How to Restrict Device Code Flow in Entra ID

Device Code Flow in Entra ID (formerly Azure AD) is an OAuth 2.0 authentication method that allows users to sign in on input-constrained devices. However, attackers can abuse this flow in phishing or brute-force attacks. Restricting it enhances security.

Read the full guide here: janbakker.tech

You Should Know:

1. Disable Device Code Flow in Entra ID (Azure AD)

To restrict Device Code Flow, use PowerShell:

# Connect to Azure AD (the AzureAD module is deprecated; Microsoft Graph PowerShell is its replacement)
Connect-AzureAD

# Disable Device Code Flow for all applications
# Note: Set-AzureADMSAuthorizationPolicy has no device-code or device-join parameters (it manages
# default user role permissions and guest access), so this call does not take effect as written.
# Device Code Flow is blocked with a Conditional Access policy using the "Authentication flows" condition.
Set-AzureADMSAuthorizationPolicy -Id "authorizationPolicy" -DefaultDeviceEnrollmentRestrictions "AllDevices" -AllowedToDeviceJoin $false

2. Enable Conditional Access Policies

Create a Conditional Access policy to block Device Code Flow:

1. Go to Azure Portal → Azure AD → Security → Conditional Access.
2. Create a new policy:
   • Users and groups: Select target users.
   • Cloud apps: Choose All cloud apps.
   • Conditions → Client apps: Enable Mobile apps and desktop clients.
   • Grant: Select Block access.

3. Monitor Suspicious Device Code Requests

Use Microsoft Defender for Identity to detect anomalies:

# Check sign-in logs for Device Code Flow usage (Get-AzureADAuditSignInLogs comes from the AzureADPreview module)
# DeviceDetail is an object, so it is cast to a string and matched with wildcards; without the wildcards
# -like never matches. In Graph sign-in logs the reliable field is authenticationProtocol = deviceCode.
Get-AzureADAuditSignInLogs -Filter "tokenIssuerType eq 'AzureAD'" | Where-Object { "$($_.DeviceDetail)" -like "*DeviceCode*" }
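The same check done over exported sign-in log records, as an added example (not code from the original post or from the linked guide). It assumes records shaped like Microsoft Graph `/auditLogs/signIns` objects, where the `authenticationProtocol` field carries the value `deviceCode` for device code flow sign-ins; the sample records are constructed, and the `fetch_signins` helper only runs when you hand it a token.

```python
"""Find device code flow sign-ins in Entra ID sign-in log records and flag
the ones worth reviewing. Added example, not code from the original post."""
import json
import urllib.request
from collections import defaultdict

# Constructed sample records shaped like Graph /auditLogs/signIns objects.
# Assumption: authenticationProtocol == "deviceCode" marks device code flow
# sign-ins, and a nonzero status.errorCode is a failed sign-in.
SAMPLE_SIGNINS = json.loads("""[
 {"createdDateTime":"2025-01-10T08:02:11Z","userPrincipalName":"alice@contoso.example",
  "appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10",
  "authenticationProtocol":"oAuth2","status":{"errorCode":0},"location":{"countryOrRegion":"NL"}},
 {"createdDateTime":"2025-01-10T08:05:42Z","userPrincipalName":"bob@contoso.example",
  "appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7",
  "authenticationProtocol":"deviceCode","status":{"errorCode":0},"location":{"countryOrRegion":"US"}},
 {"createdDateTime":"2025-01-10T08:06:01Z","userPrincipalName":"bob@contoso.example",
  "appDisplayName":"Microsoft Office","ipAddress":"198.51.100.7",
  "authenticationProtocol":"deviceCode","status":{"errorCode":50199},"location":{"countryOrRegion":"US"}},
 {"createdDateTime":"2025-01-10T09:15:00Z","userPrincipalName":"carol@contoso.example",
  "appDisplayName":"Microsoft Azure CLI","ipAddress":"192.0.2.44",
  "authenticationProtocol":"deviceCode","status":{"errorCode":0},"location":{"countryOrRegion":"NL"}}
]""")


def device_code_signins(records):
    """Return only the records that used the device code flow."""
    return [r for r in records if r.get("authenticationProtocol") == "deviceCode"]


def summarize_by_user(records):
    """Aggregate device code sign-ins per user: outcome counts, source IPs, countries, apps."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0,
                                   "ips": set(), "countries": set(), "apps": set()})
    for r in device_code_signins(records):
        s = summary[r["userPrincipalName"]]
        ok = r.get("status", {}).get("errorCode", 0) == 0
        s["success" if ok else "failure"] += 1
        s["ips"].add(r.get("ipAddress", ""))
        s["countries"].add(r.get("location", {}).get("countryOrRegion", ""))
        s["apps"].add(r.get("appDisplayName", ""))
    return dict(summary)


def flag_suspicious(summary, expected_countries):
    """Users with a successful device code sign-in from outside the expected countries.
    A successful device code sign-in from an unexpected location is the record to
    review first, because the flow is completed from wherever the code was entered."""
    expected = set(expected_countries)
    return sorted(u for u, s in summary.items()
                  if s["success"] > 0 and not s["countries"] <= expected)


def fetch_signins(access_token, top=200):
    """Pull sign-ins from Graph, following @odata.nextLink pages (needs AuditLog.Read.All).
    Network call; not used by the offline demo below."""
    url = f"https://graph.microsoft.com/v1.0/auditLogs/signIns?$top={top}"
    out = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return out


if __name__ == "__main__":
    summary = summarize_by_user(SAMPLE_SIGNINS)
    for user, s in summary.items():
        print(f"{user}: {s['success']} ok / {s['failure']} failed from "
              f"{sorted(s['ips'])} in {sorted(s['countries'])} via {sorted(s['apps'])}")
    print("review:", flag_suspicious(summary, {"NL"}))
```

Treat the country heuristic as a starting point: the list of expected countries comes from your own sign-in baseline, and a user who appears only in failed device code attempts still deserves a look even though the function does not flag them.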

4. Restrict Device Registration

Prevent unauthorized devices from joining:

# Disable device registration for non-admin users
# Note: -UsersPermissionToCreateGroupsEnabled governs group creation, not device registration;
# device registration is controlled under Entra ID > Devices > Device settings ("Users may register their devices").
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $false

5. Use Microsoft Graph API for Automation

Automate Device Code Flow restrictions via Graph API:

# List all Conditional Access policies (requires Policy.Read.All)
curl -X GET "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -H "Authorization: Bearer <ACCESS_TOKEN>"
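The control Microsoft provides for this is a Conditional Access policy whose "Authentication flows" condition is set to Device code flow with a Block grant; it is the same policy object the Graph endpoint above lists. The Python below is an added example (not code from the original post or from the linked guide) that serves sections 1, 2 and 5: it builds that policy body, sanity-checks it, and can create it through Graph when a token is supplied in the `GRAPH_TOKEN` environment variable (an assumed name). The break-glass group id is a placeholder you replace with your own.

```python
"""Build, validate and (optionally) create a Conditional Access policy that
blocks the device code flow through Microsoft Graph. Added example, not code
from the original post."""
import json
import os
import urllib.request

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_device_code_policy(display_name="Block device code flow",
                                   exclude_group_ids=(),
                                   state="enabledForReportingButNotEnforced"):
    """Return the JSON body for a policy with the Authentication flows condition
    (conditions.authenticationFlows.transferMethods = deviceCodeFlow) and a Block
    grant. It starts in report-only mode so sign-in logs show the impact first."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def validate_policy(policy):
    """Checks before submitting; returns a list of problems (empty means fine)."""
    problems = []
    conditions = policy.get("conditions", {})
    if "block" not in policy.get("grantControls", {}).get("builtInControls", []):
        problems.append("grant control is not block")
    methods = conditions.get("authenticationFlows", {}).get("transferMethods", "")
    if "deviceCodeFlow" not in [m.strip() for m in methods.split(",")]:
        problems.append("authenticationFlows does not include deviceCodeFlow")
    if conditions.get("applications", {}).get("includeApplications") != ["All"]:
        problems.append("policy does not target all cloud apps")
    if not conditions.get("users", {}).get("excludeGroups"):
        problems.append("no break-glass exclusion group configured")
    return problems


def create_policy(policy, access_token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess). Network call."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder: object id of your emergency-access (break-glass) group.
    policy = build_block_device_code_policy(exclude_group_ids=["<BREAK-GLASS-GROUP-ID>"])
    print(json.dumps(policy, indent=2))
    issues = validate_policy(policy)
    print("validation:", issues or "ok")
    token = os.environ.get("GRAPH_TOKEN")
    if token and not issues:
        print("created policy", create_policy(policy, token)["id"])
```

Leave the policy in report-only mode until the sign-in logs show no legitimate device code use, then switch `state` to `enabled`; the exclusion group keeps an emergency-access account from being locked out by the block.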

What Undercode Say:

Restricting Device Code Flow is crucial to prevent OAuth-based attacks. Combine Conditional Access, PowerShell automation, and monitoring to secure Entra ID.

Additional Security Commands:

  • Check Azure AD risky sign-ins:
    Get-AzureADRiskyUser -All $true

  • Block legacy authentication:
    # Note: Set-AzureADPolicy also needs -DisplayName and -Type "TokenLifetimePolicy"; a token lifetime
    # policy shortens access tokens but does not block legacy authentication, which is done with Conditional Access.
    Set-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"08:00:00"}}')

  • Audit device registrations:
    # Note: there is no "azure ad audit logs" command; audit events are under Entra ID > Monitoring > Audit logs
    # or the Graph endpoint /auditLogs/directoryAudits.
    azure ad audit logs --query "ActivityDateTime desc" --filter "Category eq 'DeviceManagement'"

Expected Output:

A secure Entra ID environment with restricted Device Code Flow, enforced Conditional Access, and continuous monitoring.

Prediction:

As attackers increasingly exploit OAuth flows, Microsoft will likely enforce stricter Device Code Flow restrictions by default in future Entra ID updates.

References:

Reported By: Jan Bakker – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
