who regularly perform duties that explicitly require device code authentication, such as using Azure with PowerShell.

Rationale

Attackers use the device code flow in phishing attacks. A successful attack gives the attacker access tokens and refresh tokens scoped to "user_impersonation", with which they can perform any action the user has permission to perform.

Impact

Microsoft Entra ID P1 or P2 is required.

This policy should be tested in Report-only mode before implementation. Without a full and careful understanding of the accounts and personnel that require the device code authentication flow, implementing this policy can block authentication for users and devices that rely on device code flow. For users and devices that rely on device code flow authentication, more secure alternatives should be implemented wherever possible.

Audit

Remediation

From Azure Portal

Part 1 of 2 - Create the policy and enable it in Report-only mode
  1. From Azure Home, open the portal menu in the top left and select Microsoft Entra ID.
  2. Scroll down in the menu on the left and select Security.
  3. On the left side, select Conditional Access.
  4. Select Policies.
  5. Click the + New policy button, then:
  6. Provide a name for the policy.
  7. Under Assignments, select Users, then:
    • Under Include, select All users.
    • Under Exclude, check Users and groups and select only the emergency access accounts.
  8. Under Assignments, select Target resources, then:
    • Under Include, select All cloud apps.
    • Leave Exclude blank unless you have a well-defined exception.
  9. Under Conditions > Authentication Flows, set Configure to Yes, then:
    • Select Device code flow.
    • Select Done.
  10. Under Access Controls > Grant, select Block Access.
  11. Set Enable policy to Report-only.
  12. Click Create.

Allow some time to pass to ensure the sign-in logs capture relevant conditional access events. These events will need to be reviewed to determine if additional considerations are necessary for your organization (e.g. many legitimate use cases of device code authentication are observed).
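The Part 1 procedure above, done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the CIS benchmark or the Cloudaware policy text. It creates the same policy in Report-only mode (all users, all cloud apps, device code flow, block, emergency access accounts excluded) and then summarises which recent sign-ins that report-only policy evaluated as "would have been blocked", which is the log review the paragraph above describes. The policy display name, the 14-day look-back window and the emergency access account object ID are assumptions and placeholders, not values from the page.

```powershell
# Added example, not from the CIS benchmark or the Cloudaware policy page.
# Requires the Microsoft.Graph PowerShell SDK: Install-Module Microsoft.Graph
# Creating a Conditional Access policy needs Policy.ReadWrite.ConditionalAccess,
# Policy.Read.All and Application.Read.All; reading sign-in logs needs
# AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

function New-DeviceCodeFlowBlockPolicy {
    param(
        # Object IDs of your emergency access (break-glass) accounts; the default is a placeholder.
        [string[]] $EmergencyAccessAccountIds = @('00000000-0000-0000-0000-000000000000'),
        # Assumed display name; use whatever your naming convention requires.
        [string]   $DisplayName = 'CA - Block device code flow'
    )

    $body = @{
        displayName = $DisplayName
        # 'enabledForReportingButNotEnforced' is the API value behind the portal's "Report-only".
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users = @{
                includeUsers = @('All')                      # Users > Include > All users
                excludeUsers = $EmergencyAccessAccountIds    # Users > Exclude > emergency access accounts
            }
            applications = @{
                includeApplications = @('All')               # Target resources > Include > All cloud apps
            }
            authenticationFlows = @{
                transferMethods = 'deviceCodeFlow'           # Conditions > Authentication Flows > Device code flow
            }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('block')                     # Access Controls > Grant > Block Access
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Get-DeviceCodeFlowReportOnlyImpact {
    param(
        [Parameter(Mandatory)] [string] $PolicyId,
        [int] $LookBackDays = 14    # assumed review window; extend it if device code use is rare
    )

    $since   = (Get-Date).ToUniversalTime().AddDays(-$LookBackDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

    # The policy is scoped to the device code flow only, so every sign-in in which it
    # evaluated to 'reportOnlyFailure' is a device code sign-in that enforcement would block.
    $wouldBeBlocked = $signIns | Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $PolicyId -and $_.Result -eq 'reportOnlyFailure' }
    }

    # Who uses device code flow, and with which client: this is the list to review
    # for legitimate use cases before switching the policy to On.
    $wouldBeBlocked |
        Group-Object -Property UserPrincipalName, AppDisplayName |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Usage: create the policy now; run the review once the sign-in logs have had time to accumulate.
$policy = New-DeviceCodeFlowBlockPolicy -EmergencyAccessAccountIds @('<break-glass-account-object-id>')
"Created '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"

# Days later, in a new session:
# Get-DeviceCodeFlowReportOnlyImpact -PolicyId '<policy-id>' | Format-Table -AutoSize
```

The review deliberately keys off the policy's own report-only result rather than off a device-code attribute of the sign-in, because the v1.0 sign-in resource does not expose the authentication protocol; since the policy matches nothing but the device code flow, "reportOnlyFailure" for this policy identifies exactly the sign-ins that would be blocked once the policy is enforced.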

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 CIS Azure v3.0.0 → 💼 2.2.3 Ensure that an exclusionary Device code flow policy is considered (Manual) | | | 1 |
💼 Cloudaware Framework → 💼 General Access Controls | | | 10 |