turbot/steampipe-mod-microsoft365-compliance

Control: 5.2.2.12 Ensure the device code sign-in flow is blocked

Description

The Microsoft identity platform supports the device authorization grant, which allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. To enable this flow, the device has the user visit a webpage in a browser on another device to sign in. Once the user signs in, the device is able to get access tokens and refresh tokens as needed.

The recommended state is to Block access for Device code flow in Conditional Access.

Remediation

To remediate using the UI:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Protection > Conditional Access and select Policies.
  3. Create a new policy by selecting New policy.
    • Under Users include All users.
    • Under Target resources > Resources (formerly cloud apps) include All resources (formerly 'All cloud apps').
    • Under Conditions > Authentication flows set Configure to Yes, select Device code flow and click Save.
    • Under Grant select Block access and click Select.
  4. Under Enable policy set it to Report-only until the organization is ready to enable it.
  5. Click Create.

Note: Break-glass accounts should be excluded from all Conditional Access policies.

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v500_5_2_2_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v500_5_2_2_12 --share

SQL

This control uses a named query:

with tenant_list as (
  -- One row per tenant; _ctx carries the Steampipe connection context.
  select distinct on (tenant_id) tenant_id, _ctx
  from azuread_user
),
conditional_access_policy as (
  select
    tenant_id,
    count(*) as conditional_access_policy_count
  from
    azuread_conditional_access_policy
  where
    -- Scoped to all users and all resources (cloud apps) ...
    users -> 'includeUsers' ? 'All'
    and applications -> 'includeApplications' ? 'All'
    -- ... with the Block grant control (encoded as 0 in this column) ...
    and built_in_controls @> '[0]'::jsonb
    -- ... targeting the device code flow. transferMethods is a flags enum that
    -- Graph serialises as a comma-separated string, so match the member rather
    -- than the whole string, or a policy that also blocks authenticationTransfer
    -- would be missed.
    and 'deviceCodeFlow' = any(
      string_to_array(
        replace(additional_data -> 'authenticationFlows' ->> 'transferMethods', ' ', ''),
        ','
      )
    )
    -- Report-only policies do not enforce the block.
    and state = 'enabled'
  group by
    tenant_id
)
select
  t.tenant_id as resource,
  case
    when p.conditional_access_policy_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when p.conditional_access_policy_count > 0 then t.tenant_id || ' has a conditional access policy that blocks the device code sign-in flow.'
    else t.tenant_id || ' does not have a conditional access policy that blocks the device code sign-in flow.'
  end as reason,
  t.tenant_id as tenant_id
from
  tenant_list as t
  -- Tenants with no matching policy get a null count and therefore 'alarm'.
  left join conditional_access_policy as p on p.tenant_id = t.tenant_id;
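The following is an added example, not part of the mod or the CIS benchmark: it shows the Microsoft Graph request body that corresponds to the Remediation steps above, and re-implements the control's check against raw Graph policy objects so the two can be compared offline. The display name and the break-glass exclusion are constructed placeholder values.

```python
# Graph API body for the policy the Remediation steps build in the Entra admin
# center. The display name and the break-glass exclusion are constructed values.
REMEDIATION_POLICY = {
    "displayName": "CIS 5.2.2.12 - Block device code flow",
    # Report-only, as step 4 recommends; switch to "enabled" to enforce.
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": ["<break-glass-account-object-id>"],  # placeholder
        },
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def blocks_device_code_flow(policy: dict) -> bool:
    """Same predicate as the control's SQL, applied to one raw Graph policy object.

    transferMethods is a flags enum that Graph serialises as a comma-separated
    string, so a policy that blocks both flows must still count.
    """
    cond = policy.get("conditions") or {}
    flows = cond.get("authenticationFlows") or {}
    methods = {m.strip() for m in (flows.get("transferMethods") or "").split(",")}
    grant = policy.get("grantControls") or {}
    return (
        policy.get("state") == "enabled"  # report-only does not enforce the block
        and "All" in ((cond.get("users") or {}).get("includeUsers") or [])
        and "All" in ((cond.get("applications") or {}).get("includeApplications") or [])
        and "deviceCodeFlow" in methods
        and "block" in (grant.get("builtInControls") or [])
    )


def evaluate_tenant(policies: list) -> str:
    """'ok' if any policy in the tenant satisfies the control, else 'alarm'."""
    return "ok" if any(blocks_device_code_flow(p) for p in policies) else "alarm"


if __name__ == "__main__":
    enforced = {**REMEDIATION_POLICY, "state": "enabled"}
    print(evaluate_tenant([REMEDIATION_POLICY]))  # alarm: still report-only
    print(evaluate_tenant([enforced]))            # ok
```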

Tags