Microsoft Entra: Stop Device Code Phish
Microsoft Entra
27 Apr 2026 20:20


by HubSite 365 about Merill Fernando

Product Manager @ Microsoft 👉 Sign up to Entra.News my weekly newsletter on all things Microsoft Entra | Creator of cmd.ms & idPowerToys.com

Microsoft Entra: block device code flow phishing with Conditional Access, protect Teams and CI/CD from EvilTokens

Key insights

  • Device code flow lets users sign in on headless devices like Teams meeting rooms and CI/CD pipelines.
    It completes sign-in by having the user approve a code on another device.
  • Phishing actors lure users to approve device codes and then capture valid tokens on the attacker’s device.
    This method can lead to large-scale account compromise if not blocked.
  • Microsoft reported a wide campaign in April 2026 that abused this flow and identified EvilTokens, a phishing-as-a-service toolkit that scales these attacks.
    Expect automated and repeatable abuse.
  • Mitigation: deploy a Conditional Access (CA) policy that blocks the device code flow by default.
    Configure: include All users + All resources; target user action = Register or join devices; condition = Authentication Flows → Device code flow; access control = Block access.
  • Exclude legitimate apps that require device code flow, such as approved meeting-room or CI/CD tools.
    Test exclusions before wide rollout to avoid service disruption.
  • Act now—implement the CA policy, monitor sign-in logs, and alert on unusual device code requests.
    Regularly review exclusions and policy impact to keep protection effective.
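The following is an added example, not code from Microsoft, Merill Fernando or HubSite 365. It builds the Conditional Access policy body the insights above describe (all users, all resources, condition Authentication Flows = device code flow, grant = block), lets you dry-run that policy against a hypothetical sign-in before enforcing it, and scans sign-in records for device code sign-ins that fall outside the exclusions. It assumes the Microsoft Graph `conditionalAccessPolicy` schema (`conditions.authenticationFlows.transferMethods`, `grantControls.builtInControls`) and the sign-in log field `authenticationProtocol` with the value `deviceCode`; the group and app IDs are placeholders and the sign-in records are constructed.

```python
"""Conditional Access policy body for blocking the device code flow, a dry-run
check of that policy, and a scan of sign-in records for device code sign-ins
outside the approved exclusions.

Added example for this page; not Microsoft's or HubSite 365's code. Assumes the
Graph conditionalAccessPolicy schema and the signIn field
authenticationProtocol == "deviceCode". IDs are placeholders; sign-ins are constructed.
"""
import json
from collections import defaultdict

# Placeholders: replace with the tenant's own group and app registration IDs.
EXCLUDED_GROUP_ID = "00000000-0000-0000-0000-00000000aaaa"   # meeting-room / CI service accounts
EXCLUDED_APP_IDS = frozenset({"00000000-0000-0000-0000-00000000bbbb"})  # approved device-code apps


def build_block_device_code_policy(state="enabledForReportingButNotEnforced",
                                   excluded_group_ids=(EXCLUDED_GROUP_ID,),
                                   excluded_app_ids=EXCLUDED_APP_IDS):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
    Defaults to report-only so the sign-in log shows the impact before enforcement."""
    return {
        "displayName": "Block device code flow (except approved apps)",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(excluded_group_ids)},
            "applications": {"includeApplications": ["All"],
                             "excludeApplications": sorted(excluded_app_ids)},
            # The condition described above: Authentication Flows -> Device code flow.
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def would_block(policy, app_id, user_group_ids, protocol="deviceCode"):
    """Dry-run of the policy against one hypothetical sign-in: True if a device
    code sign-in for this app/user would be refused. Mirrors the include/exclude
    logic of the policy body; a report-only policy never blocks."""
    if policy["state"] != "enabled" or protocol != "deviceCode":
        return False
    cond = policy["conditions"]
    if app_id in cond["applications"]["excludeApplications"]:
        return False
    if set(user_group_ids) & set(cond["users"]["excludeGroups"]):
        return False
    return "block" in policy["grantControls"]["builtInControls"]


# Constructed sign-in records in the shape of GET /auditLogs/signIns results.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "room-a@contoso.example", "appId": "00000000-0000-0000-0000-00000000bbbb",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@contoso.example", "appId": "00000000-0000-0000-0000-00000000cccc",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.5"},
    {"userPrincipalName": "carol@contoso.example", "appId": "00000000-0000-0000-0000-00000000bbbb",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "carol@contoso.example", "appId": "00000000-0000-0000-0000-00000000bbbb",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77"},
    {"userPrincipalName": "dave@contoso.example", "appId": "00000000-0000-0000-0000-00000000cccc",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10"},
]


def find_suspicious_device_code_signins(signins, excluded_app_ids=EXCLUDED_APP_IDS):
    """Return {user: [reasons]} for device code sign-ins worth alerting on:
    an app outside the approved exclusions, or one user completing device code
    sign-ins from more than one source IP."""
    by_user = defaultdict(list)
    for s in signins:
        if s.get("authenticationProtocol") == "deviceCode":
            by_user[s["userPrincipalName"]].append(s)
    findings = {}
    for user, events in by_user.items():
        reasons = []
        apps = {e["appId"] for e in events} - set(excluded_app_ids)
        if apps:
            reasons.append("device code sign-in to non-excluded app(s): " + ", ".join(sorted(apps)))
        ips = {e["ipAddress"] for e in events}
        if len(ips) > 1:
            reasons.append("device code sign-ins from multiple source IPs: " + ", ".join(sorted(ips)))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    print(json.dumps(build_block_device_code_policy(), indent=2))
    for user, reasons in find_suspicious_device_code_signins(SAMPLE_SIGNINS).items():
        print(user, "->", "; ".join(reasons))
```

Post the policy body with an account holding the `Policy.ReadWrite.ConditionalAccess` scope, leave it in report-only state while reviewing the sign-in log, and only switch `state` to `enabled` once every legitimate device code consumer sits in the exclusion group or app list; `would_block` is there to sanity-check exactly that before the switch.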


Keywords

device code flow security, block device code phishing, prevent OAuth device code attacks, secure device authentication, Azure AD device code best practices, stop phishing with device code, device code flow mitigation, phishing prevention for device authentication