# Blocking Device Code Flow in Microsoft Entra ID

<table class="MsoNormalTable" id="bkmrk-field-details-docume" style="width: 60.119%; height: 178.781px;" title=""><tbody><tr style="height: 29.7969px;"><td style="width: 22.6115%; height: 29.7969px;">**Field**

</td><td style="width: 77.1905%; height: 29.7969px;">**Details**

</td></tr><tr style="height: 29.7969px;"><td style="width: 22.6115%; height: 29.7969px;">Document Type

</td><td style="width: 77.1905%; height: 29.7969px;">Blocking Device Code Flow in Microsoft Entra ID

</td></tr><tr style="height: 29.7969px;"><td style="width: 22.6115%; height: 29.7969px;">Applies To

</td><td style="width: 77.1905%; height: 29.7969px;">Microsoft Entra ID, Conditional Access policy

</td></tr><tr style="height: 29.7969px;"><td style="width: 22.6115%; height: 29.7969px;">Audience

</td><td style="width: 77.1905%; height: 29.7969px;">2nd Line / Entra ID Admins / IT Engineer

</td></tr><tr style="height: 29.7969px;"><td style="width: 22.6115%; height: 29.7969px;">Author

</td><td style="width: 77.1905%; height: 29.7969px;">AK. Udofeh

</td></tr><tr style="height: 29.7969px;"><td style="width: 22.6115%; height: 29.7969px;">Last Updated

</td><td style="width: 77.1905%; height: 29.7969px;">April 2026

</td></tr></tbody></table>

##### **Overview**

Device Code Flow allows users to authenticate on one device by entering a code on another. While useful for devices with limited input, it introduces significant phishing risk and can enable access from unmanaged devices.

This guide walks through configuring a Conditional Access policy to block Device Code Flow.

##### **Prerequisites**

- Microsoft Entra ID P1 (or higher)
- Conditional Access Administrator (or equivalent role)
- Emergency / break-glass accounts identified

##### **Step 1: Access Conditional Access Policies**

1. Sign in to the Microsoft Entra admin center
2. Navigate to:  
    **Entra ID > Conditional Access > Policies**
3. Select **+ New policy**

##### **Step 2: Define Policy Scope**

**Users**

- Include: **All users (recommended)**
- Exclude: 
    - Emergency access accounts
    - Break-glass accounts

<p class="callout warning">Always keep at least one emergency access account excluded from the policy so that administrators cannot be locked out.</p>

##### **Step 3: Target Resources**

- Select **Target resources (Cloud apps)**
- Include: **All resources (recommended)**

##### **Step 4: Configure Authentication Flow Condition**

1. Navigate to:  
    **Conditions > Authentication Flows**
2. Set **Configure = Yes**
3. Select: 
    - **Device Code Flow**
4. Click **Done**

##### **Step 5: Block Access**

1. Go to:  
    **Access Controls > Grant**
2. Select: 
    - **Block access**
3. Click **Select**

##### **Step 6: Enable in Report-Only Mode (Recommended)**

- Set policy state to: **Report-only**
- Click **Create**

<p class="callout info">In report-only mode the policy is evaluated and its result is recorded in the sign-in logs, but no one is blocked, so impact can be assessed before enforcement.</p>

##### **Step 7: Validate Impact**

- Navigate to:  
    **Monitoring > Sign-in logs**
- Filter by: 
    - Authentication Protocol = Device Code Flow

**Identify:**

- Users
- Applications
- Dependencies

##### **Step 8: Enforce Policy**

Once validated:

- Change the policy state from **Report-only** to **On**
- Monitor the sign-in logs for failures and adjust the exclusions if required
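The same policy as Steps 2 to 6, created through Microsoft Graph PowerShell instead of the portal, as an added example that is not part of this guide. It assumes the Microsoft.Graph PowerShell SDK is installed and that the object ID shown is replaced with your own emergency access account; if your tenant's v1.0 endpoint does not expose the authentication flows condition, the equivalent `New-MgBetaIdentityConditionalAccessPolicy` cmdlet from the Beta module takes the same body.

```powershell
# Added example: build the "Block Device Code Flow" policy from this guide via Microsoft Graph.
# Scope required to create Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object ID(s): replace with your emergency / break-glass account(s) (Step 2 exclusion).
$breakGlassIds = @("00000000-0000-0000-0000-000000000000")

$policy = @{
    displayName = "Block Device Code Flow"
    # Step 6: start in report-only so impact can be assessed from the sign-in logs first.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # Step 2: all users, minus the excluded emergency access accounts.
        users = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds
        }
        # Step 3: all resources.
        applications = @{
            includeApplications = @("All")
        }
        # Step 4: the Authentication Flows condition limited to Device Code Flow.
        authenticationFlows = @{
            transferMethods = "deviceCodeFlow"
        }
    }
    # Step 5: block access.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Step 8: only after validating the report-only results, switch the same policy to enforced.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

The final line is left commented so that the policy is not enforced in the same run that creates it; uncomment it once the report-only review in Step 7 is complete.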

##### **Important Considerations**

- Device Code Flow is often used by: 
    - Azure CLI / PowerShell
    - Teams Rooms / shared devices
- Blocking will affect these scenarios, so confirm their dependencies in the sign-in logs before enforcing

<p class="callout info">Microsoft recommends blocking Device Code Flow unless it is explicitly required.</p>

##### **Best Practices**

- Start in report-only mode
- Keep exclusions minimal and reviewed regularly
- Monitor sign-in logs continuously
- Prefer modern, secure authentication methods

##### **Summary**

Blocking Device Code Flow reduces exposure to phishing attacks that exploit cross-device authentication. This control strengthens identity security by eliminating a high-risk authentication path.