Device Code Flow Authentication Abuse
05 Device Code Flow Abuse
Query
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol == "deviceCode"
or ClientAppUsed has_any ("device code", "device_code", "Device Code")
| summarize
Count = count(),
IPs = make_set(IPAddress),
Countries = make_set(Location),
Apps = make_set(AppDisplayName),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count descExplanation
This query is designed to detect suspicious sign-ins using the "device code flow" authentication protocol, which is often exploited in phishing attacks. Here's a simple breakdown:
- Purpose: It identifies non-interactive sign-ins that use the device code flow, which can be abused by attackers to gain unauthorized access through phishing.
- Severity: The alert is marked as high severity due to the potential for abuse.
- Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-in logs.
- Frequency: The query runs every hour and looks at data from the past hour.
- Detection Logic:
- It filters sign-in logs to find entries where the authentication protocol is "deviceCode" or similar terms.
- It then summarizes the data by counting occurrences, listing unique IP addresses, countries, and applications involved, and noting the first and last times the activity was seen.
- The results are sorted by the number of occurrences.
- Alerting:
- If any suspicious activity is detected, an alert is generated with details about the user and the number of sign-ins.
- The alert includes information about the potential for phishing attacks and the misuse of refresh tokens.
- Incident Management:
- An incident is created for each alert, and similar alerts are grouped by user account to manage them efficiently.
Overall, this query helps security teams monitor and respond to potential phishing attacks that exploit the device code flow authentication method.
Details

David Alonso
Released: May 29, 2026
Tables
AADNonInteractiveUserSignInLogs
Keywords
DeviceAuthenticationProtocolMicrosoftTokenPhishingUserAccountIPAddressLocationAppNameTime
Operators
whereorhas_anysummarizecountmake_setminmaxbyextendtostringorder bydesc
Severity
HighTactics
CredentialAccessInitialAccess
Frequency: 1h
Period: 1h