General
This check verifies whether Conditional Access policies are in place to protect against Device Code Flow authentication.
Rationale
Device Code Flow authentication exists to allow devices where username and password authentication doesn't work — such as Smart TVs and IoT devices — a way to sign in to Microsoft 365. However, there are known cases where cybercriminals abuse this feature to gain and/or maintain access to an account.
By default, Attic creates the conditional access policy in report-only mode. This gives visibility into where Device Code Flow authentication is actually used, so that legitimate use can be identified and excluded before the policy is switched to blocking mode.
Attic Fix
A fix is available for this check! It will be offered through a ticket in Attic, after which you can accept it.
Manual instructions
Follow these steps to adjust the setting:
- Open the Entra admin center via https://entra.microsoft.com
- Go to Protection > Conditional Access > Policies
- Click New Policy
- Under Assignments, select Users or workload identities
- Under Include, select All users
- Under Target resources > Resources (formerly cloud apps) > Include: select All resources
- Under Conditions > Authentication flows set Configure to Yes
- Select Device code flow
- Click Done
- Under Access controls > Grant, select Block access. Click Select
- Confirm the settings and set Enable Policy to Report-Only
- Click Create to enable the policy
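The same policy can be created from the command line with the Microsoft Graph PowerShell SDK. The following is an added example, not Attic's fix or Microsoft's reference code: it mirrors the portal steps above (all users, all resources, the Device code flow authentication flow, Block access, report-only). It assumes the Microsoft.Graph.Identity.SignIns module is installed in a version that exposes the authenticationFlows condition, that the signed-in admin is granted the Policy.ReadWrite.ConditionalAccess scope, and the function name, parameter names and the group-ID placeholder are this example's own.

```powershell
# Added example (not Attic's fix): create the Conditional Access policy from the
# manual steps above with the Microsoft Graph PowerShell SDK.
# Assumed: Microsoft.Graph.Identity.SignIns is installed and supports the
# authenticationFlows condition; the caller holds Policy.ReadWrite.ConditionalAccess.
function New-DeviceCodeFlowBlockPolicy {
    param(
        [string]$DisplayName = 'Block Device Code Flow (report-only)',

        # Start in report-only (enabledForReportingButNotEnforced); switch to
        # 'enabled' once legitimate device-code use has been excluded.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled')]
        [string]$State = 'enabledForReportingButNotEnforced',

        # Object IDs of groups whose legitimate Device Code Flow use was
        # identified during the report-only phase. Empty by default.
        [string[]]$ExcludeGroupIds = @()
    )

    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            # Assignments > Users or workload identities > Include: All users
            users = @{
                includeUsers  = @('All')
                excludeGroups = $ExcludeGroupIds
            }
            # Target resources > Resources > Include: All resources
            applications = @{
                includeApplications = @('All')
            }
            # Conditions > Authentication flows > Device code flow
            # (transferMethods is a flag enum serialised as a comma-separated string)
            authenticationFlows = @{
                transferMethods = 'deviceCodeFlow'
            }
        }
        # Access controls > Grant > Block access
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('block')
        }
    }

    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

# Report-only first, matching the default Attic applies.
New-DeviceCodeFlowBlockPolicy

# After reviewing the report-only results, enforce the block, excluding the
# groups you identified. '<group-object-id>' is a placeholder, not a real ID.
# New-DeviceCodeFlowBlockPolicy -DisplayName 'Block Device Code Flow' `
#     -State enabled -ExcludeGroupIds @('<group-object-id>')
```

If your installed v1.0 module does not accept the authenticationFlows condition, the beta module (Microsoft.Graph.Beta.Identity.SignIns, cmdlet New-MgBetaIdentityConditionalAccessPolicy) takes the same body; check the Insights and reporting view for the policy in the Entra admin center before moving the state to enabled.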