Discover how new Microsoft-managed policies enhance identity security.
As part of our ongoing commitment to enhance security and protect our customers from evolving cyber threats, we are excited to announce the rollout of two new Microsoft-managed Conditional Access policies designed to limit device code flow and legacy authentication flows. These policies are aligned with the secure-by-default principle of our broader Secure Future Initiative, which aims to provide robust security measures that safeguard your organization by default.
Why limit device code flow and legacy authentication?
Device code flow is a cross-device authentication flow designed for input-constrained devices (for example, devices without a keyboard or browser). Because the client that receives the tokens is not the device the user signs in on, it can be abused in phishing attacks: an attacker initiates the flow, sends the resulting user code and verification URL to the target, and once the user completes sign-in on their own device the tokens are issued to the attacker's client. Given this risk and the infrequent use of device code flow across our customer base, we are introducing a policy that blocks this flow by default for customers that have not used device code flow in the past 25 days.
Legacy authentication protocols that rely on basic authentication (a username and password sent with each request), such as POP, SMTP, IMAP, and MAPI, cannot enforce modern authentication controls like multifactor authentication (MFA), which makes them a favored target for password spray and credential-stuffing attacks. Blocking legacy authentication is a critical step in reducing the attack surface and enhancing the overall security posture of your organization.
What to expect
Starting in February 2025, we’ll begin rolling out these new policies. The policies will initially be created in report-only mode, allowing you to review their impact before they’re enforced. Once created, you’ll have at least 45 days to evaluate and configure the policies before they’re automatically moved to the "On" state.
Call to action
To ensure these policies meet your organization's needs, we recommend taking the following actions after these policies are created in your tenant:
- Review the effects and benefits of the new policies.
- Customize the policies according to your specific needs.
- Monitor the reporting and make any necessary adjustments.
- When you’re ready, move the policy to the “On” state to proactively protect your organization.
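The steps above can be scripted against Microsoft Graph. The following PowerShell is an added example written for this page, not code from Microsoft or the original post. It assumes the Microsoft.Graph and Microsoft.Graph.Beta PowerShell SDK modules are installed, that the caller holds a role that can read sign-in logs and edit Conditional Access policies, and that the managed policies appear with a "Microsoft-managed:" display-name prefix (an assumption; adjust the pattern to what your tenant shows). The 25-day window mirrors the rollout criterion stated above; the beta sign-in endpoint is used because the `authenticationProtocol` property that identifies device code sign-ins is exposed there.

```powershell
# Added example (not from the original post): review, assess and enable the
# Microsoft-managed Conditional Access policies with the Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','AuditLog.Read.All' -NoWelcome

# 1. Review: list the managed policies, their state and what each one targets.
#    State 'enabledForReportingButNotEnforced' is what the portal calls report-only.
function Get-ManagedCaPolicySummary {
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.DisplayName -like 'Microsoft-managed:*' } |   # assumed naming prefix
        ForEach-Object {
            # authenticationFlows.transferMethods is a comma-separated flag string, e.g. "deviceCodeFlow"
            $flows = [string]$_.Conditions.AuthenticationFlows.TransferMethods
            [pscustomobject]@{
                Id               = $_.Id
                Policy           = $_.DisplayName
                State            = $_.State
                TargetsDeviceCode = $flows -match 'deviceCodeFlow'
                # Legacy auth is targeted via the clientAppTypes condition (Exchange ActiveSync and "other clients").
                TargetsLegacyAuth = @($_.Conditions.ClientAppTypes) -contains 'exchangeActiveSync' -or
                                    @($_.Conditions.ClientAppTypes) -contains 'other'
            }
        }
}

# 2. Assess impact: who used device code flow or a legacy protocol in the last N days.
#    Filtering on createdDateTime is done server-side; protocol/client filtering is done
#    client-side because filter support for those properties is not assumed here.
function Get-RiskyFlowUsage {
    param([int]$Days = 25)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    # clientAppUsed values as shown in the sign-in log for basic-auth protocols (assumed list; extend as needed)
    $legacyClients = 'IMAP4','POP3','SMTP','Authenticated SMTP','MAPI Over HTTP','Exchange ActiveSync','Other clients'

    Get-MgBetaAuditLogSignIn -All -Filter "createdDateTime ge $since" |
        Where-Object {
            $_.AuthenticationProtocol -eq 'deviceCode' -or $legacyClients -contains $_.ClientAppUsed
        } |
        Group-Object UserPrincipalName, ClientAppUsed, AuthenticationProtocol |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.UserPrincipalName
                ClientApp = $first.ClientAppUsed
                Protocol  = $first.AuthenticationProtocol
                SignIns   = $_.Count
                LastSeen  = ($_.Group | Measure-Object CreatedDateTime -Maximum).Maximum
            }
        } | Sort-Object SignIns -Descending
}

# 3. Customize and monitor: exclude a break-glass group from a managed policy
#    (Microsoft-managed policies accept limited edits such as exclusions and state; this is the exclusion part).
function Add-ManagedPolicyGroupExclusion {
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [Parameter(Mandatory)][string]$GroupId
    )
    $policy  = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $current = @($policy.Conditions.Users.ExcludeGroups)
    if ($current -contains $GroupId) { return }
    $body = @{ conditions = @{ users = @{ excludeGroups = @($current + $GroupId) } } }
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -BodyParameter $body
}

# 4. Turn on: move a policy from report-only to "On" once the review shows no legitimate usage.
function Enable-ManagedCaPolicy {
    param([Parameter(Mandatory)][string]$PolicyId)
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -State 'enabled'
}

# Typical run: summarise, then check usage before deciding what to enable.
Get-ManagedCaPolicySummary | Format-Table -AutoSize
Get-RiskyFlowUsage -Days 25 | Format-Table -AutoSize
# Enable-ManagedCaPolicy -PolicyId '<policy id from the summary>'
```

Run the summary and usage report first; a device code policy that shows zero `deviceCode` sign-ins over the window is the case the rollout is designed for and can usually be enabled directly, while any `IMAP4`/`POP3`/`SMTP` entries in the legacy report identify the mailboxes and integrations that must be moved to modern authentication before that policy goes to "On".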
Learn more
For more information on these policies and how to configure them, please review the Microsoft-managed policies documentation. If you have any questions or need assistance, please create a support request through the Microsoft Entra admin center.
By proactively implementing these policies, you've taken a crucial step in fortifying your organization against evolving security threats.
Nitika Gupta
Partner Group Product Manager
Updated Mar 11, 2025
Version 4.0