Description:
An exclusionary device code flow policy is a Conditional Access policy in Azure Active Directory (AAD, now Microsoft Entra ID) that blocks the OAuth 2.0 device authorization grant ("device code flow") for everyone and then allows it only for the users, applications, locations or devices that have a documented need for it. Device code flow is intended for input-constrained clients that cannot open a web browser (consoles, smart TVs, IoT devices, command-line tools): the client displays a short code, the user enters that code at https://microsoft.com/devicelogin on another device and completes sign-in there, and the original client then receives the access and refresh tokens. The policy limits which identities and devices may complete that exchange, so the flow is available only where it is actually required.
Rationale:
Device code flow separates the device that receives the tokens from the device on which the user signs in. That separation is what makes the flow useful on headless clients, and it is also what makes it a phishing primitive: an attacker starts the flow on their own machine, sends the victim the code with a plausible pretext, and when the victim enters it on the genuine Microsoft sign-in page (including completing MFA) the access and refresh tokens are issued to the attacker's client. Microsoft classifies device code flow as a high-risk authentication flow for this reason. Blocking it tenant-wide and excluding only the specific users, applications, locations or devices that need it removes that attack surface without breaking the legitimate headless use cases.
Impact:
Blocking device code flow strengthens security by removing a token-theft path that does not depend on weak credentials. The cost is operational: any tool that authenticates with device code flow (CLI tools on servers without a browser, kiosks, smart TVs, IoT devices, some automation) will fail unless its users, locations or devices are excluded. Inventory those use cases before enforcing the policy, deploy in Report-only mode first, and keep the exclusion lists as narrow as possible, since every exclusion reopens the attack path for the excluded population.
Default Value:
By default no Conditional Access policy restricts device code flow: any user can complete it from any device for any application that implements the flow. Restrictions must be configured manually through Conditional Access.
Pre-requisites:
Azure Active Directory tenant with an Azure AD Premium P1 license (or another license that includes Conditional Access).
Global Administrator or Conditional Access Administrator role.
Microsoft Graph PowerShell SDK, if the policy is to be audited or deployed by script (optional).
An inventory of the users, applications, locations and devices that legitimately rely on device code flow, so they can be excluded rather than broken.
Audit:
Sign in to the Azure portal as a Global Administrator or Conditional Access Administrator.
Navigate to Azure Active Directory > Security > Conditional Access > Policies.
Confirm that a policy exists with State set to On (not Report-only or Off), Users set to All users, Target resources set to All cloud apps, Conditions > Authentication flows > Device code flow selected, and Grant set to Block access. Review the Exclude lists for users, groups, locations and device filters and verify that each exclusion is documented and still required; each one is an allow path for device code flow.
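The same audit can be scripted with the Microsoft Graph PowerShell SDK. The block below is an added example and is not part of the original guidance; it assumes the SDK is installed and that the installed version exposes the Authentication flows condition on Conditional Access policy objects (the AuthenticationFlows.TransferMethods property). It lists every policy that targets device code flow, reports whether any of them enforces a tenant-wide block, and prints the exclusion counts so each allow path can be justified.

```powershell
# Added example (not from the original page): audit for an enforced
# Conditional Access policy that blocks device code flow tenant-wide.
# Assumes the Microsoft Graph PowerShell SDK with AuthenticationFlows support.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

function Test-DeviceCodeFlowPolicy {
    param([object[]]$Policies)

    foreach ($p in $Policies) {
        # TransferMethods is a comma-separated flags string,
        # e.g. "deviceCodeFlow" or "deviceCodeFlow,authenticationTransfer".
        $flows = $p.Conditions.AuthenticationFlows.TransferMethods
        if (-not $flows -or (($flows -split ',').Trim() -notcontains 'deviceCodeFlow')) { continue }

        [pscustomobject]@{
            Policy   = $p.DisplayName
            State    = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
            AllUsers = [bool]($p.Conditions.Users.IncludeUsers -contains 'All')
            AllApps  = [bool]($p.Conditions.Applications.IncludeApplications -contains 'All')
            Blocks   = [bool]($p.GrantControls.BuiltInControls -contains 'block')
            # Every excluded user, group or location keeps device code flow open.
            UserExcl = @($p.Conditions.Users.ExcludeUsers).Count + @($p.Conditions.Users.ExcludeGroups).Count
            LocExcl  = @($p.Conditions.Locations.ExcludeLocations).Count
        }
    }
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
$report   = @(Test-DeviceCodeFlowPolicy -Policies $policies)

# PASS only if an enabled (not report-only) policy blocks the flow for all users and all apps.
$enforced = $report | Where-Object { $_.State -eq 'enabled' -and $_.AllUsers -and $_.AllApps -and $_.Blocks }
if ($enforced) {
    Write-Host "PASS: device code flow is blocked tenant-wide by: $($enforced.Policy -join ', ')"
} else {
    Write-Warning 'FAIL: no enabled policy blocks device code flow for all users and all cloud apps.'
}

# Show every policy that touches device code flow, including report-only and disabled ones,
# so stale or half-deployed policies are visible to the reviewer.
$report | Format-Table -AutoSize
```

A policy in report-only state shows up in the table but does not count as a pass; report-only is a deployment stage, not a control.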
Implementation Steps (Manual):
Sign in to Azure portal:
Use an account with Global Administrator or Conditional Access Administrator permissions.
Navigate to Conditional Access Policies:
In the Azure portal, go to Azure Active Directory > Security > Conditional Access.
Create a Conditional Access Policy:
Click + New policy. A dedicated policy is easier to audit and to back out than conditions added to an existing policy.
Name the policy (e.g., "CA - Block device code flow (exclusionary)").
Define Policy Scope:
Under Assignments > Users, select Include > All users. The exclusions are added in the next step.
Under Target resources (labelled Cloud apps or actions in older portal builds), select All cloud apps. Scoping to a subset of applications leaves device code flow open for every application not listed.
Configure the Device Code Flow Condition and Its Exclusions:
Under Conditions > Authentication flows, set Configure to Yes and select Device code flow. This condition is what scopes the policy to the device authorization grant; the Device platforms, Client apps and Device state conditions cannot identify device code flow on their own.
Under Assignments > Users > Exclude, exempt the emergency access (break-glass) accounts and the group of users or service accounts with a documented need for device code flow.
Under Conditions > Locations, include Any location and exclude the trusted named locations (for example, the IP ranges of a build farm or kiosk network) from which device code flow must keep working.
Under Conditions > Filter for devices, optionally exclude devices that are compliant or hybrid Azure AD joined if managed devices are allowed to keep using the flow.
Configure Access Controls:
Under Access controls > Grant, select Block access, so that device code flow is denied for everyone except the excluded assignments.
Alternatively, select Grant access with Require multifactor authentication or Require device to be marked as compliant. Note that requiring MFA does not stop device code phishing, because the victim completes MFA on the legitimate sign-in page and the tokens still go to the attacker's client; Block access is the recommended control.
Save and Enable the Policy:
Review the configuration, set Enable policy to Report-only, and click Create. Leave the policy in Report-only long enough to review the sign-ins it would have blocked, then switch it to On.
Test and Monitor:
After enabling the policy, attempt a device code sign-in (for example with the Azure CLI's device code login option) from an excluded user, location or device and from a non-excluded one, and verify that only the excluded attempt succeeds.
Use the Azure AD Sign-in logs to monitor the policy: filter on Authentication protocol = Device code, check the Conditional Access column for Failure on non-excluded attempts, and while the policy is in Report-only use the Report-only tab of each sign-in to see whether it would have been blocked.
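The steps above can also be performed with the Microsoft Graph PowerShell SDK. The block below is an added example and is not part of the original guidance: it creates the policy in Report-only state through the Graph conditionalAccessPolicy resource and then lists the last seven days of device code sign-ins. It assumes an SDK version that supports the authenticationFlows condition; the group and named-location IDs are placeholders to be replaced with your own object IDs.

```powershell
# Added example (not from the original page): create the exclusionary device
# code flow policy via Microsoft Graph, then review recent device code sign-ins.
# Assumes the Microsoft Graph PowerShell SDK with authenticationFlows support.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'AuditLog.Read.All','Directory.Read.All' -NoWelcome

# Placeholder object IDs; replace with the real group and named location IDs.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000001'  # emergency access accounts
$deviceCodeGroupId = '00000000-0000-0000-0000-000000000002'  # users with an approved need
$kioskLocationId   = '00000000-0000-0000-0000-000000000003'  # trusted named location

$policy = @{
    displayName = 'CA - Block device code flow (exclusionary)'
    # Start in report-only; set to 'enabled' after reviewing what it would block.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId, $deviceCodeGroupId)
        }
        applications = @{ includeApplications = @('All') }
        # This condition scopes the policy to the device authorization grant.
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @($kioskLocationId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Monitoring: pull the last 7 days of sign-ins and keep those made with device
# code flow. AuthenticationProtocol is filtered client-side because not every
# sign-in property supports a server-side $filter.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' }

# ConditionalAccessStatus is 'failure' when an enforced policy blocked the sign-in
# (error 53003); while the policy is report-only, inspect AppliedConditionalAccessPolicies
# for a result of 'reportOnlyFailure' instead.
$signIns |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
        ConditionalAccessStatus,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
        @{ n = 'ReportOnly'; e = { ($_.AppliedConditionalAccessPolicies |
                                   Where-Object { $_.Id -eq $created.Id }).Result } } |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize
```

Run the monitoring half on its own while the policy sits in Report-only: any row whose ReportOnly column reads reportOnlyFailure belongs to a user, location or device that will be blocked once the policy is switched on, which is exactly the list to reconcile against the exclusion inventory before enforcing.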
Backout Plan (Manual):
Sign in to Azure portal:
Use an account with Global Administrator or Conditional Access Administrator privileges.
Navigate to Conditional Access Policies:
Go to Azure Active Directory > Security > Conditional Access.
Disable or Modify the Policy:
Locate the Conditional Access policy you created for device code flow.
Either disable the policy, or edit it to remove the Block access grant control or to add the affected users, locations or devices to the Exclude lists, depending on whether the whole control or only one exclusion needs to be reverted.
To disable, set Enable policy to Off and save.
Test Reverted Access:
After disabling or modifying the policy, attempt a device code sign-in from a previously blocked user or device and confirm that it now succeeds. Conditional Access changes can take a few minutes to propagate, so retry before concluding the backout failed.
Review Access Logs:
Review the sign-in logs (filtered on Authentication protocol = Device code) to confirm that the policy no longer appears as a failure in the Conditional Access column and that no unintended access issues remain after the backout.