The following steps help create Conditional Access policies to restrict how device code flow and authentication transfer are used within your organization.
Device code flow policies
Note
To bolster security posture, Microsoft recommends blocking or restricting device code flow wherever possible.
You should always start by configuring a policy in report-only mode to determine the potential effect on your organization.
We recommend organizations get as close as possible to a unilateral block on device code flow. Organizations should consider creating a policy to audit the existing use of device code flow and determine if it is still necessary.
For organizations that have no established use of device code flow, blocking can be done with the following Conditional Access policy:
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access > Policies.
- Select New policy.
- Under Assignments, select Users or workload identities.
  - Under Include, select the users you want to be in-scope for the policy (All users recommended).
  - Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts and any other necessary users. This exclusion list should be audited regularly.
- Under Target resources > Resources (formerly cloud apps) > Include, select the apps you want to be in-scope for the policy (All resources (formerly 'All cloud apps') recommended).
- Under Conditions > Authentication Flows, set Configure to Yes.
  - Select Device code flow.
  - Select Done.
- Under Access controls > Grant, select Block access.
  - Select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create and enable your policy.
After confirming your settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.
Authentication transfer policies
Use the Authentication flows condition in Conditional Access to manage the feature. You might want to block authentication transfer if you don't want users to transfer authentication from their PC to a mobile device, for example when certain groups aren't allowed to use Outlook on personal devices. Blocking authentication transfer can be done with the following Conditional Access policy:
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access > Policies.
- Select New policy.
- Under Assignments, select Users or workload identities.
  - Under Include, select All users or the user groups you would like to block from authentication transfer.
  - Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts and any other necessary users. This exclusion list should be audited regularly.
- Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps') or the apps you would like to block for authentication transfer.
- Under Conditions > Authentication Flows, set Configure to Yes.
  - Select Authentication transfer.
  - Select Done.
- Under Access controls > Grant, select Block access.
  - Select Select.
- Confirm your settings and set Enable policy to Enabled.
- Select Create to create and enable your policy.
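The two procedures above (blocking device code flow in report-only mode, then blocking authentication transfer) map onto the same policy shape. The following added example, which is not from this page or from Microsoft, builds that policy body in the Microsoft Graph conditionalAccessPolicy layout and runs a simplified local what-if over sample sign-ins so you can see which accounts the block and the report-only state would affect before switching the policy on. The evaluator is a local model for illustration, not the Entra policy engine, and the break-glass account ID is a constructed placeholder.

```python
"""Build and locally sanity-check Conditional Access policies that use the
Authentication flows condition. The payload layout follows the Microsoft Graph
conditionalAccessPolicy resource; evaluate() is a simplified local model."""
import json

FLOWS = {"deviceCodeFlow", "authenticationTransfer"}
STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def build_block_policy(name, flow, break_glass,
                       state="enabledForReportingButNotEnforced"):
    """Policy that blocks `flow` for All users on All resources, excluding the
    break-glass accounts. Refuses to build a policy with no exclusions so an
    enforced policy can never lock every admin out."""
    if flow not in FLOWS or state not in STATES:
        raise ValueError("unknown authentication flow or policy state")
    if not break_glass:
        raise ValueError("exclude at least one emergency access account")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": flow},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def evaluate(policy, user_id, flow):
    """What-if for one sign-in: 'blocked', 'report-only' (would be blocked but
    only logged) or 'allowed'. Assumes the target app is in scope (All)."""
    cond = policy["conditions"]
    in_scope = (cond["users"]["includeUsers"] == ["All"]
                and user_id not in cond["users"]["excludeUsers"]
                and flow == cond["authenticationFlows"]["transferMethods"])
    if not in_scope or policy["state"] == "disabled":
        return "allowed"
    return "blocked" if policy["state"] == "enabled" else "report-only"


if __name__ == "__main__":
    break_glass = ["00000000-0000-0000-0000-000000000001"]  # constructed placeholder
    dcf = build_block_policy("Block device code flow", "deviceCodeFlow", break_glass)
    xfer = build_block_policy("Block authentication transfer",
                              "authenticationTransfer", break_glass, state="enabled")
    print(json.dumps(dcf, indent=2))
    for user in ("alice", break_glass[0]):
        print(user, evaluate(dcf, user, "deviceCodeFlow"),
              evaluate(xfer, user, "authenticationTransfer"))
```

Run the what-if against the accounts you expect to be exempt before moving the device code flow policy from report-only to On, and keep the exclusion list short and reviewed.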