MODIFIED docs/identity/conditional-access/policy-teams-devices-device-code-flow.md

Modified by Anna Huff on May 28, 2026 8:53 PM
📖 View on learn.microsoft.com

+2 / -2 lines changed

Commit: Apply suggestions from PR review

Changes:

Before

After

Under **Assignments**, select **Users or workload identities**.
Under **Include**, select the users you want in scope for the policy (**All users** recommended).
Under **Exclude**:
        1. Select **Users and groups** and choose your organization's emergency access or break-glass accounts and your approved device code flow exception groups. Audit this exclusion list regularly.
Under **Target resources** > **Resources (formerly cloud apps)**:
Under **Include**, select **All resources (formerly 'All cloud apps')** unless your organization validated a narrower resource scope for the scenario.
Under **Exclude**, select **Select excluded cloud apps** and add **Device Registration Service**. This exclusion is required so device registration through device code flow isn't blocked by your policy. For more information, see [Enforcement of Authentication Flows policies on Device Registration Service resource](concept-authentication-flows.md#enforcement-of-authentication-flows-policies-on-device-registration-service-resource).
Select **Device code flow**.
Select **Done**.
Under **Access controls** > **Grant**, select **Block access**.
Select **Select**.
Confirm your settings and set **Enable policy** to **Report-only**.
Select **Create** to enable your policy.
 

Under **Assignments**, select **Users or workload identities**.
Under **Include**, select the users you want in scope for the policy (**All users** recommended).
Under **Exclude**:
        - Select **Users and groups** and choose your organization's emergency access or break-glass accounts and your approved device code flow exception groups. Audit this exclusion list regularly.
Under **Target resources** > **Resources (formerly cloud apps)**:
Under **Include**, select **All resources (formerly 'All cloud apps')** unless your organization validated a narrower resource scope for the scenario.
Under **Exclude**, select **Select excluded cloud apps** and add **Device Registration Service**. This exclusion is required so device registration through device code flow isn't blocked by your policy. For more information, see [Enforcement of Authentication Flows policies on Device Registration Service resource](concept-authentication-flows.md#enforcement-of-authentication-flows-policies-on-device-registration-service-resource).
Select **Device code flow**.
Select **Done**.
Under **Access controls** > **Grant**, select **Block access**.
    - Select **Select**.
Confirm your settings and set **Enable policy** to **Report-only**.
Select **Create** to enable your policy.
 

MODIFIED docs/identity/conditional-access/managed-policies.md

Modified by Ken Withee on May 28, 2026 8:14 PM
📖 View on learn.microsoft.com

+3 / -1 lines changed

Commit: Link MMP Block device code flow section to Teams devices guidance (AB#581861)

Changes:

Before

After

ms.service: entra-id
ms.subservice: conditional-access
ms.topic: concept-article
ms.date: 03/24/2026
ms.reviewer: swethar
ms.custom: sfi-image-nochange
---
 
Device code flow is rarely used by customers, but is frequently used by attackers. Enabling this Microsoft-managed policy for your organization helps remove this attack vector.
 
### Multifactor authentication for admins accessing Microsoft Admin portals
 
This policy covers [14 admin roles](#what-administrator-roles-are-covered-by-these-policies) that are highly privileged, who access the [Microsoft Admin Portals](policy-old-require-mfa-admin-portals.md), and requires them to perform multifactor authentication.
 
 

ms.service: entra-id
ms.subservice: conditional-access
ms.topic: concept-article
ms.date: 05/28/2026
ms.reviewer: swethar
ms.custom: sfi-image-nochange
---
 
Device code flow is rarely used by customers, but is frequently used by attackers. Enabling this Microsoft-managed policy for your organization helps remove this attack vector.
 
If your organization uses Microsoft Teams devices that require device code flow, follow the guidance in [Restrict device code flow for Microsoft Teams devices with Conditional Access](policy-teams-devices-device-code-flow.md) to scope exceptions correctly while continuing to block device code flow for other accounts.
 
### Multifactor authentication for admins accessing Microsoft Admin portals
 
This policy covers [14 admin roles](#what-administrator-roles-are-covered-by-these-policies) that are highly privileged, who access the [Microsoft Admin Portals](policy-old-require-mfa-admin-portals.md), and requires them to perform multifactor authentication.

MODIFIED docs/external-id/customers/concept-supported-features-customers.md

Modified by garrodonnell on May 28, 2026 6:36 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: Add passkey (FIDO2) to MFA methods list for external tenant

Changes:

Before

After

| Feature | Workforce tenant | External tenant |
| ------- | ---------------- | --------------- |
| Identity providers for external users (primary authentication) | For self-service sign-up guests:<ul><li>Microsoft Entra accounts</li><li>Microsoft accounts</li><li>Emailed one-time passcode</li><li>Google federation</li><li>Facebook federation</li></ul></br>For invited guests:<ul><li>Microsoft Entra accounts</li><li>Microsoft accounts</li><li>Emailed one-time passcode</li><li>Google federation</li><li>SAML/WS-Fed federation</li></ul> | For self-service sign-up users (consumers, business customers):<ul><li>[Authentication methods available in External ID](#authentication-methods-available-in-external-id)</li></ul></br>For invited guests (preview) via a directory role (for example, admins):<ul><li>Microsoft Entra accounts</li><li>Microsoft accounts</li><li>[Emailed one-time passcode](./concept-authentication-methods-customers.md#email-with-one-time-passcode-sign-in)</li><li>[SAML/WS-Fed federation](../direct-federation.md)</li></ul></br> You can invite external users for administrative purposes only. You can't use this feature to invite customers to sign in to your apps. This feature isn't compatible with customer identity and access management (CIAM) user flows. |
| Authentication methods for MFA | For internal users (employees and admins):<ul><li>[Authentication and verification methods](~/identity/authentication/overview-authentication.md)</li></ul></br>For guests (invited or self-service sign-up):<ul><li>[Authentication methods for guest MFA](../authentication-conditional-access.md#table-1-authentication-strength-mfa-methods-for-external-users)</li></ul> | For self-service sign-up users (consumers, business customers):<ul><li>[Authentication methods available in External ID](#authentication-methods-available-in-external-id)</li></ul></br>For invited users (preview):<ul><li>[Emailed one-time passcode](concept-multifactor-authentication-customers.md#email-one-time-passcode)</li><li>[SMS-based authentication](concept-multifactor-authentication-customers.md#sms-based-authentication)</li></ul> |
 
### Authentication methods available in External ID
 

| Feature | Workforce tenant | External tenant |
| ------- | ---------------- | --------------- |
| Identity providers for external users (primary authentication) | For self-service sign-up guests:<ul><li>Microsoft Entra accounts</li><li>Microsoft accounts</li><li>Emailed one-time passcode</li><li>Google federation</li><li>Facebook federation</li></ul></br>For invited guests:<ul><li>Microsoft Entra accounts</li><li>Microsoft accounts</li><li>Emailed one-time passcode</li><li>Google federation</li><li>SAML/WS-Fed federation</li></ul> | For self-service sign-up users (consumers, business customers):<ul><li>[Authentication methods available in External ID](#authentication-methods-available-in-external-id)</li></ul></br>For invited guests (preview) via a directory role (for example, admins):<ul><li>Microsoft Entra accounts</li><li>Microsoft accounts</li><li>[Emailed one-time passcode](./concept-authentication-methods-customers.md#email-with-one-time-passcode-sign-in)</li><li>[SAML/WS-Fed federation](../direct-federation.md)</li></ul></br> You can invite external users for administrative purposes only. You can't use this feature to invite customers to sign in to your apps. This feature isn't compatible with customer identity and access management (CIAM) user flows. |
| Authentication methods for MFA | For internal users (employees and admins):<ul><li>[Authentication and verification methods](~/identity/authentication/overview-authentication.md)</li></ul></br>For guests (invited or self-service sign-up):<ul><li>[Authentication methods for guest MFA](../authentication-conditional-access.md#table-1-authentication-strength-mfa-methods-for-external-users)</li></ul> | For self-service sign-up users (consumers, business customers):<ul><li>[Emailed one-time passcode](concept-multifactor-authentication-customers.md#email-one-time-passcode)</li><li>[SMS-based authentication](concept-multifactor-authentication-customers.md#sms-based-authentication)</li><li>[Passkey (FIDO2)](how-to-sign-in-with-passkey.md)</li></ul></br>For invited users (preview):<ul><li>[Emailed one-time passcode](concept-multifactor-authentication-customers.md#email-one-time-passcode)</li><li>[SMS-based authentication](concept-multifactor-authentication-customers.md#sms-based-authentication)</li></ul> |
 
### Authentication methods available in External ID
 

MODIFIED docs/security-copilot/conditional-access-agent-optimization-knowledge-base.md

Modified by Diana Richards on May 28, 2026 2:21 PM
📖 View on learn.microsoft.com

+1 / -1 lines changed

Commit: acrolinx

Changes:

Before

After

- Contractors are governed by their own policies separate from the baseline
 
If your Conditional Access strategy applies certain policies to full-time employees, describe how full-time employees are defined. For example, are these employees defined with specific user attributes or group membership? 
Be explicit. If the your person-based policy design is based on roles, provide the exact Microsoft Entra ID built-in roles. For example, say "Conditional Access Administrator" not "users with administrative privileges".
 
### Policy naming conventions

- Contractors are governed by their own policies separate from the baseline
 
If your Conditional Access strategy applies certain policies to full-time employees, describe how full-time employees are defined. For example, are these employees defined with specific user attributes or group membership? 
Be explicit. If your person-based policy design is based on roles, provide the exact Microsoft Entra ID built-in roles. For example, say "Conditional Access Administrator" not "users with administrative privileges".
 
### Policy naming conventions

📋 Microsoft Entra Documentation Changes

📊 Summary

📝 Modified Documentation Files