Conditional Access policies restrict the device code authentication flow, which is commonly abused in phishing campaigns to hijack user sessions. A policy targeting deviceCodeFlow in authentication flow conditions with a block grant control prevents this attack vector.
Risk
Device code flow is heavily exploited in phishing attacks such as the Storm-2372 campaign, where attackers trick users into entering device codes on legitimate Microsoft login pages. Without a blocking policy, attackers can obtain tokens and gain persistent access to organizational resources.
prowler m365 --checks entra_conditional_access_policy_device_code_flow_blocked
Recommendation
Block device code flow via Conditional Access to mitigate phishing attacks that abuse this authentication method. Exclude only break-glass accounts and legitimate service accounts that require device code flow. Regularly review exceptions to minimize the attack surface.
Remediation
- Navigate to the Microsoft Entra admin center at https://entra.microsoft.com.
- Expand Protection > Conditional Access and select Policies.
- Click New policy.
- Under Users, include All users and exclude break-glass accounts.
- Under Target resources, include All cloud apps.
- Under Conditions > Authentication flows, select Device code flow.
- Under Grant, select Block access.
- Set the policy to On and click Create.
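The policy created by the steps above is also expressible as a Microsoft Graph conditionalAccessPolicy object, and the check itself boils down to looking for an enabled policy whose authentication flow condition names deviceCodeFlow and whose grant control is block. The following added example (written for this page, not Prowler's own source) constructs two sample policies in that Graph shape, one enforced and one report-only, and evaluates them the way such a check would. The Graph property names (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`) come from the beta conditionalAccessPolicy schema; the requirement that the policy cover All users and All cloud apps is a stricter reading of the remediation steps and is an assumption of this example, not necessarily the exact logic Prowler applies.

```python
"""Evaluate Conditional Access policies (Microsoft Graph shape) for a device code flow block."""
from typing import Any

# Constructed sample policies in the Graph conditionalAccessPolicy shape
# (beta: POST /identity/conditionalAccess/policies). Values are illustrative,
# not exported from a real tenant.
SAMPLE_POLICIES: list[dict[str, Any]] = [
    {
        "displayName": "Block device code flow",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                # hypothetical break-glass account object id (placeholder value)
                "excludeUsers": ["00000000-0000-0000-0000-000000000001"],
            },
            "applications": {"includeApplications": ["All"]},
            # transferMethods is a comma-separated flags string in Graph
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        # Report-only policies log matches but never block the sign-in
        "displayName": "Report-only: device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def targets_device_code_flow(policy: dict[str, Any]) -> bool:
    """True if the policy's authentication flow condition includes deviceCodeFlow."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    methods = flows.get("transferMethods") or ""
    # e.g. "deviceCodeFlow,authenticationTransfer" -> {"deviceCodeFlow", "authenticationTransfer"}
    return "deviceCodeFlow" in {m.strip() for m in methods.split(",")}


def evaluate_policy(policy: dict[str, Any]) -> list[str]:
    """Return the reasons a policy does NOT fully block device code flow (empty list = it does)."""
    reasons: list[str] = []
    conditions = policy.get("conditions") or {}
    if not targets_device_code_flow(policy):
        reasons.append("authentication flow condition does not include deviceCodeFlow")
    state = policy.get("state")
    if state != "enabled":
        reasons.append(f"policy state is '{state}', not 'enabled'")
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "block" not in controls:
        reasons.append("grant control is not 'block'")
    users = conditions.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        reasons.append("policy does not include all users")
    apps = conditions.get("applications") or {}
    if "All" not in (apps.get("includeApplications") or []):
        reasons.append("policy does not target all cloud apps")
    return reasons


def find_blocking_policies(policies: list[dict[str, Any]]) -> list[str]:
    """Display names of policies that fully block device code flow."""
    return [p.get("displayName", "<unnamed>") for p in policies if not evaluate_policy(p)]


def device_code_flow_blocked(policies: list[dict[str, Any]]) -> bool:
    """The tenant passes when at least one enforced, tenant-wide blocking policy exists."""
    return bool(find_blocking_policies(policies))


if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        gaps = evaluate_policy(p)
        print(f"{p['displayName']}: {'PASS' if not gaps else 'FAIL: ' + '; '.join(gaps)}")
    print("tenant result:", "PASS" if device_code_flow_blocked(SAMPLE_POLICIES) else "FAIL")
```

The report-only policy is the common false sense of security: it matches device code sign-ins and records them in sign-in logs, but the grant control is never enforced, so the evaluator treats it as a finding. In a real run the policies would come from the Graph `/identity/conditionalAccess/policies` endpoint rather than the constructed list.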
Resource Type
NotDefined
Related To
- entra_legacy_authentication_blocked