In today’s digital landscape, Microsoft Entra ID offers a comprehensive range of authentication and authorization flows to ensure seamless access across various applications and devices. However, not all flows carry the same level of risk, and some may introduce potential vulnerabilities if not managed properly. To address this, Microsoft has introduced enhanced security controls through Conditional Access policies, allowing organizations to take a more granular approach to securing their environments. These policies enable the management of specific authentication flows, such as legacy authentication protocols and risky sign-in locations, helping organizations mitigate threats more effectively. In this blog, we’ll explore two key flows, Device Code Flow and Authentication Transfer, discuss how they affect security and user experience in Microsoft Entra ID, and show how to secure them using Conditional Access.
Let's delve into Device Code Flow
The device code flow is mainly utilized for logging into devices that lack local input capabilities, such as digital signage, shared devices, or Cisco Webex codecs. Although this method simplifies the onboarding of these devices, it also introduces risks like phishing attacks or accessing corporate resources on unmanaged devices, which could compromise organizational data. We can mitigate these risks by implementing conditional access, specifically excluding the accounts and devices that use this authentication method, along with a network location, as we will discuss in this blog. This flow is part of the OAuth 2.0 framework and incorporates OpenID Connect to provide authentication. It enables a user to authenticate from another device (such as a smartphone or computer) instead of directly on the device with limited input.
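To make the mechanics concrete, here is an added, constructed model of the OAuth 2.0 device authorization grant (RFC 8628) that the device code flow implements. It is illustration code, not Microsoft's server or any library's code; the client id, scope, account name and token format are made up. The point to notice is that the server binds the approving account to the grant, but never learns anything about who holds the matching device_code: whoever holds it receives the token once any user enters the user_code.

```python
import secrets
import time

# Constructed, in-memory model of the RFC 8628 device authorization grant.
# Not Microsoft's implementation; written to show the three protocol steps.

ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # user codes avoid vowels and ambiguous glyphs


class DeviceCodeServer:
    def __init__(self, lifetime=900, interval=5, clock=time.time):
        self.lifetime = lifetime          # seconds a code pair stays valid
        self.interval = interval          # minimum polling interval for clients
        self.clock = clock                # injectable for deterministic testing
        self._by_device_code = {}
        self._by_user_code = {}

    def device_authorization(self, client_id, scope):
        """Step 1: the input-constrained device asks for a code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        grant = {
            "client_id": client_id,
            "scope": scope,
            "user_code": user_code,
            "expires_at": self.clock() + self.lifetime,
            "approved_by": None,   # filled in when a user enters the user_code
            "redeemed": False,
        }
        self._by_device_code[device_code] = grant
        self._by_user_code[user_code] = grant
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://microsoft.com/devicelogin",
            "expires_in": self.lifetime,
            "interval": self.interval,
        }

    def user_approve(self, user_code, account):
        """Step 2: a browser session on any device enters the user_code.
        The server records which account approved; it learns nothing about
        who holds the matching device_code."""
        grant = self._by_user_code.get(user_code)
        if grant is None or self.clock() > grant["expires_at"]:
            return "invalid_or_expired_code"
        if grant["approved_by"] is not None:
            return "already_approved"
        grant["approved_by"] = account
        return "approved"

    def token(self, device_code):
        """Step 3: whoever holds the device_code polls the token endpoint."""
        grant = self._by_device_code.get(device_code)
        if grant is None or grant["redeemed"]:
            return {"error": "invalid_grant"}
        if self.clock() > grant["expires_at"]:
            return {"error": "expired_token"}
        if grant["approved_by"] is None:
            return {"error": "authorization_pending"}
        grant["redeemed"] = True          # a device_code is redeemable once
        return {
            "token_type": "Bearer",
            "scope": grant["scope"],
            "subject": grant["approved_by"],
            "access_token": "constructed." + secrets.token_urlsafe(16),  # placeholder
        }


def walk_through(server, account="alice@contoso.example"):
    """Run the three steps; return what the token endpoint answered each time."""
    req = server.device_authorization("signage-client", "User.Read")
    results = [server.token(req["device_code"])["error"]]        # pending
    server.user_approve(req["user_code"], account)
    results.append(server.token(req["device_code"])["subject"])  # issued
    results.append(server.token(req["device_code"])["error"])    # replay refused
    return results


if __name__ == "__main__":
    print(walk_through(DeviceCodeServer()))
```

Because the approval step carries no information about the requesting device, the only place the tenant can reason about that device is at token issuance, which is exactly where the Conditional Access authentication flows condition described later in this post applies.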
To demonstrate how device code flow works, I initiated it from PowerShell using a tool called TokenTacticsV2, which you can download from GitHub at https://github.com/f-bader/TokenTacticsV2.
Step 1: Import the module and start by typing "Get-AzureToken -Client MSGraph". This will generate a user code for authentication.

Step 2: Visit the URL https://microsoft.com/devicelogin and input the code you received from the previous step. Choose the account if it's already authenticated, or authenticate with an account, which will enable the device to sign in and access the resources. Keeping this

Once the authentication is completed, you can see the Bearer token and the scope of the access along with access token details.

You can check the sign-in activity in the Entra sign-in logs, which confirm that the sign-in using device code was successful.

Device code flow is associated with several potential security risks, including: phishing attacks, where malicious actors deceive users into entering the device code on a fraudulent website, enabling unauthorized access to sensitive data; "man-in-the-middle" attacks, where an attacker intercepts the code shown on the device and uses it to gain access; and exposure of sensitive information on a public device, particularly when the flow is used on shared or unmanaged devices, which can result in data breaches if not properly secured.
Important aspects of vulnerabilities in device code flow:
Phishing vulnerability: Because the device code appears on the device, attackers can effortlessly set up phishing websites that imitate the authentic login process, deceiving users into inputting the code on a fraudulent page.
Man-in-the-Middle Attacks (MitM): An attacker might intercept the communication between a user's device and the authentication server, seizing the device code to obtain unauthorized access.
Unsecured Device Environment: If the device displaying the code lacks proper security, attackers may find it easier to access the code, particularly on public or shared devices.
Strategies for Mitigation:
Thorough User Training: Inform users about the dangers of phishing and stress the necessity of entering device codes solely on reputable websites.
Multi-factor Authentication (MFA): Using MFA in conjunction with the device code flow enhances security by adding an additional layer of protection, which can be enforced through conditional access.
Device Management: Establish device management policies to ensure the security of devices used in the device code flow by ensuring the device is compliant and verifying access through conditional access policies.
Enhancing Security with Conditional Access Policies
We can achieve this by establishing a conditional access policy that verifies the device compliance status and requires users to satisfy multifactor authentication.
Log in to the Microsoft Entra admin center with at least the role of a Conditional Access Administrator.
Navigate to Protection > Conditional Access > Policies and select New Policy.
In the Assignments section, choose Users or workload identities.
Within Include, select the users you wish to include in the policy scope (all users is recommended).
In Target resources > Resources (formerly cloud apps) > Include, choose the apps you wish to include in the policy's scope (All resources (formerly 'All cloud apps') is recommended).
In Conditions > Authentication Flows, change Configure to Yes.
Choose Device code flow and Click Done.
Navigate to Access controls > Grant, and choose Grant Access.
Select "Require multifactor authentication" and "Require device to be marked as compliant".
Select "Require all the selected controls" and click Select.
Verify your settings and set Enable policy to Report-only or On.
Click Create to activate the policy.

Once conditional access is configured and the policy is enabled, a device code sign-in will be blocked unless both controls (MFA and a compliant device) are satisfied.
If device code flow is not needed, or you cannot guarantee a compliant device for a particular action, create a new Conditional Access policy that blocks the flow for all users and exempts only specific accounts. This removes the flow as an attack path for everyone except the excluded accounts.
Log in to the Microsoft Entra admin center with at least the role of a Conditional Access Administrator.
Navigate to Protection > Conditional Access > Policies and select New Policy.
In the Assignments section, choose Users or workload identities.
Within Include, select the users you wish to include in the policy scope (all users is recommended).
Under Exclude: Choose Users and groups, then select your organization's emergency access or break-glass accounts along with any other essential users; this exclusion list should be reviewed regularly.
In Target resources > Resources (formerly cloud apps) > Include, choose the apps you wish to include in the policy's scope (All resources (formerly 'All cloud apps') is recommended).
In Conditions > Authentication Flows, change Configure to Yes.
Choose Device code flow and Click Done.
Navigate to Access controls > Grant, and choose Block Access.
Verify your settings and set Enable policy to Report-only or On.
Click Create to activate the policy.
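The two portal procedures above (require MFA plus a compliant device, or block with break-glass exclusions) can also be expressed as the JSON body of the Microsoft Graph conditionalAccessPolicy resource, which is useful for version-controlling policies and for checking them before they go live. The following is an added example of my own, not the blog's code and not Microsoft's: the builder is parameterized on the transfer method, so the same function produces the Authentication Transfer block policy described later in the post. The property names (conditions.authenticationFlows.transferMethods, grantControls.builtInControls, the state values) follow the Graph schema as I know it; verify them against current Graph documentation before posting. The group id in the demo is a placeholder.

```python
import json

# Constructed example: build Conditional Access policy bodies for the Graph
# conditionalAccessPolicy resource. Field names are from the Graph schema as I
# know it; confirm against the documentation before use. Not the blog's code.

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
TRANSFER_METHODS = {"deviceCodeFlow", "authenticationTransfer"}
GRANT_CONTROLS = {"mfa", "compliantDevice", "domainJoinedDevice", "block"}


def build_auth_flow_policy(display_name, transfer_methods, controls,
                           exclude_users=(), exclude_groups=(), report_only=True):
    """Return a policy body scoped to the given authentication flows.

    controls: e.g. ["mfa", "compliantDevice"] (require all) or ["block"].
    """
    unknown = set(transfer_methods) - TRANSFER_METHODS
    if not transfer_methods or unknown:
        raise ValueError(f"bad transfer methods: {unknown or 'none given'}")
    bad = set(controls) - GRANT_CONTROLS
    if not controls or bad:
        raise ValueError(f"bad grant controls: {bad or 'none given'}")
    if "block" in controls and len(controls) > 1:
        raise ValueError("block cannot be combined with other grant controls")
    return {
        "displayName": display_name,
        # Report-only first: read the sign-in log impact before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": list(exclude_users),
                "excludeGroups": list(exclude_groups),
            },
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {
                "transferMethods": ",".join(sorted(transfer_methods)),
            },
        },
        "grantControls": {
            # "AND" corresponds to "Require all the selected controls" in the portal.
            "operator": "AND",
            "builtInControls": list(controls),
        },
    }


def lockout_risk(policy):
    """True when a block policy covers all users with no break-glass exclusion."""
    users = policy["conditions"]["users"]
    blocks = policy["grantControls"]["builtInControls"] == ["block"]
    everyone = users["includeUsers"] == ["All"]
    no_exclusions = not users["excludeUsers"] and not users["excludeGroups"]
    return blocks and everyone and no_exclusions


if __name__ == "__main__":
    require = build_auth_flow_policy(
        "CA - Device code flow requires MFA and compliant device",
        ["deviceCodeFlow"], ["mfa", "compliantDevice"])
    block = build_auth_flow_policy(
        "CA - Block device code flow",
        ["deviceCodeFlow"], ["block"],
        exclude_groups=["<break-glass-group-object-id>"])  # placeholder id
    for policy in (require, block):
        print(json.dumps(policy, indent=2))
        print("lockout risk:", lockout_risk(policy))
    # POST each body to GRAPH_POLICIES_URL using an app or delegated token that
    # holds Policy.ReadWrite.ConditionalAccess.
```

The lockout_risk check encodes the exclusion advice from the steps above: a block policy that targets all users and excludes nobody is the classic way to lock the emergency access accounts out of the tenant, so it is worth refusing to deploy such a body automatically.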

After setting up conditional access and activating the policy, the account will be blocked during the Device Code Flow.

Let's delve into Authentication Transfer
Authentication Transfer is a process that simplifies cross-device sign-ins for Microsoft applications, making it more convenient to transition from desktop to mobile. This flow enables users to authenticate on one device and then transfer that authentication to another, such as from computer to smartphone. By bridging users across various platforms, Authentication Transfer enhances user engagement. Users can simply scan a QR code in an authenticated app on their PC to gain access to the mobile app. During the Authentication Transfer, all Microsoft Entra Conditional Access policies are assessed. However, Authentication Transfer only transfers authentication credentials and does not include device-specific information.
Note
When using authentication transfer, if users complete multifactor authentication on their computer, they do not need to perform MFA on their mobile device.
With authentication transfer, Conditional Access policies are evaluated before the authentication is transferred. If a policy is not satisfied for the mobile device, the user is required to sign in manually.
Authentication Transfer circumvents third-party mobile device management solutions when transferring authentication to mobile devices.
With authentication transfer, users must re-enter their credentials on their PC even if they had previously signed in using protected session tokens, such as the Primary Refresh Token. However, they do not need to reauthenticate on mobile apps.
Authentication transfer is enabled by default for all users. Administrators can control authentication transfer using Conditional Access policies and the condition of authentication flows. This configuration can limit authentication transfer to specific users or apps, or disable the functionality altogether.
What are the risks associated with using the Authentication Transfer feature?
When using Microsoft's Authentication Transfer feature, the primary security concern is that it could expose users to an elevated risk of unauthorized access if a malicious party gains control of the receiving device. This is because the transfer process essentially grants immediate access to the user's account on that new device without necessitating additional authentication steps beyond the initial transfer request on the original device.
Primary risks linked to Authentication Transfer:
Compromised Device: If a user's receiving device is already infected with malware or accessed by an unauthorized individual, the attacker could easily obtain access to the user's account once the transfer is complete.
Phishing Scams: Malicious individuals may leverage social engineering techniques to deceive users into transferring authentication to a compromised device, enabling them to access sensitive information.
Insufficient user education: If individuals lack proper awareness of the implications associated with Authentication Transfer, they may unintentionally grant access to their accounts on unintended devices, thereby increasing the risk of unauthorized access.
You can minimize these risks by
Robust security measures for Authentication Transfer devices: Ensure all devices used for Authentication Transfer have comprehensive security measures, including strong passwords, regularly updated security patches, and effective device management tools.
Educate users: Clearly explain the risks of Authentication Transfer to users and stress the significance of only transferring access to reliable devices.
Conditional Access policies: Implement Conditional Access policies to add additional verification steps when using Authentication Transfer, such as requiring additional MFA or location verification.
Block Authentication Transfer using Conditional Access
Log in to the Microsoft Entra admin center with at least the role of a Conditional Access Administrator.
Navigate to Protection > Conditional Access > Policies and select New Policy.
In the Assignments section, choose Users or workload identities.
Within Include, select the users you wish to include in the policy scope (all users is recommended).
In Target resources > Resources (formerly cloud apps) > Include, choose the apps you wish to include in the policy's scope (All resources (formerly 'All cloud apps') is recommended).
In Conditions > Authentication Flows, change Configure to Yes.
Choose Authentication Transfer and Click Done.
Navigate to Access controls > Grant, and choose Block Access.
Verify your settings and set Enable policy to Report-only or On.
Click Create to activate the policy.

Sign-in Logs for Authentication Transfer
Administrators can review the sign-in logs to determine whether users are signing in with authentication transfer. This is shown under Authentication Details in the Microsoft Entra sign-in logs, where administrators will see consecutive events, starting with a QR code as the authentication method.
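Reviewing these entries one at a time in the portal does not scale, so here is an added example of triaging exported sign-in records for both flows discussed in this post (the device code entries from the earlier demo and the authentication transfer entries described here). This is my own illustration, not the blog's code and not a Microsoft tool. The records are constructed in the shape of the Graph signIn resource, using only the fields needed; the exact authenticationProtocol values ("deviceCode", "authenticationTransfer"), the conditionalAccessStatus values and the "QR code" method string are assumptions to verify against your own exported logs.

```python
from collections import Counter

# Constructed sign-in records in the shape of the Graph signIn resource.
# Field values are assumptions to confirm against a real export; the users,
# ids and devices are made up.
SAMPLE_SIGNINS = [
    {"id": "s1", "userPrincipalName": "alice@contoso.example",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "success",
     "deviceDetail": {"isCompliant": False, "operatingSystem": "Linux"},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"id": "s2", "userPrincipalName": "bob@contoso.example",
     "authenticationProtocol": "authenticationTransfer", "conditionalAccessStatus": "notApplied",
     "deviceDetail": {"isCompliant": True, "operatingSystem": "iOS"},
     "authenticationDetails": [{"authenticationMethod": "QR code", "succeeded": True}]},
    {"id": "s3", "userPrincipalName": "carol@contoso.example",
     "authenticationProtocol": "none", "conditionalAccessStatus": "success",
     "deviceDetail": {"isCompliant": True, "operatingSystem": "Windows"},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
    {"id": "s4", "userPrincipalName": "dave@contoso.example",
     "authenticationProtocol": "deviceCode", "conditionalAccessStatus": "failure",
     "deviceDetail": {"isCompliant": False, "operatingSystem": "Windows"},
     "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}]},
]

WATCHED = {"deviceCode", "authenticationTransfer"}


def first_method(record):
    """Authentication method of the first entry under Authentication Details."""
    details = record.get("authenticationDetails") or []
    return details[0].get("authenticationMethod") if details else None


def triage(records):
    """Count sign-ins per watched flow and flag the ones that need attention.

    Returns (counts, findings); each finding is (id, user, reason).
    """
    counts = Counter()
    findings = []
    for r in records:
        proto = r.get("authenticationProtocol", "none")
        if proto not in WATCHED:
            continue  # ordinary interactive sign-in
        counts[proto] += 1
        ca_status = r.get("conditionalAccessStatus")
        compliant = (r.get("deviceDetail") or {}).get("isCompliant", False)
        if ca_status == "notApplied":
            # The flow was used and no policy evaluated it: the gap this post closes.
            findings.append((r["id"], r["userPrincipalName"],
                             f"{proto} sign-in with no Conditional Access policy applied"))
        elif proto == "deviceCode" and ca_status == "success" and not compliant:
            findings.append((r["id"], r["userPrincipalName"],
                             "device code sign-in succeeded from a non-compliant device"))
        # ca_status == "failure" means a policy blocked it: counted, not flagged.
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_SIGNINS)
    print(dict(counts))
    for sign_in_id, user, reason in findings:
        print(sign_in_id, user, reason)
    print("transfer started with:", first_method(SAMPLE_SIGNINS[1]))
```

Run against a real export, the "notApplied" finding is the one to watch while a new authentication flows policy sits in report-only mode: once it is enforced, those entries should turn into "failure" (blocked) or "success" with a compliant device, and anything still showing "notApplied" is a flow your policy scope does not cover.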
Conclusion
In summary, managing authentication flows with Conditional Access policies in Microsoft Entra ID is essential for boosting security and providing a smooth user experience. By understanding and addressing the risks linked to Device Code Flow and Authentication Transfer, organizations can better safeguard their resources and data. Implementing Conditional Access policies enables more detailed control over authentication methods, ensuring that only compliant and secure devices gain access. Furthermore, educating users about potential vulnerabilities and enforcing multi-factor authentication further enhances security. By adhering to the outlined strategies and best practices, organizations can effectively manage authentication flows and protect their digital environments.