Microsoft Teams Blog
Policy changes for Microsoft Teams devices using device code flow authentication

dimehta
Apr 01, 2025

First announced in February, Microsoft is rolling out a new Microsoft-managed policy to help further secure your tenants against potential threats to accounts using device code flow (DCF) authentication.

Rollout began in February and will continue until May. The policies will initially be created in report-only mode, allowing admins to review their impact before they’re enforced. You’ll have at least 45 days to evaluate and configure the policies before they’re automatically moved to the "On" state. We recommend taking action as soon as possible to create exclusion lists if you are using Android devices in shared spaces.

To ensure that admins are able to use the remote sign-in and management capabilities of DCF, global admins can create exclusion lists to exclude accounts that sign in on Android-based shared Teams devices. If exclusions aren't set, after sign-out, devices cannot re-authenticate with DCF, which means admins will lose their ability to remotely sign in and manage devices. The screenshot below is an example of how to view the policy for your tenant in the Microsoft Entra admin center.

[Screenshot: policy details for the tenant in the Microsoft Entra admin center]

The exclusion lists for this policy should be created by tenants that have deployed Android-based Teams devices in shared spaces like:

  • Microsoft Teams Rooms on Android front-of-room displays and consoles
  • IP Phones (licensed as Teams Shared Devices)
  • Panels
  • Displays
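
While the policy is in report-only mode, exported sign-in logs show which accounts it would block. The script below is an added example, not code from the original post or from Microsoft: it sorts blocked device code sign-ins into exclusion candidates (accounts on your shared-device inventory) and accounts to review. The sample records, account names and policy display name are constructed placeholders; field names follow the Microsoft Graph signIn resource, and `authenticationProtocol` is assumed to be present in the export.

```python
from collections import defaultdict

# Placeholder: use the display name shown for the policy in your own tenant.
POLICY_NAME = "<Microsoft-managed DCF policy display name>"

def signin(upn, protocol, result):
    """Build one constructed record holding only the fields this check reads."""
    return {
        "userPrincipalName": upn,
        "authenticationProtocol": protocol,
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": result}
        ],
    }

# Constructed sample data, not real tenant logs.
SAMPLE_SIGNINS = [
    signin("mtr-lobby@contoso.example", "deviceCode", "reportOnlyFailure"),
    signin("MTR-Lobby@contoso.example", "deviceCode", "reportOnlyFailure"),
    signin("phone-floor2@contoso.example", "deviceCode", "reportOnlyFailure"),
    signin("alice@contoso.example", "deviceCode", "reportOnlyFailure"),
    signin("bob@contoso.example", "oAuth2", "reportOnlyNotApplied"),
]
# Hypothetical inventory of resource accounts on Android-based shared Teams devices.
SHARED_DEVICE_ACCOUNTS = ["mtr-lobby@contoso.example", "phone-floor2@contoso.example"]

def dcf_impact(signins, policy_name, shared_device_accounts):
    """Return (exclude, review): per-account counts of device code sign-ins
    that the report-only policy would have blocked."""
    blocked = defaultdict(int)
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        for pol in rec.get("appliedConditionalAccessPolicies", []):
            if pol.get("displayName") == policy_name and pol.get("result") == "reportOnlyFailure":
                blocked[rec["userPrincipalName"].lower()] += 1
                break  # count each sign-in once
    shared = {a.lower() for a in shared_device_accounts}
    exclude = {u: n for u, n in blocked.items() if u in shared}
    review = {u: n for u, n in blocked.items() if u not in shared}
    return exclude, review

if __name__ == "__main__":
    exclude, review = dcf_impact(SAMPLE_SIGNINS, POLICY_NAME, SHARED_DEVICE_ACCOUNTS)
    print("Exclusion candidates:", exclude)
    print("Review before excluding:", review)
```

Accounts in the review set use device code flow but are not on the shared-device inventory, so they should be investigated rather than added to the exclusion list.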

 

Resources:

Updated Apr 01, 2025
Version 1.0
  • SteveUlrichTE

    Can it be assumed that if we do not see this preview policy in our tenant, that we have used device code flow authentication in the last 25 days, and therefore we are using device code flow authentication, and that we do not have to create an exclusion list?

  • Chris_TenAV

    "The exclusion lists for this policy should be created by tenants that have deployed Android-based Teams devices in shared spaces"
    They're not mentioned, but I take it the above also refers to Android-based MTR such as Logi Rallybar, Yealink meetingbar A30 and MeetingBoards used as resources with MTR licenses?