Configuring Entra ID CA Policies for Authentication Flows Field Details Document Type Configuring Entra ID CA Policies for Authentication Flows Applies To Microsoft Entra ID, Conditional Access policy Audience 2nd Line / Entra ID Admins / IT Engineer Author AK. Udofeh Last Updated May 2026 Overview This guide outlines how to configure Conditional Access policies in Microsoft Entra ID to control:  * Device Code Flow  * Authentication Transfer These authentication methods can introduce elevated phishing and unmanaged device risks if not explicitly governed. Device Code Flow Device Code Flow is similar to signing in to Netflix or Xbox on a Smart TV, where the TV displays a code and instructs the user to complete sign-in on another device such as a phone or laptop. Once authentication is completed, the Smart TV is automatically signed in. Example: Example: Go to  https://microsoft.com/devicelogin  or  https://www.netflix.com/tv2 and enter this code. Authentication Transfer Authentication Transfer is similar to being signed in on Device A and then scanning a QR code using Device B, allowing the authenticated session or trust to be transferred so that Device B becomes signed in without performing a full standalone authentication process again. This guide demonstrates how to govern these flows using Conditional Access policies to reduce exposure to indirect authentication attacks.  Prerequisites      *  Microsoft Entra ID P1 or higher    * Conditional Access Administrator role    * Emergency / break-glass accounts identified    * Access to Microsoft Entra admin center Step 1:  Create New Conditional Access Policy 1.  Sign in to the Microsoft Entra admin center 2.  Navigate to: Entra ID > Protection > Conditional Access > Policies 3.  Select + New policy 4.  Enter a policy name:         *    Example: CA - Block Authentication Flows Step 2: Configure User Scope Under Assignments → Users :        *  Include: All users (recommended)         * Exclude:  *   Emergency access accounts  *   Break-glass administrator accounts Avoid applying policies to all accounts without exclusions. Step 3: Configure Target Resources Under Assignments → Target resources : *   Select:      *. All cloud apps This ensures consistent enforcement across Microsoft 365 resources. Step 4: Configure Authentication Flows 1.  Navigate to: Conditions > Authentication flows 2.  Set:      *   Configure = Yes 1.  Select required flows:     * Device Code Flow      * Authentication Transfer 2.  Click Done Step 5:  Configure Access Control Under Access controls → Grant :   * Select:   *  Block access   * Click Select This blocks authentication attempts using the selected flows. Step 6: Enable Report-Only Mode Before enforcement:  *   Set policy state to:  * Report-only   * Click Create This allows impact analysis without disrupting users. Validation Review: *   Entra ID > Monitoring > Sign-in logs Validate: * Impacted users *   Authentication flow usage * Conditional Access evaluation results Monitor for: * Developer tooling dependencies * Shared device authentication * QR-based onboarding scenarios Enforcement Once validated: 1.  Edit the Conditional Access policy 2.  Change: *  Report-only > On 3.  Continue monitoring sign-in activity and failures post-deployment. ️  Flow Overview User Authentication Attempt * Authentication Flow Detection * Conditional Access Evaluation * Block / Allow Decision * Resource Access Outcome Security Control Points: ·   Device Code Flow restriction ·   Authentication Transfer restriction ·   Sign-in logging and monitoring Summary This configuration strengthens Microsoft Entra ID security posture by restricting high-risk authentication flows commonly associated with phishing and indirect access scenarios.