Blocking Device Code Flow for Teams Room Android Environments

8/28/2025

In today's identity-first security landscape, organizations must continuously evaluate and tighten their authentication methods. One such method under scrutiny is device code flow (DCF), a legacy authentication flow that, while useful in certain scenarios, can pose security risks if left unchecked. At the same time, disabling DCF tenant-wide can be inconvenient for organizations that have deployed Teams Room on Android devices (MTRA), because DCF is a convenient way to sign in to Teams on these devices and also allows remote provisioning. Fortunately, Microsoft Entra provides a powerful way to manage and restrict this flow using Conditional Access policies while excluding MTRA devices from the restriction. In this blog post, we walk through the steps to secure this legacy login method for the rest of the tenant while allowing MTRA devices to keep using DCF.
What is Device Code Flow—and Why Block It?
Device code flow is an OAuth 2.0 authentication method designed for devices with limited input capabilities (e.g., smart TVs or CLI tools). While it enables sign-in without a browser, it lacks modern security protections like phishing-resistant MFA and device compliance checks.
Microsoft recommends blocking or restricting device code flow wherever possible to bolster your security posture. If your organization doesn't rely on this flow, it's best to disable it entirely. At the same time, DCF allows Teams Room on Android devices to be provisioned remotely and offers a simple method for signing in to Teams on these devices. For MTRA devices, the DCF login screen below should be a familiar sight:
What we want to achieve in this blog post is to block DCF for the rest of the organization while still allowing Teams Room Android devices to use DCF for sign-in and remote provisioning. To begin, we first create a security group to contain all the MTRA devices in the tenant. We could create a security group in Azure AD and add all the devices manually, but a better method is an Azure AD dynamic security group that is kept up to date automatically as devices are added or removed over time. In the Entra ID admin center, go to Entra ID -> Manage -> Groups -> New Group; in the New Group window, select the "Security" group type, give the group a name and description, and select "Dynamic Device" for Membership type, as shown below:
Next, click "Edit dynamic query" to specify the device attributes that will match the MTRA devices deployed in the tenant. In the example below, the attributes matching the HP Poly family of Gen1 and Gen2 Teams Room Android devices are specified:
The Rule Syntax is as follows:

(device.deviceManufacturer -eq "Poly") and (device.deviceModel -in ["PolyStudioG62","PolyStudioX72","PolyStudioX52","PolyStudioX32","PolyStudioX70","PolyStudioX50","PolyStudioX30","PolyG7500","PolyTC10","PolyTC8"])

To verify that the attributes are matched correctly, open the newly created group and click Manage -> Members; a list of devices should appear (assuming that HP Poly MTRA devices are actually deployed in the tenant):
The next step is to create a Conditional Access policy. In the Intune (MEM) admin center, navigate to Devices -> Manage Devices -> Conditional Access and click "Create new policy":
Give the new policy a name, then under Assignments, select Users or workload identities. Under Include, select the users you want to be in scope for the policy (All users is recommended). Under Exclude, select Users and groups and choose the newly created dynamic group. Note that this exclusion list should be audited regularly to make sure it contains only the MTRA devices.
Under Target resources -> Resources -> Include, select All resources. Under Conditions -> Authentication flows, set Configure to Yes, select Device code flow, then select Done. Under Access controls -> Grant, select Block access and then select Select. Confirm your settings and set Enable policy to Report-only. Finally, select Create to create the policy.
And now the policy is created. DCF login will be blocked for all users except for Teams Room Android devices from HP Poly. Before enforcing the block, we use Report-only mode to monitor how the policy would affect users. This helps identify dependencies and avoid disruptions.
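As an added example that is not part of the original post, the Microsoft Graph request bodies corresponding to the portal steps above (the dynamic device group and the report-only policy that blocks device code flow for everyone except that group), plus an offline check of the exclusion group's members against the same rule, since the post recommends auditing that list. The group name, group id and the sample member list are constructed placeholders; submitting the payloads to Graph is left to the caller.

```python
import json

# Model list from the dynamic membership rule in the post.
POLY_MODELS = {"PolyStudioG62", "PolyStudioX72", "PolyStudioX52", "PolyStudioX32",
               "PolyStudioX70", "PolyStudioX50", "PolyStudioX30", "PolyG7500",
               "PolyTC10", "PolyTC8"}

MEMBERSHIP_RULE = ('(device.deviceManufacturer -eq "Poly") and (device.deviceModel -in ['
                   + ",".join(f'"{m}"' for m in sorted(POLY_MODELS)) + "])")


def mtra_group_payload(name: str) -> dict:
    """Body for POST /groups: a dynamic device security group using the rule above."""
    return {
        "displayName": name,
        "mailEnabled": False, "mailNickname": name.replace(" ", ""),
        "securityEnabled": True,
        "groupTypes": ["DynamicMembership"],
        "membershipRule": MEMBERSHIP_RULE,
        "membershipRuleProcessingState": "On",
    }


def dcf_block_policy(exclude_group_id: str) -> dict:
    """Body for POST /identity/conditionalAccess/policies: all users, all resources,
    device code flow blocked, MTRA group excluded, report-only until logs are reviewed."""
    return {
        "displayName": "Block device code flow (except MTRA)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exclude_group_id]},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def matches_rule(member: dict) -> bool:
    """Offline evaluation of the dynamic rule on a Graph device object
    (device resource properties 'manufacturer' and 'model')."""
    return member.get("manufacturer") == "Poly" and member.get("model") in POLY_MODELS


def audit_exclusion(members: list) -> list:
    """Display names of exclusion-group members that are not HP Poly MTRA devices,
    i.e. principals for which device code flow would stay unblocked."""
    return [m.get("displayName", "?") for m in members if not matches_rule(m)]


# Constructed sample: two room devices and a user that should not be in the group.
SAMPLE_MEMBERS = [
    {"displayName": "Room-101", "manufacturer": "Poly", "model": "PolyStudioX50"},
    {"displayName": "Room-102", "manufacturer": "Poly", "model": "PolyTC8"},
    {"displayName": "jdoe", "userPrincipalName": "jdoe@example.com"},
]

if __name__ == "__main__":
    print(json.dumps(dcf_block_policy("<mtra-group-id>"), indent=2))
    print("Non-MTRA members in exclusion group:", audit_exclusion(SAMPLE_MEMBERS))
```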

Conclusion
Blocking legacy authentication flows like device code flow is a proactive step toward a zero trust security model. With Microsoft Entra’s Conditional Access, you gain granular control over how users authenticate, ensuring only secure, compliant methods are used.
If you're not already auditing or restricting device code flow, now is the time to start.