Entra ID OAuth Device Code Grant by Unusual User

Last updated 22 days ago on 2025-12-10

Created a year ago on 2024-10-14

About

Identifies when a user is observed for the first time in the last 14 days authenticating using the device code authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords.

Tags

Domain: CloudData Source: AzureData Source: Microsoft Entra IDUse Case: Identity and Access AuditTactic: Initial AccessLanguage: kuery

Severity

medium

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Phishing (T1566)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: filebeat-*logs-azure.signinlogs-*logs-azure.activitylogs-*
Related Integrations: azure(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.dataset:(azure.activitylogs or azure.signinlogs)
    and (
            azure.signinlogs.properties.authentication_protocol:deviceCode or
            azure.signinlogs.properties.original_transfer_method: "Device code flow" or
            azure.activitylogs.properties.authentication_protocol:deviceCode
        )
    and event.outcome:success

Install detection rules in Elastic Security

Detect Entra ID OAuth Device Code Grant by Unusual User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).