Query Details

Device Code Flow Authentication Abuse

05 Device Code Flow Abuse

Query

AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where AuthenticationProtocol == "deviceCode"
   or   ClientAppUsed has_any ("device code", "device_code", "Device Code")
| summarize
    Count     = count(),
    IPs       = make_set(IPAddress),
    Countries = make_set(Location),
    Apps      = make_set(AppDisplayName),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
  by UserPrincipalName
| extend IPAddress = tostring(IPs[0])
| order by Count desc

Explanation

This query is designed to detect suspicious sign-ins using the "device code flow" authentication protocol, which is often exploited in phishing attacks. Here's a simple breakdown:

  • Purpose: It identifies non-interactive sign-ins that use the device code flow, which can be abused by attackers to gain unauthorized access through phishing.
  • Severity: The alert is marked as high severity due to the potential for abuse.
  • Data Source: It uses logs from Azure Active Directory, specifically focusing on non-interactive user sign-in logs.
  • Frequency: The query runs every hour and looks at data from the past hour.
  • Detection Logic:
    • It filters sign-in logs to find entries where the authentication protocol is "deviceCode" or similar terms.
    • It then summarizes the data by counting occurrences, listing unique IP addresses, countries, and applications involved, and noting the first and last times the activity was seen.
    • The results are sorted by the number of occurrences.
  • Alerting:
    • If any suspicious activity is detected, an alert is generated with details about the user and the number of sign-ins.
    • The alert includes information about the potential for phishing attacks and the misuse of refresh tokens.
  • Incident Management:
    • An incident is created for each alert, and similar alerts are grouped by user account to manage them efficiently.

Overall, this query helps security teams monitor and respond to potential phishing attacks that exploit the device code flow authentication method.

Details

David Alonso profile picture

David Alonso

Released: May 29, 2026

Tables

AADNonInteractiveUserSignInLogs

Keywords

DeviceAuthenticationProtocolMicrosoftTokenPhishingUserAccountIPAddressLocationAppNameTime

Operators

whereorhas_anysummarizecountmake_setminmaxbyextendtostringorder bydesc

Severity

High

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub