NEW Security Setting!
Only available with Entra ID P1 (Business Premium) or Entra ID P2 (E5) licenses.
Before enabling this setting, ensure your users are appropriately licensed.
Summary
Device code flow lets users sign in to devices that lack local input capabilities, such as shared devices or digital signage, by completing the sign-in on a second device. It is a high-risk authentication method: it can be abused in phishing attacks or used to access corporate resources from unmanaged devices.
Enabling this policy may affect legitimate scenarios that rely on device code authentication, including Azure CLI sign-ins, Android-based conference room devices, developer tools, scripts, automation workflows, and certain third-party applications. Before enabling the policy, validate any existing use cases that may depend on device code flow authentication. If device code flow is required for specific business scenarios, consider creating a custom policy with appropriate exclusions.
This setting uses Conditional Access policies and is therefore not compatible with Security Defaults (the MFA setting).
Setting available configurations
Enabled: Creates a Conditional Access policy in the tenant, targeting all users and all resources (formerly "All cloud apps"), that blocks sign-in attempts using device code flow authentication. Policy name: "Block device code flow authentication (OP)"
Disabled: Removes the Conditional Access policy created by Office Protect, if any. Office Protect will not delete Conditional Access policies it did not create.
Do not modify (ignore): We will neither monitor nor attempt to modify the organization's Block Device Code Flow Authentication policies. We recommend this option if you prefer a customized policy, so that Office Protect does not overwrite your customization.
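The policy described above, expressed as a Microsoft Graph Conditional Access request body, as an added example (not Office Protect's own code): the builder supports report-only mode for validating existing device code use before enforcing, and an optional group exclusion for a custom policy; the selection helper mirrors the "Disabled" behaviour of touching only the policy with the Office Protect display name. The group ID, sample policies and the Graph permission used are assumptions for illustration.

```python
import json
import urllib.request

# Display name the page gives for the policy Office Protect creates.
OP_POLICY_NAME = "Block device code flow authentication (OP)"
GRAPH_CA_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_block_device_code_policy(display_name=OP_POLICY_NAME, state="enabled",
                                   exclude_groups=()):
    """Return the Graph request body for a Conditional Access policy that blocks
    device code flow for all users on all resources.

    state: "enabled", "disabled" or "enabledForReportingButNotEnforced"
           (report-only, useful to surface legitimate device code sign-ins first).
    exclude_groups: object IDs of groups to exempt, e.g. a group holding
           automation accounts that must keep using device code flow (assumed).
    """
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
            "applications": {"includeApplications": ["All"]},
            # The authenticationFlows condition is what targets device code flow.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def select_op_policies(existing_policies):
    """From a list of policies (shape of GET .../conditionalAccess/policies 'value'),
    return the IDs of only those Office Protect would have created, matched by the
    exact display name, so customized policies are left untouched."""
    return [p["id"] for p in existing_policies if p.get("displayName") == OP_POLICY_NAME]


def post_policy(access_token, body):
    """Create the policy via Microsoft Graph using a token that carries the
    Policy.ReadWrite.ConditionalAccess permission. Not called at import time."""
    req = urllib.request.Request(
        GRAPH_CA_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```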
The resulting policy can be found in the Entra ID admin portal under Protection > Conditional Access > Policies.
Microsoft documentation:
Learn more about device code flow policies
What is Conditional Access
