Data Source: Microsoft Entra ID | Detection.FYI

Entra ID Device Code Auth with Broker Client

Jan 22, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Use Case: Identity and Access Audit Tactic: Credential Access Resources: Investigation Guide ·
Share on:

Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).

Read More
First Occurrence of Entra ID Auth via DeviceCode Protocol

Jan 22, 2025 · Domain: Cloud Data Source: Azure Data Source: Microsoft Entra ID Use Case: Identity and Access Audit Tactic: Credential Access Resources: Investigation Guide ·
Share on:

Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.

Read More