Adam King
In a rapidly evolving cloud threat landscape, attackers continue to exploit overlooked authentication methods to bypass security controls. One such method, device code flow, has recently come under scrutiny following a major phishing campaign uncovered by Microsoft.
In February 2025, Microsoft announced the rollout of a managed Conditional Access policy aimed at blocking device code flow authentication, especially for organizations not actively using it. This blog will walk you through:
- What device code flow is and how it works
- The recent threat activity reported by Microsoft (STORM-2372)
- How to block this flow using Conditional Access policies
- The benefits of implementing this change
What is Device Code Flow
Device code flow is an authentication mechanism typically used on devices with limited input capabilities—like smart TVs, IoT appliances, or CLI-based tools.
- A user initiates login on the device, which displays a code.
- The user then opens a browser on a separate device and enters the code at https://microsoft.com/devicelogin.
- The session is authenticated, and the device is granted access.
While this flow is convenient and essential in some scenarios, it lacks key defences such as strong phishing-resistant authentication.
Threat Intelligence: STORM-2372
In February 2025, Microsoft Threat Intelligence reported a phishing campaign conducted by the threat actor STORM-2372. The attacks use a phishing technique called “device code phishing”, which tricks users into signing in to productivity apps while Storm-2372 actors capture the resulting tokens and use them to access the compromised accounts.
Here’s how the attack worked:
- Phishing messages lured targets into opening the device login URL and entering the legitimate device code sent with the phishing email.
- Once submitted, the attacker hijacked the session to gain unauthorized access—bypassing multi-factor authentication (MFA) in some cases.
This campaign highlights how legacy or alternative authentication flows like device code can be a weak link, even in otherwise well-protected environments.
Why Block Device Code Flow
Blocking device code flow is a strategic move for improving your Microsoft 365 identity posture. Here’s why:
- Mitigates phishing risks associated with session hijacking
- Reduces attack surface by eliminating unused or legacy authentication methods
- Enforces modern authentication strategies with Conditional Access and MFA
- Aligns with Microsoft’s Secure Future Initiative, which focuses on secure-by-default configurations
Unless you have a clear and current business need for device code flow, Microsoft recommends disabling it entirely. We suggest taking this one step further, and ensuring users are made aware of this phishing technique where device code flow is enabled.
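Before disabling the flow it helps to know who actually uses it, and whether any recent device code sign-ins look like the phishing pattern above rather than a CLI or TV client. The following Python is an added example, not from the original post or from Microsoft: it scans sign-in records in the shape Microsoft Graph returns them (authenticationProtocol is deviceCode for this grant); the sample records, users and addresses are constructed here, and the expected countries and apps are assumptions you would replace with your own.

```python
import json
from collections import Counter

# Constructed sample in the shape of Microsoft Graph signIn records; the users,
# apps and addresses are invented for this example, not taken from any tenant.
SAMPLE_SIGNINS = json.loads("""[
{"createdDateTime":"2025-02-18T08:02:11Z","userPrincipalName":"alice@contoso.example",
 "appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode",
 "ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"}},
{"createdDateTime":"2025-02-18T08:40:57Z","userPrincipalName":"bob@contoso.example",
 "appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2",
 "ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"}},
{"createdDateTime":"2025-02-18T21:15:03Z","userPrincipalName":"bob@contoso.example",
 "appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode",
 "ipAddress":"198.51.100.7","location":{"countryOrRegion":"US"}},
{"createdDateTime":"2025-02-19T09:12:30Z","userPrincipalName":"alice@contoso.example",
 "appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode",
 "ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"}}
]""")

def device_code_signins(signins):
    """Keep only sign-ins that completed via the device code grant."""
    return [s for s in signins if s.get("authenticationProtocol") == "deviceCode"]

def usage_by_user_and_app(signins):
    """Who genuinely depends on the flow, and through which app, as
    {(upn, app): count}. An empty result means the block policy is safe to enforce."""
    return Counter((s["userPrincipalName"], s["appDisplayName"])
                   for s in device_code_signins(signins))

def suspicious_device_code_signins(signins, expected_countries, expected_apps):
    """Flag device code sign-ins that do not look like legitimate constrained-device
    use: a country the organisation does not operate in, or a productivity app rather
    than a CLI/TV client. Review these before, and after, enforcing the block."""
    flagged = []
    for s in device_code_signins(signins):
        reasons = []
        country = (s.get("location") or {}).get("countryOrRegion")
        if country not in expected_countries:
            reasons.append(f"country {country}")
        if s.get("appDisplayName") not in expected_apps:
            reasons.append(f"app {s.get('appDisplayName')}")
        if reasons:
            flagged.append((s["userPrincipalName"], s["createdDateTime"], ", ".join(reasons)))
    return flagged

if __name__ == "__main__":
    print(usage_by_user_and_app(SAMPLE_SIGNINS))
    print(suspicious_device_code_signins(SAMPLE_SIGNINS, {"GB"}, {"Microsoft Azure CLI"}))
```

On a real tenant, feed the function the records returned by the Graph sign-in log query or an export of the SigninLogs table instead of SAMPLE_SIGNINS.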
How to Block Device Code Flow in Microsoft Entra (Azure AD)
You can block this flow using a Conditional Access policy. Here’s a step-by-step guide based on Microsoft’s documentation:
- Sign in to the Microsoft Entra admin centre as (at least) a Conditional Access Administrator.
- Browse to Protection > Conditional Access > Policies.
- Select New policy.
- Under Assignments, select Users or workload identities.
- Under Include, select the users you want to be in-scope for the policy (All users recommended).
- Under Exclude, select Users and groups and choose your organization’s emergency access or break-glass accounts and any other necessary users. Audit this exclusion list regularly.
- Under Target resources > Resources (formerly cloud apps) > Include, select the apps you want to be in-scope for the policy (All resources (formerly ‘All cloud apps’) recommended).
- Under Conditions > Authentication Flows, set Configure to Yes.
- Select Device code flow.
- Select Done.
- Under Access controls > Grant, select Block access.
- Select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to create your policy.
After administrators evaluate the policy settings using policy impact or report-only mode, they can move the Enable policy toggle from Report-only to On.
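The same policy can be created outside the portal through the Microsoft Graph conditional access API, which is useful when you manage several tenants or keep policies as code. This Python is an added example, not from the post or from Microsoft: it assumes a Graph access token holding Policy.ReadWrite.ConditionalAccess, and the excluded user ID is a placeholder for your own break-glass account object ID.

```python
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def build_block_device_code_policy(exclude_user_ids, report_only=True):
    """Policy body mirroring the portal steps above: all users minus the break-glass
    exclusions, all resources, authentication flow = device code, grant = block,
    created in report-only mode first so its impact can be reviewed."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def has_break_glass_exclusion(policy):
    """Guard against locking yourself out: refuse a policy with no excluded account."""
    return bool(policy["conditions"]["users"]["excludeUsers"])

def create_policy(access_token, policy):
    """POST the policy to Graph and return the created object (including its id)."""
    if not has_break_glass_exclusion(policy):
        raise ValueError("policy has no break-glass exclusion; refusing to create it")
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Placeholder object ID of the emergency access account; replace with your own.
    body = build_block_device_code_policy(["00000000-0000-0000-0000-000000000000"])
    print(json.dumps(body, indent=2))
    # create_policy(ACCESS_TOKEN, body)  # run once you hold a token with the scope above
```

Once report-only results have been reviewed, rebuild the body with report_only=False and PATCH the policy's state, exactly as the toggle in the portal does.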
Microsoft-Managed Policy (February 2025 Rollout)
If your organization hasn’t used device code flow recently, Microsoft may have already applied a managed Conditional Access policy under its Secure Future Initiative. To check:
Go to: Conditional Access > Policies > Microsoft-managed
You can view and modify the policy, if necessary, but it’s strongly recommended to keep it enabled and in the default configuration unless your business has specific requirements to use device code flow.
If you would benefit from a security assessment of your Microsoft 365 cloud environment, Sentrium can help with our cloud penetration testing services. Our team have expert knowledge of Microsoft 365 implementations, including cloud-only and hybrid environments. We understand the complexities in configuring a cloud environment securely, and can help you navigate complex mechanisms like Conditional Access, Multi-Factor Authentication, Sign-in and User Risk policies, and security best practices. Get in touch to find out more about our cloud pentesting services.
*** This is a Security Bloggers Network syndicated blog from Labs Articles Archive - Sentrium Security authored by Adam King. Read the original post at: https://www.sentrium.co.uk/labs/blocking-device-code-flow-in-microsoft-entra-id