# Configuring Entra ID CA Policies for Authentication Flows
**Field****Details**
Document Type Configuring Entra ID CA Policies for Authentication Flows
Applies To Microsoft Entra ID, Conditional Access policy
Audience 2nd Line / Entra ID Admins / IT Engineer
Author AK. Udofeh
Last Updated May 2026
##### **Overview** This guide outlines how to configure Conditional Access policies in Microsoft Entra ID to control: \* Device Code Flow \* Authentication Transfer These authentication methods can introduce elevated phishing and unmanaged device risks if not explicitly governed. ##### **Device Code Flow** Device Code Flow is similar to signing in to Netflix or Xbox on a Smart TV, where the TV displays a code and instructs the user to complete sign-in on another device such as a phone or laptop. Once authentication is completed, the Smart TV is automatically signed in. Example: Example: Go to [https://microsoft.com/devicelogin](https://microsoft.com/devicelogin) or [https://www.netflix.com/tv2](https://www.netflix.com/tv2) and enter this code. ##### **Authentication Transfer** Authentication Transfer is similar to being signed in on Device A and then scanning a QR code using Device B, allowing the authenticated session or trust to be transferred so that Device B becomes signed in without performing a full standalone authentication process again. This guide demonstrates how to govern these flows using Conditional Access policies to reduce exposure to indirect authentication attacks. ##### **Prerequisites** \* Microsoft Entra ID P1 or higher \* Conditional Access Administrator role \* Emergency / break-glass accounts identified \* Access to Microsoft Entra admin center **Step 1: Create New Conditional Access Policy** 1. Sign in to the Microsoft Entra admin center 2. Navigate to: **Entra ID > Protection > Conditional Access > Policies** 3. Select **+ New policy** 4. Enter a policy name: \* Example: CA - Block Authentication Flows **Step 2: Configure User Scope** Under **Assignments → Users**: \* Include: All users (recommended) \* Exclude: \* Emergency access accounts \* Break-glass administrator accounts

Avoid applying policies to all accounts without exclusions.

**Step 3: Configure Target Resources** Under **Assignments → Target resources**: \* Select: \*. **All cloud apps** This ensures consistent enforcement across Microsoft 365 resources. **Step 4: Configure Authentication Flows** 1. Navigate to: **Conditions > Authentication flows** 2. Set: \* **Configure = Yes** 1. Select required flows: \* Device Code Flow \* Authentication Transfer 2. Click **Done** **Step 5: Configure Access Control** Under **Access controls → Grant**: \* Select: \* Block access \* Click **Select** This blocks authentication attempts using the selected flows. **Step 6: Enable Report-Only Mode** Before enforcement: \* Set policy state to: \* **Report-only** \* Click **Create** This allows impact analysis without disrupting users. ##### **Validation** Review: \* **Entra ID > Monitoring > Sign-in logs** Validate: \* Impacted users \* Authentication flow usage \* Conditional Access evaluation results Monitor for: \* Developer tooling dependencies \* Shared device authentication \* QR-based onboarding scenarios ##### **Enforcement** Once validated: 1. Edit the Conditional Access policy 2. Change: \* **Report-only > On** 3. Continue monitoring sign-in activity and failures post-deployment. ##### **️ Flow Overview** User Authentication Attempt \* Authentication Flow Detection \* Conditional Access Evaluation \* Block / Allow Decision \* Resource Access Outcome Security Control Points: · Device Code Flow restriction · Authentication Transfer restriction · Sign-in logging and monitoring ##### **Summary** This configuration strengthens Microsoft Entra ID security posture by restricting high-risk authentication flows commonly associated with phishing and indirect access scenarios.