MT.1052 - At least one Conditional Access policy is targeting the Device Code authentication flow.
Overview
Checks whether at least one Conditional Access policy targets the Device Code authentication flow condition.
Organizations should block or limit device code flow because it can be exploited in phishing attacks, such as those conducted by the Storm-2372 group. Attackers leverage this authentication method to trick users into entering device codes on malicious websites, granting unauthorized access to accounts. Blocking or limiting this flow helps prevent exploitation by minimizing attack vectors, improving overall security posture, and safeguarding against compromised credentials through phishing techniques.
How to fix
Configure a Conditional Access policy to block the Device Code authentication flow and limit access to only trusted users and devices or to specific named locations.
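The following PowerShell is an added example and is not Maester's own test code or the project's remediation script. It shows both halves of this page in working form: a check that mirrors what the test looks for (any policy whose `conditions.authenticationFlows.transferMethods` in the Microsoft Graph v1.0 conditional access schema includes `deviceCodeFlow`), and the policy body a blocking policy would carry. The check additionally separates enforced policies from report-only ones, which is an extension of the page's "at least one policy" criterion. The `$samplePolicies` array is constructed so the script runs offline; the commented `Invoke-MgGraphRequest` calls (from the Microsoft.Graph.Authentication module) are how you would run it against a live tenant, and the break-glass object ID is a placeholder.

```powershell
# Added example, not Maester's own code. Checks whether any Conditional Access policy
# targets the Device Code authentication flow and shows the remediation policy body.
# Schema reference: Graph v1.0 conditionalAccessPolicy -> conditions.authenticationFlows.transferMethods
# (a comma-separated flags string, e.g. "deviceCodeFlow,authenticationTransfer").

function Test-DeviceCodeFlowTargeted {
    param([Parameter(Mandatory)] [object[]] $Policies)

    $matching = foreach ($p in $Policies) {
        $methods = $p.conditions.authenticationFlows.transferMethods
        if ([string]::IsNullOrWhiteSpace($methods)) { continue }
        $list = ($methods -split ',') | ForEach-Object { $_.Trim() }
        if ($list -contains 'deviceCodeFlow') { $p }
    }
    $matching = @($matching)

    [pscustomobject]@{
        Targeted    = $matching.Count -gt 0                                   # what MT.1052 asks for
        Enforced    = @($matching | Where-Object state -eq 'enabled').Count -gt 0   # report-only does not block
        PolicyNames = @($matching | ForEach-Object { $_.displayName })
    }
}

# Constructed sample tenant: one unrelated policy and one report-only device code policy.
$samplePolicies = @(
    [pscustomobject]@{
        displayName = 'Require MFA for all users'
        state       = 'enabled'
        conditions  = [pscustomobject]@{ authenticationFlows = $null }
    },
    [pscustomobject]@{
        displayName = 'Block device code flow'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = [pscustomobject]@{
            authenticationFlows = [pscustomobject]@{ transferMethods = 'deviceCodeFlow' }
        }
    }
)

# Live tenant instead of the sample (needs Connect-MgGraph -Scopes 'Policy.Read.All'):
# $samplePolicies = (Invoke-MgGraphRequest -Method GET `
#     -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies').value

$result = Test-DeviceCodeFlowTargeted -Policies $samplePolicies
$result | Format-List
# With the constructed sample: Targeted = True, Enforced = False (only report-only),
# PolicyNames = {Block device code flow}

# Remediation body for a policy that blocks the device code flow for all users and
# all cloud apps. Start in report-only mode, review the sign-in logs for legitimate
# device code usage (e.g. headless devices), then switch state to 'enabled'.
# To *limit* rather than block, add conditions.locations with trusted named locations.
$blockPolicy = @{
    displayName   = 'CA - Block device code flow'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users               = @{
            includeUsers = @('All')
            excludeUsers = @('<break-glass-account-object-id>')   # placeholder, keep emergency access excluded
        }
        applications        = @{ includeApplications = @('All') }
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Create it (needs Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'):
# Invoke-MgGraphRequest -Method POST `
#     -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
#     -Body ($blockPolicy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Because `Invoke-MgGraphRequest` returns nested hashtables by default, the same `$p.conditions.authenticationFlows.transferMethods` access works unchanged on live policy objects. A report-only policy makes the check above report `Targeted = True` but `Enforced = False`; treat that as an open finding until the policy is switched to `enabled`.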
Learn more
- Block authentication flows with Conditional Access policy
- Microsoft Threat Intelligence | Storm-2372 conducts device code phishing campaign
- Jeffrey Appel | How to protect against Device Code Flow abuse (Storm-2372 attacks) and block the authentication flow
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1052 |
| Severity | High |
| Suite | Maester |
| Category | CA |
| PowerShell test | Test-MtCaDeviceCodeFlow |
| Tags | CA, Maester, MT.1052 |
Source
- Pester test: tests/Maester/Entra/Test-ConditionalAccessBaseline.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtCaDeviceCodeFlow.ps1