Policy changes for Microsoft Teams devices using device code flow authentication

First announced in February, Microsoft is rolling out a new Microsoft-managed policy to help further secure your tenants against potential threats to accounts using device code flow (DCF) authentication.

Rollout began in February and will continue until May. The policies will initially be created in report-only mode, allowing admins to review their impact before they’re enforced. You’ll have at least 45 days to evaluate and configure the policies before they’re automatically moved to the “On” state. We recommend taking action as soon as possible to create exclusion lists if you are using Android devices in shared spaces.

To ensure that admins are able to use the remote sign-in and management capabilities of DCF, global admins can create exclusion lists to exclude accounts that sign in on Android-based shared Teams devices. If exclusions aren’t set, after sign-out, devices cannot re-authenticate with DCF, which means admins will lose their ability to remotely sign in and manage devices. The screenshot below is an example of how to view the policy for your tenant in the Microsoft Entra admin center.

The exclusion lists for this policy should be created by tenants that have deployed Android-based Teams devices in shared spaces like:

• Microsoft Teams Rooms on Android front-of-room displays and consoles
• IP Phones (licensed as Teams Shared Devices)
• Panels
• Displays

Resources:

• Read this blog post to learn more about potential security threats to accounts using DCF authentication from the Microsoft Entra team: New Microsoft-managed policies to raise your identity security posture | Microsoft Community Hub
• Learn how to create exclusion lists and how to customize the Microsoft-managed policy according to the tenants’ specific needs here: Users and groups in Conditional Access policy – Microsoft Entra ID | Microsoft Learn
• View the policies list in Microsoft Entra admin center: Conditional Access – Microsoft Entra admin center