Locking Down Device Code Flow: How (and Why) to Block It With Microsoft Entra Conditional Access


When Microsoft first introduced device code flow, it offered developers a clever way to sign in on devices with limited input options—think smart TVs and IoT hardware with no browser. Fast-forward to today, however, and that once-handy flow has become a popular entry point for adversaries who abuse it to bypass defenses such as Multi-Factor Authentication (MFA) prompts or user-risk policies.

That’s why Microsoft now recommends most organizations block or tightly restrict device code flow wherever possible. The good news? You can do exactly that (and more) with Conditional Access (CA) policies in Microsoft Entra. In this post we’ll walk through:

  • Why device code flow is risky (and why you should audit it first)
  • How to block device code flow in a phased, low-risk manner
  • How to block authentication transfer to prevent users from hopping an auth session from desktop to mobile
  • Best-practice tips for ongoing monitoring and exception handling

1. Why Device Code Flow Deserves a Second Look

Device code flow trades convenience for control. Instead of the OAuth browser dance we all know, users get a numeric code on the low-capability device, then head to https://microsoft.com/devicelogin on a second device to finish signing in. Attackers love it because:

  • No browser context: Browser-based detections (and certain MFA prompts) never fire.
  • Less user visibility: End-users often have no visual cue that something fishy is happening.
  • Token reuse: Once a refresh token is issued it may be valid on any device, making lateral movement easier.

Unless you have a critical, well-understood use case—say, a legacy smart kiosk you can’t update—there’s rarely a reason to leave this door open.


2. Audit First, Block Second (Report-Only Mode FTW)

Before slamming the door shut, put your policy in Report-only mode to see who will be affected. You’ll catch that one forgotten integration a team spun up three years ago—before your phone lights up.

Step-By-Step: Block Device Code Flow With CA

Baseline: You’re a Conditional Access Administrator in Microsoft Entra.
  1. Sign in to the Entra admin center  →  Protection ▸ Conditional Access ▸ Policies.
  2. Select New policy and give it a clear name such as Block – Device Code Flow.
  3. Assignments ▸ Users or workload identities
    Include: All users (recommended)
    Exclude: break-glass / emergency accounts (audit this list regularly)
  4. Target resources ▸ Include: All resources (formerly “All cloud apps”).
  5. Conditions ▸ Authentication Flows  →  Configure: Yes  →  Device code flow  →  Done.
  6. Access controls ▸ Grant  →  Block access  →  Select.
  7. Enable policy  →  Report-only (for now)  →  Create.

Flip the Switch

Once your policy impact reports show no unexpected usage, edit the policy and change Enable policy from Report-only to On. Congratulations—you’ve just neutered a major phishing avenue.


3. Blocking Authentication Transfer (Optional but Powerful)

Authentication transfer lets users move an existing sign-in from one device (e.g., a managed PC) to another (e.g., personal phone) by scanning a QR code. That’s handy—unless your compliance rules forbid corporate mail on BYOD or you simply don’t trust unmanaged endpoints.

Create a second CA policy (or extend the first) to block this flow:

  1. Protection ▸ Conditional Access  →  Create new policy (e.g., Block – Auth Transfer).
  2. Assignments ▸ Users
    Include: desired users/groups
    Exclude: break-glass / emergency accounts
  3. Target resources ▸ Include: All resources (or specific apps like Outlook).
  4. Conditions ▸ Authentication Flows  →  Configure: Yes  →  Authentication transfer  →  Done.
  5. Grant  →  Block access  →  Select.
  6. Enable policy: On (this flow is less commonly used, so you can usually enable immediately).
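The same two policies expressed as Microsoft Graph request bodies, as an added example (not code from the original post or from Microsoft). The endpoint and the `transferMethods` values are Graph's own; the break-glass object ID is a placeholder and the helper names are mine. Passing both methods at once gives the "extend the first policy" variant mentioned above.

```python
import json

# Real Graph endpoint; this script only builds the request bodies (offline).
GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Placeholder, not from the page: object IDs of your break-glass accounts.
BREAK_GLASS_IDS = ("00000000-0000-0000-0000-000000000000",)

# Allowed values of conditions.authenticationFlows.transferMethods in Graph.
VALID_TRANSFER_METHODS = {"deviceCodeFlow", "authenticationTransfer"}


def build_block_policy(display_name, transfer_methods, report_only=True,
                       exclude_user_ids=BREAK_GLASS_IDS, include_apps=("All",)):
    """Body for POST GRAPH_CA_POLICIES, mirroring the portal steps above:
    all users minus break-glass, all resources, Authentication Flows =
    transfer_methods, Grant = Block, state Report-only (step 7) or On.
    Pass both methods to get the "extend the first policy" variant."""
    bad = set(transfer_methods) - VALID_TRANSFER_METHODS
    if bad:
        raise ValueError(f"unsupported transfer method(s): {sorted(bad)}")
    # Guard rail: a tenant-wide block with no exclusions can lock out admins.
    if not exclude_user_ids:
        raise ValueError("refusing to build a block policy with no excluded accounts")
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": list(include_apps)},
            # Graph takes the flags as one comma-separated string.
            "authenticationFlows": {"transferMethods": ",".join(transfer_methods)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def flip_the_switch_patch():
    """PATCH body for GRAPH_CA_POLICIES/{id} once report-only shows no surprises."""
    return {"state": "enabled"}


if __name__ == "__main__":
    print(json.dumps(build_block_policy("Block - Device Code Flow",
                                        ["deviceCodeFlow"]), indent=2))
    print(json.dumps(build_block_policy("Block - Auth Transfer",
                                        ["authenticationTransfer"],
                                        report_only=False), indent=2))
```

To target specific apps instead of All resources (step 3 of the auth-transfer policy), pass their application IDs in `include_apps`.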

4. Ongoing Care and Feeding

Task | Frequency | Why it matters
Review CA sign-in logs for matching device-code or auth-transfer events | Weekly | Catches newly introduced apps or scripts before users notice a breakage.
Audit exclusion lists (break-glass, service accounts) | Quarterly | Dormant accounts are attacker gold mines; remove what you no longer need.
Re-test MFA & session-revocation settings | Semi-annually | Cloud app behavior changes; ensure blocking one flow hasn’t opened another loophole.
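For the weekly log review (and the Report-only impact check from section 2), an added example that is not part of the original post: it triages constructed sign-in records shaped like Graph's signIn resource and groups them by who is still using the flow and what the policy did. The `authenticationProtocol` values, the result strings and the sample accounts are assumptions to verify against your own tenant.

```python
from collections import Counter

# Assumptions: the authenticationProtocol values "deviceCode" and
# "authenticationTransfer" and the appliedConditionalAccessPolicies[].result
# values follow Graph's signIn resource; verify against your own tenant's logs.


def rec(user, app, proto, result=None, policy="Block - Device Code Flow"):
    """Constructed, minimal signIn-shaped record (sample data, not real logs)."""
    applied = [{"displayName": policy, "result": result}] if result else []
    return {"userPrincipalName": user, "appDisplayName": app,
            "authenticationProtocol": proto,
            "appliedConditionalAccessPolicies": applied}


SAMPLE_SIGNINS = [  # constructed accounts and apps
    rec("alice@contoso.example", "Microsoft Office", "deviceCode", "reportOnlyFailure"),
    rec("kiosk-svc@contoso.example", "Kiosk Signage App", "deviceCode", "reportOnlyFailure"),
    rec("kiosk-svc@contoso.example", "Kiosk Signage App", "deviceCode", "reportOnlyFailure"),
    rec("bob@contoso.example", "Outlook", "authenticationTransfer", "failure",
        policy="Block - Auth Transfer"),
    rec("carol@contoso.example", "Teams", "oAuth2"),
    rec("breakglass@contoso.example", "Azure portal", "deviceCode", "notApplied"),
]


def triage_flow_usage(signins, policy_name, protocols):
    """Group sign-ins that used the given flow(s) by (user, app) and by what
    policy_name did to them:
      would_block  report-only hits: fix or grant an exception before enforcing
      blocked      enforced denials: expected after Flip the Switch
      not_covered  flow used but the policy did not apply (e.g. an excluded
                   account): review the exclusion list."""
    out = {"would_block": Counter(), "blocked": Counter(), "not_covered": Counter()}
    for s in signins:
        if s.get("authenticationProtocol") not in protocols:
            continue
        key = (s["userPrincipalName"], s["appDisplayName"])
        results = {p["result"] for p in s.get("appliedConditionalAccessPolicies", [])
                   if p["displayName"] == policy_name}
        if "failure" in results:
            out["blocked"][key] += 1
        elif "reportOnlyFailure" in results:
            out["would_block"][key] += 1
        else:
            out["not_covered"][key] += 1
    return out


if __name__ == "__main__":
    report = triage_flow_usage(SAMPLE_SIGNINS, "Block - Device Code Flow", {"deviceCode"})
    for bucket, hits in report.items():
        for (user, app), n in hits.most_common():
            print(f"{bucket:12} {n:3}  {user}  via  {app}")
```

Feed it the records returned by Graph's sign-in log query (or an exported CSV converted to the same keys) and the would_block bucket is your list of integrations to fix or exclude before moving the policy from Report-only to On.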

Tip: Tag policies with “🔥 Critical” in their names and add explanatory descriptions. Future admins will thank you at 2 a.m.


Bottom Line

Device code flow was built for a different era of devices and threat models. In 2025, the security return on leaving it enabled is rarely worth the risk. With Conditional Access and a careful roll-out plan using Report-only mode, you can shut that door (and its sibling, authentication transfer) confidently—while keeping an audit trail and graceful exceptions for the rare edge case.

Ready to harden your tenant? Open the Entra portal, create those two policies, and join the growing crowd of orgs that have turned device code flow from “convenient” to “blocked by design.” Your security team—and your users—will sleep better for it.