hunt-2025-042 | FP Rate: medium | v1.0 | by Paul Newton

General Device Code Authentication Visibility

Platform

Entra ID, Azure

Data Sources

SigninLogs

MITRE ATT&CK

Tactics

Credential Access, Initial Access

Threat Actors

Unknown

Tags

#device-code #entra #identity #oauth #token-theft

Hunt Hypothesis

Device code authentication is a legitimate OAuth 2.0 flow designed for input-constrained devices such as IoT hardware and meeting room equipment. Because completing the flow only requires a user to enter a short code into a browser on any device, threat actors abuse it to phish access and refresh tokens without ever capturing the user's credentials. Surfacing all device code authentication events, enriched with device compliance and risk context, provides the baseline visibility needed to detect this abuse.

All Device Code Authentication Events

Analytic #1

Surfaces every device code authentication from SigninLogs, enriched with country, OS, browser, device compliance, device management status, and Entra risk scores. Focus triage on unmanaged or non-compliant devices, high-risk sign-in scores, unusual applications (Azure CLI, Microsoft Graph), and unexpected geographies.

Detection Queries

KQL
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| extend
    Country         = tostring(LocationDetails.countryOrRegion),
    OS              = tostring(DeviceDetail.operatingSystem),
    Browser         = tostring(DeviceDetail.browser),
    IsCompliant     = tostring(DeviceDetail.isCompliant),
    IsManagedDevice = tostring(DeviceDetail.isManaged)
| project
    TimeGenerated,
    UserPrincipalName,
    AuthenticationProtocol,
    ResultSignature,
    IPAddress,
    Country,
    AppDisplayName,
    ResourceDisplayName,
    IsCompliant,
    IsManagedDevice,
    RiskLevelDuringSignIn,
    RiskLevelAggregated,
    UserAgent
| order by TimeGenerated desc

Triage Steps

  1. Review the AppDisplayName — high-privilege apps such as Azure CLI, Microsoft Graph, and Azure PowerShell are high-value targets and should receive priority triage
  2. Check IsManagedDevice and IsCompliant — device code auth from unmanaged or non-compliant devices is a significant red flag
  3. Review the Country and IPAddress — compare against the user's normal sign-in location and check the IP against threat intelligence
  4. Check RiskLevelDuringSignIn and RiskLevelAggregated — any medium or high risk score warrants immediate investigation
  5. Cross-reference with UrlClickEvents or EmailEvents to determine whether the authentication followed a phishing email
  6. If suspicious, revoke the user's refresh tokens immediately via Entra and investigate downstream Graph API activity
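The triage steps above can be applied mechanically to the rows the KQL query returns. The following Python script is an added example, not part of the hunt card: it filters to device code sign-ins, scores each row against steps 1 to 5, and joins it with URL click telemetry so that the analyst sees the highest-priority rows first. The scoring weights, the "high"/"medium"/"low" thresholds, the 15-minute click window, the set of expected countries and the scripted user-agent prefixes are all assumptions made for this example; the first sample event reproduces the hunt's true positive entry and the second is a constructed benign meeting-room sign-in.

```python
"""Added example (not part of the hunt card): apply the hunt's triage steps to
device code sign-in records of the shape the KQL query projects.

Records are plain dicts keyed by the projected column names.  The sample events
below are constructed; the first reproduces the hunt's true positive entry.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Apps the hunt names as high-value targets for device code phishing (step 1).
HIGH_VALUE_APPS = {"Microsoft Azure CLI", "Microsoft Graph", "Microsoft Azure PowerShell"}
# Risk levels the hunt says warrant immediate investigation (step 4).
ESCALATE_RISK = {"medium", "high"}
# Heuristic added here (not from the hunt): agents typical of scripted clients,
# motivated by the python-requests user-agent in the true positive.
SCRIPTED_AGENT_PREFIXES = ("python-requests", "curl/", "go-http-client", "okhttp")
# Assumed window in which a URL click before the sign-in counts as related (step 5).
CLICK_WINDOW = timedelta(minutes=15)


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps SigninLogs emits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_true(value) -> bool:
    """tostring() in the query yields 'true'/'false'; a missing field counts as false."""
    return str(value).strip().lower() == "true"


def triage(event: dict, expected_countries: set[str], url_clicks: list[dict]) -> dict:
    """Score one device code sign-in against the hunt's triage steps.

    Returns a dict with score, priority and the reasons that contributed.
    Weights and thresholds are assumptions for this example.
    """
    score, reasons = 0, []

    if event.get("AppDisplayName") in HIGH_VALUE_APPS:                 # step 1
        score += 2
        reasons.append(f"high-value app: {event['AppDisplayName']}")

    if not _is_true(event.get("IsManagedDevice")):                     # step 2
        score += 2
        reasons.append("unmanaged device")
    if not _is_true(event.get("IsCompliant")):
        score += 1
        reasons.append("non-compliant device")

    country = event.get("Country")                                     # step 3
    if expected_countries and country not in expected_countries:
        score += 2
        reasons.append(f"unexpected country: {country}")

    for col in ("RiskLevelDuringSignIn", "RiskLevelAggregated"):       # step 4
        level = str(event.get(col, "")).lower()
        if level in ESCALATE_RISK:
            score += 3 if level == "high" else 2
            reasons.append(f"{col}={level}")

    if str(event.get("UserAgent", "")).lower().startswith(SCRIPTED_AGENT_PREFIXES):
        score += 1
        reasons.append(f"scripted user-agent: {event['UserAgent']}")

    signin_at = _ts(event["TimeGenerated"])                            # step 5
    for click in url_clicks:
        if click["UserPrincipalName"] != event["UserPrincipalName"]:
            continue
        delta = signin_at - _ts(click["TimeGenerated"])
        if timedelta(0) <= delta <= CLICK_WINDOW:
            minutes = int(delta.total_seconds() // 60)
            score += 3
            reasons.append(f"URL click {minutes} min before sign-in: {click['Url']}")
            break

    priority = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"UserPrincipalName": event["UserPrincipalName"], "score": score,
            "priority": priority, "reasons": reasons}


def triage_events(events: list[dict], expected_countries: set[str],
                  url_clicks: list[dict]) -> list[dict]:
    """Mirror the query's filter (deviceCode only) and order rows by score, highest first."""
    results = [triage(e, expected_countries, url_clicks)
               for e in events if e.get("AuthenticationProtocol") == "deviceCode"]
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample input: the hunt's true positive row, then a benign
# meeting-room sign-in from a managed, compliant device in the expected country.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-01-15T09:24:58Z", "UserPrincipalName": "target.user@contoso.com",
     "AuthenticationProtocol": "deviceCode", "ResultSignature": "Success",
     "IPAddress": "185.220.101.47", "Country": "NL", "AppDisplayName": "Microsoft Azure CLI",
     "ResourceDisplayName": "Windows Azure Service Management API",
     "IsCompliant": "false", "IsManagedDevice": "false",
     "RiskLevelDuringSignIn": "high", "RiskLevelAggregated": "high",
     "UserAgent": "python-requests/2.28.0"},
    {"TimeGenerated": "2026-01-15T08:02:11Z", "UserPrincipalName": "room.alpha@contoso.com",
     "AuthenticationProtocol": "deviceCode", "ResultSignature": "Success",
     "IPAddress": "203.0.113.10", "Country": "GB", "AppDisplayName": "Microsoft Teams Rooms",
     "ResourceDisplayName": "Microsoft Graph", "IsCompliant": "true", "IsManagedDevice": "true",
     "RiskLevelDuringSignIn": "none", "RiskLevelAggregated": "none",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0)"},
]
# Constructed UrlClickEvents row matching the hunt's analysis (click 3 minutes earlier);
# the URL is a placeholder, not a real indicator.
SAMPLE_CLICKS = [{"UserPrincipalName": "target.user@contoso.com",
                  "TimeGenerated": "2026-01-15T09:21:58Z",
                  "Url": "https://PLACEHOLDER.workers.dev/"}]

if __name__ == "__main__":
    for r in triage_events(SAMPLE_EVENTS, {"GB"}, SAMPLE_CLICKS):
        print(r["priority"].upper(), r["score"], r["UserPrincipalName"], "; ".join(r["reasons"]))
```

Run as a script it prints the true positive first as HIGH with every triage reason listed, and the meeting-room sign-in as LOW with none. In practice the expected-country set would come from the user's sign-in history and the click list from a UrlClickEvents query over the same window, which is step 5 expressed as a join rather than a manual lookup.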

True Positive Example

Log Entry:
{
  "log_entry": {
    "TimeGenerated": "2026-01-15T09:24:58Z",
    "UserPrincipalName": "target.user@contoso.com",
    "AuthenticationProtocol": "deviceCode",
    "ResultSignature": "Success",
    "IPAddress": "185.220.101.47",
    "Country": "NL",
    "AppDisplayName": "Microsoft Azure CLI",
    "ResourceDisplayName": "Windows Azure Service Management API",
    "IsCompliant": "false",
    "IsManagedDevice": "false",
    "RiskLevelDuringSignIn": "high",
    "RiskLevelAggregated": "high",
    "UserAgent": "python-requests/2.28.0"
  }
}
Analysis:

Device code authentication to Azure CLI from a Tor exit node (NL) on a non-compliant, unmanaged device with a Python requests user-agent — strongly indicative of an attacker using a script to redeem a device code obtained through phishing. The user's email telemetry shows a click on a workers.dev phishing URL 3 minutes before the sign-in.