Stopping Device Code Flow Attacks in Entra ID

As observed by Microsoft, device code flow attacks have been used at scale, with attackers leveraging messaging platforms and convincing social engineering to obtain valid access tokens. Once established, those tokens enable threat actors’ access to email, files and collaboration services without triggering traditional phishing alerts.

Device code flow was designed to address a practical limitation. Some systems cannot present a browser, accept credentials, or support interactive sign-in. In these cases, authentication is split across devices: a short code is displayed, and the user completes sign-in elsewhere. Once approved, the requesting device receives access tokens and continues operating without further interaction.

This approach is widely used, standards-based, and enabled by default across many Microsoft Entra tenants. Unfortunately, it has also become a reliable entry point for attackers who understand how to manipulate user trust within legitimate identity workflows.

When Legitimate Authentication Becomes an Attack Path

Device code flow separates the requesting client from the authenticating user. That separation is intentional, but it also removes context from the decision the user is making.

In an attack scenario, an adversary initiates a valid device code request and persuades a user to complete it. The user is directed to Microsoft’s genuine device login page. Once there, the code they’re given is valid, and multi-factor authentication proceeds as expected. From the user’s perspective, the process feels routine. However, from the attacker’s perspective, the outcome is a fully authenticated session backed by legitimate tokens. No credentials are stolen. No spoofed infrastructure is required. Access is granted through normal identity operations, with the attacker positioned on the receiving end of the flow.

Why This Goes Unnoticed

Many organisations focus their identity controls on interactive browser sign-ins. Conditional Access policies are commonly scoped around known client types, trusted applications, or standard user workflows. Device code flow often sits outside these assumptions.

When non-interactive authentication paths are excluded, intentionally or otherwise, device code flow can operate with fewer checks. Entra records a successful sign-in, MFA is satisfied, and the session appears legitimate in isolation. Without additional context, security teams are left with little to distinguish a routine automation task from an attacker-driven login.

Closing The Gap with Conditional Access

The most effective response to this attack pattern is to address it at the policy layer. Microsoft Entra ID allows administrators to control authentication flows explicitly, including the ability to block device code flow entirely.

Where device code flow is not required, disabling it removes the attack vector outright. Even if a user enters a valid code, token issuance is prevented and the session never materialises.

Where the flow is necessary, restrictions should be deliberate and narrow. Conditional Access policies must include non-browser and “other” client types, enforce device compliance, and require strong authentication methods. This ensures that device code authentication is subject to the same scrutiny as any other sign-in.
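As an added example (not Threatscape's or Microsoft's code), the following Python audit takes Conditional Access policies in the JSON shape Microsoft Graph returns and reports whether device code flow is actually blocked tenant-wide; the two policies at the bottom are constructed samples showing the browser-only gap and the explicit block.

```python
# Added example, not Threatscape's or Microsoft's code. Audits Entra Conditional
# Access policies in the JSON shape Microsoft Graph returns from
# GET /identity/conditionalAccess/policies and answers one question: is device
# code flow blocked tenant-wide? The two policies at the bottom are constructed.

def reaches_device_code(policy: dict) -> bool:
    """True when an enforced, tenant-wide policy is certain to apply to device code sign-ins."""
    if policy.get("state") != "enabled":
        return False                          # disabled / report-only never enforces
    cond = policy.get("conditions") or {}
    if "All" not in (cond.get("users") or {}).get("includeUsers", []):
        return False                          # scoped to a subset of users
    if "All" not in (cond.get("applications") or {}).get("includeApplications", []):
        return False                          # scoped to a subset of apps
    flows = cond.get("authenticationFlows") or {}
    if "deviceCodeFlow" in (flows.get("transferMethods") or ""):
        return True                           # explicit authentication-flow condition
    # Without a flow condition, only a policy that covers every client app type is
    # certain to see device code sign-ins; a browser-only policy never does.
    return "all" in (cond.get("clientAppTypes") or [])

def blocks_device_code(policy: dict) -> bool:
    """True when the policy reaches device code sign-ins and denies them outright."""
    grant = policy.get("grantControls") or {}
    return reaches_device_code(policy) and "block" in (grant.get("builtInControls") or [])

def audit(policies: list) -> list:
    """Names of the policies that close the gap; an empty list means it is open."""
    return [p["displayName"] for p in policies if blocks_device_code(p)]

# Constructed sample 1: a typical browser-only MFA policy. Device code sign-ins fall
# outside its client-app scope, which is the blind spot the article describes.
BROWSER_ONLY_MFA = {
    "displayName": "Require MFA for browser sign-in", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["browser"]},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
# Constructed sample 2: the explicit block for tenants that do not need the flow.
BLOCK_DEVICE_CODE = {
    "displayName": "Block device code flow", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeApplications": ["All"]},
                   "clientAppTypes": ["all"],
                   "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}
```

Run `audit()` over the live Graph response; a report-only copy of the block policy is deliberately reported as not closing the gap.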

Managing Risk Where Device Code Flow is Required

Some environments rely on device code flow for legitimate operational reasons. In those cases, security depends on visibility and constraint.

Access should be limited to clearly defined user groups and applications. Devices should be managed and compliant. Authentication strength should align with the sensitivity of the resources being accessed. Sign-in logs should be reviewed for unexpected usage patterns, particularly where device code flow appears outside known operational contexts.

When these controls are in place, device code flow becomes predictable and auditable rather than open-ended.
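The sign-in log review described above, as an added example that is not part of the original post: a Python triage over constructed Entra sign-in records that flags successful device code sign-ins outside a known operational baseline. Field names follow the Microsoft Graph signIn resource; the baseline pairs, identities and GUIDs are all assumptions made for the example.

```python
# Added example, not Threatscape's or Microsoft's code: triage Entra sign-in records
# for device code flow use outside a known operational baseline. Field names follow
# the Microsoft Graph signIn resource (authenticationProtocol is in the beta schema and
# appears as AuthenticationProtocol in Log Analytics SigninLogs). All data is constructed.

# Where device code flow is expected: (user, appId) pairs, e.g. a service account
# running a CLI on a headless build host. Constructed values.
KNOWN_DEVICE_CODE_USE = {
    ("svc-build@contoso.example", "11111111-1111-1111-1111-111111111111"),
}

def triage(records: list, baseline: set = KNOWN_DEVICE_CODE_USE) -> list:
    """One finding per successful device code sign-in that is outside the baseline,
    rated by how little of the expected control context the record carries."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue                                  # not a device code sign-in
        if (r.get("status") or {}).get("errorCode", 1) != 0:
            continue                                  # failed: no token was issued
        key = (r.get("userPrincipalName", "").lower(), r.get("appId"))
        if key in baseline:
            continue                                  # expected operational use
        reasons = ["device code flow outside known baseline"]
        if not (r.get("deviceDetail") or {}).get("isCompliant"):
            reasons.append("requesting device not compliant")
        if r.get("conditionalAccessStatus") != "success":
            reasons.append("no Conditional Access policy applied")
        findings.append({"user": key[0], "app": r.get("appDisplayName"),
                         "ip": r.get("ipAddress"), "reasons": reasons,
                         "severity": "high" if len(reasons) > 1 else "medium"})
    return findings

# Constructed sample records: baseline automation, an unexpected user completing a
# device code sign-in, and an ordinary interactive sign-in for contrast.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-build@contoso.example", "appDisplayName": "Build CLI",
     "appId": "11111111-1111-1111-1111-111111111111", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": False},
     "conditionalAccessStatus": "notApplied", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "Alice@contoso.example", "appDisplayName": "Mail client",
     "appId": "22222222-2222-2222-2222-222222222222", "authenticationProtocol": "deviceCode",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": False},
     "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Mail client",
     "appId": "22222222-2222-2222-2222-222222222222", "authenticationProtocol": "oAuth2",
     "status": {"errorCode": 0}, "deviceDetail": {"isCompliant": True},
     "conditionalAccessStatus": "success", "ipAddress": "198.51.100.8"},
]
```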

Strengthen Entra ID with Threatscape's Expert Guidance

Device code flow attacks highlight how small configuration decisions can have outsized impact. Understanding where those risks exist, and how to address them without disrupting legitimate use, requires both platform knowledge and threat awareness.

Threatscape’s Microsoft Entra ID Advisory Service provides a complimentary, no-obligation session with a Microsoft security expert, which delivers:

  • An assessment of your current Entra ID posture
  • Insight into real-world identity attack techniques
  • Practical recommendations aligned to your environment
  • Guidance on making effective use of existing Entra and Microsoft 365 capabilities

If device code flow, Conditional Access, or identity risk management are areas of concern, the Entra ID Advisory Service offers a focused starting point grounded in real operational experience.