🛡️ Microsoft Entra ID Device Code Authentication Flow is not restricted🟢⚪

• Contextual name: 🛡️ Device Code Authentication Flow is not restricted🟢⚪
• ID: /ce/ca/azure/microsoft-entra-id/device-code-authentication-flow
• Tags:
  • ⚪ Impossible policy
  • 🟢 Policy with categories
  • 🟢 Policy with type
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Description

Open File

Description

Conditional Access Policies can be used to prevent the device code authentication flow. Device code flow should be permitted only for users who regularly perform duties that explicitly require the use of device code to authenticate, such as using Azure with PowerShell.

Rationale

Attackers use device code flow in phishing attacks and, if successful, can gain access and refresh tokens scoped to user_impersonation, which can perform any action the user has permission to perform.

Impact

Microsoft Entra ID P1 or P2 is required.

This policy should be tested using the Report-only mode before implementation. Without a full and careful understanding of the accounts and personnel who require Device code authentication flow, implementing this policy can block authentication for users and devices who rely on Device code flow. For users and devices that rely on device code flow authentication, more secure alternatives should be implemented wherever possible.

Audit

From Azure Portal

1. In the Azure portal, open the portal menu in the upper left and select Microsoft Entra ID.

... see more

Remediation

Open File

Remediation

From Azure Portal

Part 1 of 2 - Create the policy and enable it in Report-only mode

1. In the Azure portal, open the portal menu in the upper left and select Microsoft Entra ID.
2. Scroll down in the menu on the left and select Security.
3. On the left, select Conditional Access.
4. Select Policies.
5. Click the + New policy button, then:
6. Provide a name for the policy.
7. Under Assignments, select Users, then:
   • Under Include, select All users.
   • Under Exclude, check Users and groups and only select emergency access accounts.
8. Under Assignments, select Target resources, then:
   • Under Include, select All cloud apps.
   • Leave Exclude blank unless you have a well-defined exception.
9. Under Conditions > Authentication Flows, set Configure to Yes, then:
   • Select Device code flow.
   • Select Done.
10. Under Access Controls > Grant, select Block Access.
11. Set Enable policy to Report-only.
12. Click Create.

Allow some time to pass to ensure the sign-in logs capture relevant conditional access events. These events will need to be reviewed to determine if additional considerations are necessary for your organization (e.g. many legitimate use cases of device code authentication are observed).

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 5.2.3 Ensure that an exclusionary device code flow policy is considered (Manual)			1		no data
💼 Cloudaware Framework → 💼 General Access Controls			12		no data