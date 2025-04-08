Key Takeaways: The new Microsoft managed policy blocks Device Code Flow (DCF) authentication by default for Teams devices.

This policy will help organizations mitigate phishing and token theft risks.

It will initially run in report-only mode.

Microsoft has rolled out a new Microsoft-managed Conditional Access policy in Microsoft Entra for Microsoft Teams devices. The policy targets sign-ins that use Device Code Flow (DCF) authentication and is meant to strengthen the security of the accounts that rely on it.

Device Code Flow (DCF) authentication is a method used for devices with limited input capabilities or no browser, such as conference room consoles and IP phones. The device asks the identity provider for a device code and a short user code, and displays the user code together with a verification URL. The user opens that URL on a separate device with a browser, signs in and enters the code. Meanwhile the original device polls the token endpoint with its device code, and once the user has completed sign-in, that poll returns the access and refresh tokens. The identity provider never checks that the person entering the code is the one who requested it, which is what makes the flow convenient for shared devices and also what makes it abusable.

What risks does DCF authentication pose to Microsoft Teams devices?

Microsoft has warned that Device Code Flow (DCF) poses security risks, including phishing attacks in which the attacker starts the flow themselves, sends the resulting user code to the victim under a pretext such as a Teams meeting invite, and receives the victim's tokens when the victim enters the code and signs in. Because the attacker holds the device code, the tokens go to the attacker, not to the device the victim was expecting to sign in. To mitigate these threats, Microsoft is rolling out a new policy that will automatically block DCF by default for customers who haven't used it within the past 25 days.

Initially, the new policies will be in report-only mode, meaning they won't be enforced right away but will show IT admins which sign-ins would have been blocked. Administrators will have several days to review and configure the policies before enforcement begins. To ensure a smooth rollout, especially in environments using shared Android devices that sign in with DCF, Microsoft recommends configuring exclusion lists to prevent disruptions.

“To ensure that admins are able to use the remote sign-in and management capabilities of DCF, global admins can create exclusion lists to exclude accounts that sign in on Android-based shared Teams devices. If exclusions aren’t set, after sign-out, devices cannot re-authenticate with DCF, which means admins will lose their ability to remotely sign in and manage devices,” Microsoft explained.

How to view the policy in the Microsoft Entra admin center (Image Credit: Microsoft)

Microsoft advises organizations using Android-based Teams devices in shared environments (like Teams Rooms displays, consoles, IP phones, panels, and other shared devices) to add the accounts those devices sign in with to the policy's exclusion list. This keeps the devices able to re-authenticate with DCF after a sign-out and ensures they aren't disrupted when the policy moves from report-only to enforced.
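To make the flow, the phishing variant and the policy behaviour concrete, here is a self-contained toy model of the device code exchange gated by a Conditional Access style policy. This is an added example written for this article, not Microsoft's code or the managed policy itself: the endpoint names follow the standard device authorization grant, the policy state names (enabled, enabledForReportingButNotEnforced, disabled) and the transfer-method name deviceCodeFlow are the Conditional Access vocabulary, but the policy object, the accounts, the mapping from sign-in protocol names to transfer methods, and the session handling are assumptions constructed here for illustration.

```python
"""Toy model of the OAuth 2.0 device code flow gated by a Conditional Access
style policy. Added example for this article, not Microsoft code. The policy
object, sample accounts and the protocol-to-transfer-method mapping are
constructed assumptions for illustration."""
import secrets
import string

# Sign-in log protocol names vs. the policy's transfer-method names
# (assumption: this is how the two vocabularies line up in this toy model).
PROTOCOL_TO_TRANSFER_METHOD = {"deviceCode": "deviceCodeFlow",
                               "authenticationTransfer": "authenticationTransfer"}


def managed_policy(state, exclude_users=()):
    """Constructed stand-in for a 'block device code flow' policy.
    state: 'enabled', 'enabledForReportingButNotEnforced' or 'disabled'."""
    return {"state": state, "transferMethods": {"deviceCodeFlow"},
            "excludeUsers": set(exclude_users)}


def evaluate_policy(policy, user, protocol):
    """Return 'allow', 'block' or 'reportOnlyWouldBlock' for one sign-in."""
    if policy["state"] == "disabled" or user in policy["excludeUsers"]:
        return "allow"
    if PROTOCOL_TO_TRANSFER_METHOD.get(protocol) not in policy["transferMethods"]:
        return "allow"
    if policy["state"] == "enabledForReportingButNotEnforced":
        return "reportOnlyWouldBlock"
    return "block"


class AuthServer:
    """Minimal identity provider with device-code and token endpoints."""

    def __init__(self, policy):
        self.policy = policy
        self.pending = {}       # device_code -> session dict
        self.report_log = []    # what a report-only policy would have blocked

    def device_authorization(self, client_id):
        # Step 1: the limited-input device gets a device code and a user code.
        device_code = secrets.token_hex(16)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        self.pending[device_code] = {"client_id": client_id,
                                     "user_code": user_code, "user": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device"}

    def verify_user_code(self, user_code, signed_in_user):
        # Step 2: on a browser device the user signs in and types the code.
        # Nothing ties the code to whoever requested it: that is the phishing risk.
        for session in self.pending.values():
            if session["user_code"] == user_code and session["user"] is None:
                session["user"] = signed_in_user
                return True
        return False

    def token(self, device_code):
        # Step 3: whoever holds device_code polls for the tokens. The policy is
        # evaluated on this device-code sign-in, as Conditional Access would.
        session = self.pending.get(device_code)
        if session is None:
            return {"error": "invalid_grant"}
        if session["user"] is None:
            return {"error": "authorization_pending"}
        decision = evaluate_policy(self.policy, session["user"], "deviceCode")
        del self.pending[device_code]
        if decision == "block":
            return {"error": "access_denied", "reason": "policy"}
        if decision == "reportOnlyWouldBlock":
            self.report_log.append((session["user"], "deviceCode"))
        return {"access_token": f"tok-{session['user']}-{secrets.token_hex(4)}"}


def legitimate_sign_in(server, user):
    """The user's own Teams device starts the flow and the same user completes it."""
    resp = server.device_authorization(client_id="teams-device")
    server.verify_user_code(resp["user_code"], signed_in_user=user)
    return server.token(resp["device_code"])   # the device's own poll


def phished_sign_in(server, victim):
    """Attacker starts the flow, lures the victim into entering the user code,
    and polls with the device_code only the attacker holds. The server cannot
    tell this apart from legitimate_sign_in, hence the policy-level block."""
    resp = server.device_authorization(client_id="teams-device")
    server.verify_user_code(resp["user_code"], signed_in_user=victim)
    return server.token(resp["device_code"])   # attacker's poll


if __name__ == "__main__":
    report_only = AuthServer(managed_policy("enabledForReportingButNotEnforced"))
    print(phished_sign_in(report_only, "alice@contoso.example"))   # token still issued
    print(report_only.report_log)                                   # but logged
    enforced = AuthServer(managed_policy("enabled",
                                         exclude_users=["room-lobby@contoso.example"]))
    print(phished_sign_in(enforced, "alice@contoso.example"))       # access_denied
    print(legitimate_sign_in(enforced, "room-lobby@contoso.example"))  # excluded, works
```

Running the script shows the three cases the article describes: under report-only the phished sign-in still gets a token but lands in the report log for the admin to review; under enforcement the same exchange is refused; and the excluded shared-device account continues to sign in with DCF after the policy is enforced, which is what the exclusion list is for.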

Last month, Microsoft Teams introduced several new capabilities to help businesses boost productivity in hybrid work environments. There is a new Live Chat feature that allows website visitors to chat with the customer support team in Microsoft Teams. Other updates include intelligent meeting recap support for webinars and town halls, a new Teams Rooms Pro Management portal, and more.