Ensure that an exclusionary Device code flow policy is considered
Why This Matters
Device code flow is a legitimate authentication method for scenarios such as signing in to Azure from PowerShell, but attackers frequently abuse it in phishing campaigns. When such an attack succeeds, the adversary obtains access tokens carrying the user_impersonation scope, which let them perform any action the compromised user can. Restricting device code flow to only those personnel who explicitly require it reduces your exposure to token theft and session hijacking.
What Aether365 Checks
This check verifies whether a Conditional Access policy is in place that blocks the device code authentication flow for users who do not need it, while excluding the group that does. In the Aether365 dashboard, this appears under the Entra ID checks section as ENTRA.1111.
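The following is an added example (not Aether365's own code) showing how to audit a tenant for such a policy with the Microsoft Graph PowerShell SDK and, if none exists, create one in report-only mode. It assumes the authenticationFlows condition is available on the Graph endpoint used and that the signed-in account holds the Policy.Read.All and Policy.ReadWrite.ConditionalAccess permissions; the group id is a placeholder.

```powershell
# Added example, not Aether365's or Microsoft's code. Requires the Microsoft Graph PowerShell SDK.
# Assumed permissions: Policy.Read.All (audit) and Policy.ReadWrite.ConditionalAccess (create).
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$policyUri = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'

# Audit: return every enabled policy that blocks the device code flow,
# which is the condition a check like ENTRA.1111 is looking for.
function Get-DeviceCodeFlowBlockPolicy {
    $policies = (Invoke-MgGraphRequest -Method GET -Uri $policyUri).value
    $policies | Where-Object {
        $_.state -eq 'enabled' -and
        $_.conditions.authenticationFlows.transferMethods -match 'deviceCodeFlow' -and
        $_.grantControls.builtInControls -contains 'block'
    }
}

$existing = Get-DeviceCodeFlowBlockPolicy
if ($existing) {
    "Device code flow is already blocked by: $($existing.displayName -join ', ')"
    return
}

# Remediate: block the flow for all users except an exclusion group of personnel
# who genuinely need it (for example, admins who script Azure from PowerShell).
# <EXCLUDED-GROUP-OBJECT-ID> is a placeholder; substitute your own group's object id.
$body = @{
    displayName = 'Block device code flow except for approved users'
    state       = 'enabledForReportingButNotEnforced'   # start in report-only, enforce after review
    conditions  = @{
        applications        = @{ includeApplications = @('All') }
        users               = @{
            includeUsers  = @('All')
            excludeGroups = @('<EXCLUDED-GROUP-OBJECT-ID>')
        }
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method POST -Uri $policyUri -Body $body -ContentType 'application/json'
```

Review the report-only sign-in logs for the new policy before switching its state to enabled, so that legitimate device code sign-ins surface and can be moved into the exclusion group first.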