
Block authentication flows with Conditional Access policy

The following steps help you create Conditional Access policies to restrict how device code flow and authentication transfer are used within your organization.

Device code flow policies

We recommend organizations get as close as possible to a unilateral block on device code flow. Before blocking, audit existing use of the flow (a report-only Conditional Access policy, or the authentication protocol recorded in the sign-in logs) and determine whether it's still necessary. Allow device code flow only in well-documented and secured use cases, such as legacy tooling that can't be updated, and scope those exceptions as narrowly as possible.
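To make the audit concrete, here is an added example (not code from the original page or from Microsoft) that summarizes which apps and users still rely on device code flow or authentication transfer, and which of those would break under a block policy. It assumes sign-in records shaped like the Microsoft Graph `signIn` resource (`GET https://graph.microsoft.com/v1.0/auditLogs/signIns`), in particular the `authenticationProtocol`, `appDisplayName`, `userPrincipalName` and `status.errorCode` fields; the records embedded below are constructed for the example, not real tenant data.

```python
"""Audit device code flow / authentication transfer usage from Entra sign-in logs.

Added example, not code from the original page or from Microsoft. Assumes
records shaped like the Graph signIn resource; the sample records below are
constructed, not real tenant data.
"""
import json
from collections import defaultdict

# AADSTS53003: access blocked by Conditional Access. Lets us tell sign-ins
# that an enforced block stopped apart from ones the flow still succeeded on.
CA_BLOCKED_ERROR = 53003

# Constructed sample sign-ins (subset of signIn fields).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Outlook",
     "authenticationProtocol": "authenticationTransfer", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "eve@contoso.example", "appDisplayName": "Legacy Tool",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": CA_BLOCKED_ERROR}},
]


def summarize_flow_usage(signins, protocol):
    """Per-app summary of sign-ins that used `protocol` ("deviceCode" or
    "authenticationTransfer"): distinct users, successes, CA blocks, other failures."""
    summary = defaultdict(
        lambda: {"users": set(), "success": 0, "blocked": 0, "other_failure": 0})
    for s in signins:
        if s.get("authenticationProtocol") != protocol:
            continue
        entry = summary[s.get("appDisplayName", "<unknown>")]
        entry["users"].add(s.get("userPrincipalName", "<unknown>"))
        code = (s.get("status") or {}).get("errorCode", 0)
        if code == 0:
            entry["success"] += 1
        elif code == CA_BLOCKED_ERROR:
            entry["blocked"] += 1
        else:
            entry["other_failure"] += 1
    # Sorted user lists keep the result deterministic and JSON-serialisable.
    return {app: {**v, "users": sorted(v["users"])} for app, v in summary.items()}


def apps_still_using(signins, protocol, allowed_apps=()):
    """Apps with successful use of `protocol` that are not on the documented
    exception list: these are exactly what a block policy would break."""
    usage = summarize_flow_usage(signins, protocol)
    return sorted(app for app, v in usage.items()
                  if v["success"] > 0 and app not in allowed_apps)


if __name__ == "__main__":
    for proto in ("deviceCode", "authenticationTransfer"):
        print(proto, json.dumps(summarize_flow_usage(SAMPLE_SIGNINS, proto), indent=2))
        print("would break:", apps_still_using(SAMPLE_SIGNINS, proto))
```

In a real tenant, pull the records with a filter on `authenticationProtocol` over the last 30 days (or export the sign-in logs to a workspace and run the same grouping there), feed the documented exception list to `apps_still_using`, and only move the block policy from report-only to on once that list is empty.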

For organizations that don't use device code flow, block it with the following Conditional Access policy:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Entra ID > Conditional Access > Policies.
  3. Select New policy.
  4. Under Assignments, select Users or workload identities.
    1. Under Include, select the users you want to be in-scope for the policy (all users recommended).
    2. Under Exclude:
      1. Select Users and groups and choose your organization's emergency access or break-glass accounts and any other necessary users. Audit this exclusion list regularly.
  5. Under Target resources > Resources (formerly cloud apps) > Include, select the apps you want to be in-scope for the policy (All resources (formerly 'All cloud apps') recommended).
  6. Under Conditions > Authentication Flows, set Configure to Yes.
    1. Select Device code flow.
    2. Select Done.
  7. Under Access controls > Grant, select Block access.
    1. Select Select.
  8. Confirm your settings and set Enable policy to Report-only.
  9. Select Create to enable your policy.

After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.

Authentication transfer policies

Use the Authentication flows condition in Conditional Access to manage the feature. Block authentication transfer if you don't want users to transfer authentication from their PC to a mobile device. For example, block authentication transfer if you don't allow Outlook to be used on personal devices by certain groups. Use the following Conditional Access policy to block authentication transfer:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Entra ID > Conditional Access > Policies.
  3. Select New policy.
  4. Under Assignments, select Users or workload identities.
    1. Under Include, select All users or user groups you want to block for authentication transfer.
    2. Under Exclude:
      1. Select Users and groups and choose your organization's emergency access or break-glass accounts and any other necessary users. Audit this exclusion list regularly.
  5. Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps') or apps you want to block for authentication transfer.
  6. Under Conditions > Authentication Flows, set Configure to Yes.
    1. Select Authentication transfer.
    2. Select Done.
  7. Under Access controls > Grant, select Block access.
    1. Select Select.
  8. Confirm your settings and set Enable policy to Report-only.
  9. Select Create to create your policy.

After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.
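Both procedures above produce the same kind of object: a Conditional Access policy whose authentication flows condition names the flow to block and whose grant control is Block access. The following added example (not code from the original page or from Microsoft) builds those policies as Microsoft Graph JSON for both the device code flow and authentication transfer procedures, refuses to build one without a break-glass exclusion, and includes a check that reports whether a flow is actually blocked by an enforced (not report-only) policy in a list of existing policies. It assumes the Graph v1.0 `conditionalAccessPolicy` schema, where `conditions.authenticationFlows.transferMethods` takes `deviceCodeFlow` and/or `authenticationTransfer`; the object ID used for the break-glass account is a placeholder.

```python
"""Build and check Conditional Access policies that block device code flow or
authentication transfer, as Microsoft Graph JSON.

Added example, not code from the original page or from Microsoft. Assumes the
Graph v1.0 conditionalAccessPolicy schema; IDs below are placeholders.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
TRANSFER_METHODS = {"deviceCodeFlow", "authenticationTransfer"}

# Placeholder object ID for an emergency access account (assumption, not a real ID).
BREAK_GLASS_USERS = ["00000000-0000-0000-0000-000000000001"]


def build_block_policy(display_name, transfer_method, exclude_users,
                       include_users=("All",), include_apps=("All",),
                       report_only=True):
    """Mirror the portal steps: users and resources in scope, break-glass
    accounts excluded, authentication flows condition set, grant = block."""
    if transfer_method not in TRANSFER_METHODS:
        raise ValueError(f"unsupported transfer method: {transfer_method}")
    if not exclude_users:
        # Never ship a block policy that can lock out every administrator.
        raise ValueError("exclude at least one emergency access account")
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": list(include_users),
                      "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": list(include_apps)},
            "authenticationFlows": {"transferMethods": transfer_method},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def enforced_blocks(policies, transfer_method):
    """Given policies as returned by GET on GRAPH_CA_POLICIES, return the display
    names of those that are enforced (state "enabled", so not report-only),
    block access, and cover `transfer_method`. transferMethods is a flags enum
    serialised as a comma-separated string, so split it."""
    names = []
    for p in policies:
        flows = (p.get("conditions") or {}).get("authenticationFlows") or {}
        methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
        grant = p.get("grantControls") or {}
        if (p.get("state") == "enabled"
                and transfer_method in methods
                and "block" in (grant.get("builtInControls") or [])):
            names.append(p["displayName"])
    return names


def create_policy(policy, access_token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess).
    Not called in this example so it runs offline."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for method, name in (("deviceCodeFlow", "Block device code flow"),
                         ("authenticationTransfer", "Block authentication transfer")):
        print(json.dumps(build_block_policy(name, method, BREAK_GLASS_USERS), indent=2))
```

The default of `report_only=True` matches the recommended rollout: create in report-only, review the impact, then switch `state` to `enabled`. `enforced_blocks` is the check to run afterwards, because a policy that is still `enabledForReportingButNotEnforced` looks identical in the portal list at a glance but blocks nothing.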