Block authentication flows with Conditional Access policy

The following steps help create Conditional Access policies to restrict how device code flow and authentication transfer are used within your organization.

Device code flow policies

Note

To bolster security posture, Microsoft recommends blocking or restricting device code flow wherever possible.

You should always start by configuring a policy in report-only mode to determine the potential effect on your organization.

We recommend organizations get as close as possible to a unilateral block on device code flow. Organizations should consider creating a policy to audit the existing use of device code flow and determine if it is still necessary.

For organizations that have no established use of device code flow, blocking can be done with the following Conditional Access policy:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Policies.
  3. Select New policy.
  4. Under Assignments, select Users or workload identities.
    1. Under Include, select the users you want to be in-scope for the policy (all users recommended).
    2. Under Exclude:
      1. Select Users and groups and choose your organization's emergency access or break-glass accounts and any other necessary users this exclusion list should be audited regularly.
  5. Under Target resources > Resources (formerly cloud apps) > Include, select the apps you want to be in-scope for the policy (All resources (formerly 'All cloud apps') recommended).
  6. Under Conditions > Authentication Flows, set Configure to Yes.
    1. Select Device code flow.
    2. Select Done.
  7. Under Access controls > Grant, select Block access.
    1. Select Select.
  8. Confirm your settings and set Enable policy to Report-only.
  9. Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

Authentication transfer policies

The ability to control authentication transfer is in preview, use the Authentication flows condition in Conditional Access to manage the feature. You might want to block authentication transfer if you don’t want users to transfer authentication from their PC to a mobile device. For example, if you don’t allow Outlook to be used on personal devices by certain groups. Blocking authentication transfer can be done with the following Conditional Access policy:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select Create new policy.
  4. Under Assignments, select Users or workload identities.
    1. Under Include, select All users or user groups you would like to block for authentication transfer.
    2. Under Exclude:
      1. Select Users and groups and choose your organization's emergency access or break-glass accounts and any other necessary users this exclusion list should be audited regularly.
  5. Under Target resources > Resources (formerly cloud apps) > Include, select All resources (formerly 'All cloud apps') or apps you would like to block for authentication transfer.
  6. Under Conditions > Authentication Flows, set Configure to Yes
    1. Select Authentication transfer.
    2. Select Done.
  7. Under Access controls > Grant, select Block access.
    1. Select Select.
  8. Confirm your settings and set Enable policy to Enabled.
  9. Select Create to create to enable your policy.