Detections
Analytics

2.2.3 Ensure that an exclusionary Device code flow policy is considered

Information

Conditional Access Policies can be used to prevent the Device code authentication flow. Device code flow should be permitted only for users that regularly perform duties that explicitly require the use of Device Code to authenticate, such as utilizing Azure with PowerShell.

Rationale:

Attackers use Device code flow in phishing attacks and, if successful, results in the attacker gaining access tokens and refresh tokens which are scoped to 'user_impersonation', which can perform any action the user has permission to perform.

Impact:

Microsoft Entra ID P1 or P2 is required.

This policy should be tested using the Report-only mode before implementation. Without a full and careful understanding of the accounts and personnel who require Device code authentication flow, implementing this policy can block authentication for users and devices who rely on Device code flow. For users and devices that rely on device code flow authentication, more secure alternatives should be implemented wherever possible.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Remediate from Azure Portal
Part 1 of 2 - Create the policy and enable it in Report-only mode.

From Azure Home open the portal menu in the top left and select Microsoft Entra ID.

Scroll down in the menu on the left and select Security.

Select on the left side Conditional Access.

Select Policies.

Click the + New policy button, then:

Provide a name for the policy.

Under Assignments, select Users then:

Under Include, select All users

Under Exclude, check Users and groups and only select emergency access accounts

Under Assignments, select Target resources then:

Under Include, select All cloud apps

Leave Exclude blank unless you have a well defined exception

Under Conditions > Authentication Flows, set Configure to Yes then:

Select Device code flow

Select Done

Under Access Controls > Grant, select Block Access.

Set Enable policy to Report-only.

Click Create.

Allow some time to pass to ensure the sign-in logs capture relevant conditional access events. These events will need to be reviewed to determine if additional considerations are necessary for your organization (e.g. many legitimate use cases of device code authentication are observed).

NOTE: The policy is not yet 'live,' since Report-only is being used to audit the effect of the policy.

Part 2 of 2 - Confirm that the policy is not blocking access that should be granted, then toggle to On.

With your policy now in report-only mode, return to the Microsoft Entra blade and click on Sign-in logs.

Review the recent sign-in events - click an event then review the event details (specifically the Report-only tab) to ensure:

The sign-in event you're reviewing occurred after turning on the policy in report-only mode

The policy name from step 6 above is listed in the Policy Name column

The Result column for the new policy shows that the policy was Not applied (indicating the device code authentication flow was not blocked)

If the above conditions are present, navigate back to the policy name in Conditional Access and open it.

Toggle the policy from Report-only to On.

Click Save.

Default Value:

This policy does not exist by default.

See Also

https://workbench.cisecurity.org/benchmarks/16820

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-1, 800-53|AC-2, 800-53|IA-4, 800-53|IA-5, CSCv7|12.4

Plugin: microsoft_azure

Control ID: a1b6305261c7b5d2c2b3aea29a06324c53ea913c55aab9ba4d81d584a23477fd