DEV Community: Vávra Tomáš

Device Code Flow: The Overlooked Phishing Vector (And How to Block It)

Vávra Tomáš — Mon, 01 Jun 2026 15:49:22 +0000

Device Code Flow abuse is not a new technique. Security teams have known for some time that this OAuth feature can be leveraged in phishing attacks to obtain tokens without stealing credentials. What is new is how accessible and scalable this attack has become.

In April 2026, the FBI warned about a Phishing-as-a-Service (PhaaS) platform called Kali365, which operationalizes this exact technique. It allows even low-skilled attackers to run campaigns that trick users into entering device codes on legitimate Microsoft login pages — ultimately granting attackers OAuth tokens and acess to Microsoft 365 environments without triggering traditional authentication defenses.

How Device Code Flow Works

Device code flow is an authentication method designed for scenarios where a device has limited input options or lacks a convenient browser interface (such as smart TVs, IoT devices, or command-line tools). Instead of entering credentials directly on the device, the application generates a verification code and displays it.

The user then switches to a secondary device (such as a laptop or smartphone), navigates to https://microsoft.com/devicelogin, and enters the provided code. After successfully authenticating, the identity provider securely links the session and grants the original device access to the requested resource.

Why Device Code Flow Should Be Restricted

In practice, many organizations don’t have a real or current business need for device code flow, yet leave it enabled—unnecessarily expanding their attack surface. Disabling it helps reduce exposure by removing a legacy or rarely used authentication path and reinforces modern controls.

Microsoft recommends getting as close as possible to a full block. Start by auditing existing usage, validate whether any legitimate scenarios still require it, and strictly limit access only to well-defined, secured, and documented use cases (e.g., specific legacy tools). In all other cases, device code flow should be disabled by default—and users that legitimately need device code flow should be educated about how it can be misused in phishing campaigns.

How to Restrict Device Code Flow in MS Entra ID

You can mitigate this flow by implementing Conditional Access — here’s step by step guide based on Microsoft's documentation:

Sign in to the Microsoft Entra admin centre as (at least) a Conditional Access Administrator.
Sign in to the Microsoft Entra admin centre as (at least) a Conditional Access Administrator.
Browse to Entra ID > Conditional Access > Policies.
Select New policy.
Under Assignments, select Users or workload identities.
- Under Include, select users you want to be in-scope for the policy (All users recommended).
- Under Exclude, select your organization’s emergency access or break-glass accounts and any other necessary users. This exclusion list should be audited regularly.
Under Target resources > Resources (formerly cloud apps) > Include, select the apps you want to be in-scope for the policy (All resources (formerly 'All cloud apps') recommended).
Under Conditions > Authentication Flows, set Configure to Yes.
- Select Device code flow.
- Select Done.
Under Access controls > Grant, select Block access.
- Select Select.
Confirm your settings and set Enable policy to Report-only.
Select Create to enable your policy.

After evaluation of the policy settings using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.

Microsoft-managed Conditional Access Policies

Device code flow may already be blocked in your tenant by default through Microsoft-managed Conditional Access policies. To check:

Go to: Entra ID > Conditional Access > Policies > Microsoft-managed

Microsoft automatically deploys these preconfigured policies based on global threat intelligence, often including controls like blocking device code flow or enforcing MFA to reduce risk. These policies are initially introduced in report-only mode and later enforced, meaning your environment might already be protected without manual configuration. It’s therefore important to review existing Conditional Access policies before implementing new ones, as device code flow could already be restricted as part of Microsoft’s secure-by-default approach.

My Experience Learning and Passing the AZ-900: What Helped, What Didn’t, and What I’d Do Differently

Vávra Tomáš — Thu, 15 May 2025 21:29:31 +0000

TL;DR: I passed the AZ-900 using Microsoft Learn, YouTube resources, and free practice tests. Here's what helped, what I'd skip, and what I wish I’d done earlier.

Hey everyone

I recently passed the AZ-900: Microsoft Azure Fundamentals certification, and I wanted to share a bit about my journey—what worked, what didn’t, and what I'd recommend if you're considering going down the same path.

Whether you're just getting into cloud, exploring Azure for the first time, or simply validating your understanding, I hope this gives you some helpful insight.

🎯 Why I Took the AZ-900

I wanted to solidify my understanding of cloud computing concepts and get familiar with Azure’s core services and offerings. This certification felt like the right starting point to gain clarity on how Azure platform works, especially in service-oriented context.

📚 My Study Strategy

I didn’t want to overcomplicate things, so I focused on four main resources:

1. Microsoft Learn (Free!)

This was my primary study material. Microsoft’s official learning paths are well-structured and beginner-friendly, while also updated based on the general exam curiculum.

I followed this course:

🔗 MS Azure Fundamentals

✅ What I liked:

Bite-sized modules
Self-paced learning
Quizzes after each section to reinforce learning

⚠️ Some parts can feel a bit high-level or repetitive, but they’re exam-relevant and cover a broad range of topics well.

2. John Savill’s YouTube Certification course (2025 update)

John Savill’s AZ-900 video series was super helpful.

He explains concepts clearly, uses diagrams, and gives real-world context to abstract ideas. This source was especially useful for deeper understanding of some Azure-specific services, so its not necessary to watch whole serie.

🔗 Watch it here

✅ Great for reviewing and reinforcing what I learned on Microsoft Learn.

⚠️ Some videos can feel a bit redundant after MS Learn, especialy those focusing on basic concepts.

3. Inside Cloud and Security YouTube AZ-900 Cram

This video was especially useful during the final days before the exam—perfect for a last-minute review.

🔗 Watch it here

Microsoft Learn AZ-900 Practice Asessment
Inside Cloud and Security AZ-900 Practice Quiz

✅ Great for last minute reviewing and refreshing.

⚠️ Use 1.5x speed if you use it just for revisiting materials to save some time.

4. Practice Tests

Testing myself was crucial. I used only free practice tests.

Microsoft Learn AZ-900 Practice Asessment
Inside Cloud and Security AZ-900 Practice Quiz

These helped me:

Identify areas I needed to revisit (MS Learn is unparalleled for this)
Practice time management under exam conditions
Inside Cloud and Security quiz is closer to real question style, since MS Learn is noticably easier than real exam

🧠 What Was Most Useful

Microsoft Learn + practice tests made a strong combo
Summarizing key concepts in my own words
Hands-on with the Azure Portal—even though not required, this made everything more tangible

🤔 What I’d Do Differently

Take practice tests earlier.

They reveal weak spots and help you study smarter, not harder.
Spend more time using the Azure portal.

Seeing how services are deployed and managed deepens understanding, even for a theory-based exam like AZ-900.

🧰 Useful Links & Resources

✅ Final Thoughts

AZ-900 is a great foundation-level certification if you're starting out with Azure or cloud in general.

It won’t dive deep into hands-on tasks, but it gives you the language, context, and confidence to explore further paths.

If you're studying or already passed—drop a comment! I’d love to hear how your experience went too 👇