Protect the Device Code Authorisation Flow With Conditional Access

Conditional Access policies have been expanding in Microsoft Entra to enable you to control how your organization uses particular authentication and authorization protocols and grants.

This is done through the Authentication flows condition in Conditional Access. In this post, I will show you how to implement a condition to target the device code authentication flow with Conditional Access policies.

Note: this feature is currently in preview and may not yet work as expected.

What is the device code flow?

The device code (or device authorisation) grant flow is a process that enables devices with limited input functionality (such as TVs, printers, or other IoT devices) to sign a user in to Microsoft Entra ID and obtain an access token on that user's behalf.

The process happens in a series of steps:

1. The user starts the application on the device and initiates a sign-in.

2. The device sends an authorisation request to the /oauth2/v2.0/devicecode endpoint for the target tenant (or the common endpoint).

3. A device code, a user code, the verification URL, an expiry time and a minimum polling interval are sent back to the device.

4. The app presents the user with the verification URL and user code and asks them to navigate to the URL in a browser and complete the sign-in there.

5. While the user is signing in, the app polls the token endpoint (/oauth2/v2.0/token) with its device code, waiting at least the returned interval between requests. Until the user has finished, the endpoint answers authorization_pending; once the sign-in is complete, the authorisation server responds with an access token. If the user never completes the sign-in, the device code expires.

6. The device can then interact with the relevant Microsoft services as the user.
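To make the exchange above concrete, here is an added example (not code from the original post) that simulates both sides of the device code grant offline: a toy authorization server standing in for the tenant's /devicecode and /token endpoints, and the client polling loop. The response field names follow what the Microsoft identity platform returns (user_code, device_code, verification_uri, expires_in, interval, message, and the authorization_pending / slow_down / expired_token / access_denied errors); the server, the clock, the client id, the scope and the user behaviour are constructed for the example.

```python
"""Simulated device code grant: toy authorization server plus the client
polling loop. Field names follow the Microsoft identity platform / RFC 8628;
the server, clock and user behaviour are constructed stand-ins, not Entra."""
import secrets
import string

VERIFICATION_URI = "https://microsoft.com/devicelogin"


class FakeClock:
    """Deterministic clock so the exchange runs offline; sleep() advances time
    and fires any scheduled 'user' actions that have fallen due."""
    def __init__(self):
        self.t, self.scheduled = 0, []

    def now(self):
        return self.t

    def schedule(self, at, action):
        self.scheduled.append((at, action))

    def sleep(self, seconds):
        self.t += seconds
        due = [a for a in self.scheduled if a[0] <= self.t]
        self.scheduled = [a for a in self.scheduled if a[0] > self.t]
        for _, action in sorted(due, key=lambda a: a[0]):
            action()


class ToyAuthorizationServer:
    """Stand-in for the tenant's /oauth2/v2.0/devicecode and /token endpoints."""
    def __init__(self, clock, expires_in=900, interval=5):
        self.clock, self.expires_in, self.interval = clock, expires_in, interval
        self.sessions = {}  # device_code -> session state

    def devicecode(self, client_id, scope):
        # Steps 2-3: device_code is a secret only the device sees; user_code is
        # what a human types into the verification page.
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(string.ascii_uppercase) for _ in range(9))
        self.sessions[device_code] = {"client_id": client_id, "scope": scope,
                                      "user_code": user_code, "issued": self.clock.now(),
                                      "last_poll": None, "status": "pending", "subject": None}
        return {"user_code": user_code, "device_code": device_code,
                "verification_uri": VERIFICATION_URI, "expires_in": self.expires_in,
                "interval": self.interval,
                "message": f"To sign in, use a web browser to open the page {VERIFICATION_URI} "
                           f"and enter the code {user_code} to authenticate."}

    def devicelogin(self, user_code, subject, approve=True):
        # Step 4: whoever presents a valid user_code in a browser and signs in
        # completes the grant; nothing ties that browser to the polling device.
        for s in self.sessions.values():
            if s["user_code"] == user_code and s["status"] == "pending":
                s["status"], s["subject"] = ("approved" if approve else "denied"), subject
                return True
        return False

    def token(self, device_code):
        # Step 5: the device polls with its device_code and receives an RFC 8628
        # error until the user has acted, or until the grant expires.
        s = self.sessions.get(device_code)
        if s is None:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now - s["issued"] > self.expires_in:
            return {"error": "expired_token"}
        too_fast = s["last_poll"] is not None and now - s["last_poll"] < self.interval
        s["last_poll"] = now
        if too_fast:
            return {"error": "slow_down"}
        if s["status"] == "pending":
            return {"error": "authorization_pending"}
        if s["status"] == "denied":
            return {"error": "access_denied"}
        del self.sessions[device_code]  # a device code is single use
        return {"token_type": "Bearer", "scope": s["scope"], "expires_in": 3600,
                "access_token": f"toy-token-for-{s['subject']}"}


def run_device_code_flow(server, clock, client_id, scope, present, poll_interval=None):
    """Client side: request codes, show them, then poll the token endpoint until
    it returns a token, access_denied or expired_token."""
    codes = server.devicecode(client_id, scope)
    present(codes)
    interval = poll_interval or codes["interval"]
    deadline = clock.now() + codes["expires_in"]
    while clock.now() < deadline:
        clock.sleep(interval)
        resp = server.token(codes["device_code"])
        if resp.get("error") == "authorization_pending":
            continue
        if resp.get("error") == "slow_down":
            interval += 5  # RFC 8628: back off by 5 seconds and keep polling
            continue
        return resp
    return {"error": "expired_token"}


def demo(seconds_until_user_acts=12, subject="alice@contoso.example", approve=True):
    """Run the exchange with a constructed user who enters the code after a delay."""
    clock = FakeClock()
    server = ToyAuthorizationServer(clock)

    def present(codes):
        print(codes["message"])  # what the TV or CLI shows the user (step 4)
        clock.schedule(clock.now() + seconds_until_user_acts,
                       lambda: server.devicelogin(codes["user_code"], subject, approve))

    return run_device_code_flow(server, clock, "toy-client-id", "User.Read", present)


if __name__ == "__main__":
    print(demo())
```

Run it and the client polls three times (two authorization_pending answers, then a token) because the constructed user acts 12 seconds after the code is shown. The devicelogin method is the part worth reading twice: the server only checks that the user code is valid and that someone signed in, which is why the page's controls matter.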

Why target the device code flow?

Generally speaking, the device code flow is meant for the IoT devices I mentioned above; while they may need access to Microsoft Entra, they cannot be locked down and secured like devices fully enrolled in an endpoint management solution such as Microsoft Intune. With IoT device attacks on the rise, it is as essential as ever to put tighter restrictions in place when allowing these weakly secured devices to obtain access tokens for your environment and, hence, access your data.

Without additional controls, such as restricting this flow to your corporate network, users may not realise the impact of the seemingly innocent task of signing in to an IoT device with their corporate account. Because the sign-in is completed in a separate browser, the resulting token is issued to whichever client holds the device code, wherever that client is; the sign-in page gives the user no way to see which device will receive it.

Securing the Device Code flow

Enforcing strict controls on the device code flow can quickly be done with Conditional Access. Follow the below steps to configure the device code flow condition.

1. Log in to the Microsoft Entra admin center.

2. Expand Protection and select Conditional Access.

3. Click Policies > New policy.

4. Under Users, I recommend you target all users and exclude your break-glass accounts as usual.

5. Under Target resources, select All cloud apps.

6. On the Conditions tab, select Authentication flows, set Configure to Yes and tick Device code flow.

Enable device code flow

At this point, you should also decide whether to restrict the device code flow by location, which offers the best protection. If so, scope this policy's Locations condition to All trusted locations, and create a second policy that blocks the device code flow from all locations except trusted ones. The result is that the flow is refused outside your network and still subject to the grant controls below inside it.

All trusted locations for device code flow

7. Under Access controls > Grant, consider requiring an authentication strength and requiring the device to be marked as compliant, with Require all the selected controls chosen so both apply. Start the policy in report-only mode, review the sign-in logs, and then switch it to On.
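The same two policies expressed as Microsoft Graph request bodies (POST /identity/conditionalAccess/policies, or the body handed to New-MgIdentityConditionalAccessPolicy -BodyParameter), plus a small audit you can run over an exported policy list to confirm the device code flow is actually covered. This is an added example and not the author's code: the break-glass object ids and the authentication strength id are placeholders, the sample export is constructed, and because the condition is in preview you should confirm the authenticationFlows property name against the Graph API version your tenant exposes.

```python
"""Conditional Access bodies for the device code flow condition, in the JSON
shape Microsoft Graph uses, plus an audit over an exported policy list.
GUIDs below are placeholders; SAMPLE_EXPORT is constructed for the example."""
import json

BREAK_GLASS = ["11111111-1111-1111-1111-111111111111"]  # placeholder: emergency-access account object ids
AUTH_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"  # placeholder: the strength you require (see Get-MgPolicyAuthenticationStrengthPolicy)


def _base(display_name, state):
    """Common part: all users minus break-glass, all cloud apps, device code flow condition."""
    return {
        "displayName": display_name,
        "state": state,  # "enabledForReportingButNotEnforced" (report-only), "enabled" or "disabled"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(BREAK_GLASS)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
    }


def block_device_code_from_untrusted(state="enabledForReportingButNotEnforced"):
    """Policy 1: any location except trusted named locations -> block."""
    p = _base("Block device code flow from untrusted locations", state)
    p["conditions"]["locations"] = {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def restrict_device_code_from_trusted(state="enabledForReportingButNotEnforced"):
    """Policy 2: trusted locations -> require compliant device AND the auth strength."""
    p = _base("Device code flow from trusted locations: compliant device + auth strength", state)
    p["conditions"]["locations"] = {"includeLocations": ["AllTrusted"]}
    p["grantControls"] = {"operator": "AND", "builtInControls": ["compliantDevice"],
                          "authenticationStrength": {"id": AUTH_STRENGTH_ID}}
    return p


def _transfer_methods(policy):
    """transferMethods is a comma-separated flags string, e.g. 'deviceCodeFlow,authenticationTransfer'."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    return {m.strip() for m in (flows.get("transferMethods") or "").split(",") if m.strip()}


def covers_device_code(policy):
    """Enforced, targets all users and all apps, and carries the device code condition."""
    c = policy.get("conditions") or {}
    return (policy.get("state") == "enabled"
            and "deviceCodeFlow" in _transfer_methods(policy)
            and "All" in (c.get("users") or {}).get("includeUsers", [])
            and "All" in (c.get("applications") or {}).get("includeApplications", []))


def audit(policies):
    """Findings over an exported list (e.g. GET /identity/conditionalAccess/policies)."""
    covering = [p for p in policies if covers_device_code(p)]
    blocks_untrusted = any(
        "block" in (p.get("grantControls") or {}).get("builtInControls", [])
        and "AllTrusted" in (p["conditions"].get("locations") or {}).get("excludeLocations", [])
        for p in covering)
    missing_break_glass = [p["displayName"] for p in covering
                           if not set(BREAK_GLASS) <= set(p["conditions"]["users"].get("excludeUsers", []))]
    not_enforced = [p["displayName"] for p in policies
                    if "deviceCodeFlow" in _transfer_methods(p) and p.get("state") != "enabled"]
    return {"covering": [p["displayName"] for p in covering],
            "blocks_untrusted": blocks_untrusted,
            "missing_break_glass_exclusion": missing_break_glass,
            "not_enforced": not_enforced}


# Constructed sample export: both policies switched on, one stale report-only
# copy of the block policy, and an unrelated MFA policy with no flow condition.
SAMPLE_EXPORT = [
    block_device_code_from_untrusted("enabled"),
    restrict_device_code_from_trusted("enabled"),
    block_device_code_from_untrusted(),
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print(json.dumps(block_device_code_from_untrusted(), indent=2))
    print(json.dumps(audit(SAMPLE_EXPORT), indent=2))
```

The audit deliberately treats report-only and disabled policies as not covering the flow, and it lists them separately under not_enforced so a policy that was never switched on after testing shows up as a gap rather than as coverage.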

Testing with Microsoft Graph PowerShell

The simplest way for me to test our new Conditional Access policy is to use the device code login flow feature in Microsoft Graph PowerShell. If you haven’t installed Microsoft Graph PowerShell, check out my post here: How To Install the Microsoft Graph PowerShell Module.

Start by entering the following command to launch the login sequence:

Connect-MgGraph -UseDeviceCode

You will receive a response on your screen with the URL and user code, as depicted earlier in the device code flow steps.

Graph PowerShell UseDeviceCode

Navigate to https://microsoft.com/devicelogin and when prompted, enter your user code.

Enter the device code

If the user code is accepted, you will be prompted to log in with your corporate account. Follow the steps on the screen to log in.

If the device you are signing in from does not satisfy the grant controls defined in the Conditional Access policy (for example, it is not marked compliant in Intune), the sign-in is blocked and the device never receives an access token; the Connect-MgGraph command fails instead of connecting.

Device code login flow failure

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
