# Device Code Flow in the Bsure Installation Process

### What It Is <a href="#id-1-what-it-is" id="id-1-what-it-is"></a>

The **Device Code Flow** is a way of logging in to Microsoft systems when the machine you’re using doesn’t have a normal web browser.\
Instead of opening a login window, the system shows you a short code. You then go to [microsoft.com/devicelogin](https://microsoft.com/devicelogin) on your phone or computer, type in the code, and approve the login. Once you’re done, the headless system (for example, a container or the Azure web console) gets the access it needs.

Think of it like *authorizing a smart TV to use Netflix*: the TV shows you a code, you approve it on your phone, and then the TV is trusted.

***

### Where It’s Useful <a href="#id-2-where-its-useful" id="id-2-where-its-useful"></a>

* **Azure Web Console / Cloud Shell**: This environment comes with preinstalled tools (Azure CLI, PowerShell, SDKs). It can’t open login pop-ups, so Device Code Flow is the only simple way to sign in.
* **Containers and CI/CD pipelines**: Automated jobs that need secure, temporary access to Azure.
* **Headless servers or IoT devices**: Machines without a screen or browser.

***

### Why Companies Use It <a href="#id-3-why-companies-use-it" id="id-3-why-companies-use-it"></a>

* **Enables access on headless systems**: Solves the problem of “no browser available.”
* **No passwords saved**: Users don’t type credentials directly on servers or containers.
* **Built-in security**: Works with Microsoft’s MFA, Conditional Access, and compliance rules.
* **Short-lived codes**: Each login code expires within minutes.

***

### The Risks <a href="#id-4-the-risks" id="id-4-the-risks"></a>

* **Tricking users**: Someone could try to get an employee to enter a code for a malicious app.
* **Token theft**: If a server is compromised, access tokens could be stolen.
* **Overuse**: If broadly enabled, attackers could abuse it from untrusted systems.

***

### How to Reduce the Risks <a href="#id-5-how-to-reduce-the-risks" id="id-5-how-to-reduce-the-risks"></a>

#### Time-Limited Access <a href="#time-limited-access" id="time-limited-access"></a>

* Use **Conditional Access** to enforce strict rules:
  * Normally block Device Code Flow.
  * If needed, allow short exemptions (e.g., 1–4 hours).
  * Require approvals and log these exceptions.

#### Trusted Devices Only <a href="#trusted-devices-only" id="trusted-devices-only"></a>

* Employees should only log in using Device Code Flow from a **trusted, company-managed device**.
* Prevent unmanaged personal laptops or phones from being used to approve logins.

#### Extra Safety Measures <a href="#extra-safety-measures" id="extra-safety-measures"></a>

* Give access **just-in-time** — only when someone actually needs it.
* Monitor Microsoft Entra ID sign-in logs for unusual behavior.
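A review pass over Microsoft Entra ID sign-in log records for the "unusual behavior" this section points at: Device Code Flow sign-ins that fall outside an approved, time-bound exemption, or that were approved from an unmanaged device. This is an added example, not Bsure's code. The log lines are constructed in the shape of Microsoft Graph `signIn` objects and carry only the fields the check reads (`authenticationProtocol`, `deviceDetail`, `status.errorCode`); the exemption list and its (user, activation start, hours) shape are assumptions standing in for an export of PIM group activations.

```python
"""Flag Device Code Flow sign-ins that fall outside an approved exemption window
or were approved from an untrusted device (added example, not Bsure's code)."""
from datetime import datetime, timedelta
import json

# Constructed sample records in the shape of Microsoft Graph signIn objects
# (only the fields this check reads). All values are made up for illustration.
SAMPLE_SIGNINS = """\
{"id":"s1","createdDateTime":"2024-05-06T09:15:00Z","userPrincipalName":"dev1@contoso.example","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","deviceDetail":{"isCompliant":true,"isManaged":true},"status":{"errorCode":0}}
{"id":"s2","createdDateTime":"2024-05-06T13:40:00Z","userPrincipalName":"dev1@contoso.example","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","deviceDetail":{"isCompliant":true,"isManaged":true},"status":{"errorCode":0}}
{"id":"s3","createdDateTime":"2024-05-06T09:30:00Z","userPrincipalName":"dev2@contoso.example","appDisplayName":"Microsoft Azure CLI","ipAddress":"198.51.100.7","authenticationProtocol":"deviceCode","deviceDetail":{"isCompliant":false,"isManaged":false},"status":{"errorCode":0}}
{"id":"s4","createdDateTime":"2024-05-06T10:00:00Z","userPrincipalName":"dev3@contoso.example","appDisplayName":"Azure Portal","ipAddress":"203.0.113.11","authenticationProtocol":"oAuth2","deviceDetail":{"isCompliant":true,"isManaged":true},"status":{"errorCode":0}}
{"id":"s5","createdDateTime":"2024-05-06T11:05:00Z","userPrincipalName":"dev3@contoso.example","appDisplayName":"Microsoft Azure CLI","ipAddress":"192.0.2.55","authenticationProtocol":"deviceCode","deviceDetail":{"isCompliant":true,"isManaged":true},"status":{"errorCode":53003}}
"""

# Constructed exemption windows (assumed shape: user, activation start, hours),
# standing in for an export of "Device Code Flow Exception" group activations.
EXEMPTIONS = [
    ("dev1@contoso.example", "2024-05-06T09:00:00Z", 2),  # 2-hour activation
    ("dev2@contoso.example", "2024-05-06T09:00:00Z", 2),
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in Graph sign-in records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def exemption_active(upn: str, when: datetime, exemptions=EXEMPTIONS) -> bool:
    """True if the user had an active (not yet expired) exemption at that moment."""
    for user, start, hours in exemptions:
        begin = parse_ts(start)
        if user == upn and begin <= when < begin + timedelta(hours=hours):
            return True
    return False


def review_signins(lines: str, exemptions=EXEMPTIONS) -> list:
    """Return one finding per device-code sign-in that needs a second look."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue  # only Device Code Flow sign-ins are in scope here
        when = parse_ts(rec["createdDateTime"])
        upn = rec["userPrincipalName"]
        reasons = []
        if rec.get("status", {}).get("errorCode", 0) != 0:
            # Non-zero error code: the sign-in was refused (53003 is the Conditional
            # Access block code); the control worked, but the attempt is still recorded.
            reasons.append("blocked-attempt")
        else:
            if not exemption_active(upn, when, exemptions):
                reasons.append("no-active-exemption")
            device = rec.get("deviceDetail", {})
            if not (device.get("isCompliant") and device.get("isManaged")):
                reasons.append("untrusted-device")
        if reasons:
            findings.append({"id": rec["id"], "user": upn, "time": when.isoformat(),
                             "app": rec.get("appDisplayName"), "ip": rec.get("ipAddress"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_signins(SAMPLE_SIGNINS):
        print(finding)
```

On the sample data the pass reports three records: the second `dev1` sign-in (outside the two-hour window), the `dev2` sign-in (approved from a non-compliant, unmanaged device) and the refused `dev3` attempt; the first `dev1` sign-in is inside its window from a compliant device and is left alone.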

***

### Best Practice: Group-Based Temporary Access <a href="#id-6-best-practice-group-based-temporary-access" id="id-6-best-practice-group-based-temporary-access"></a>

Microsoft provides governance tools to make temporary access safer and easier to manage:

* **Use Azure AD Privileged Identity Management (PIM)**:
  * Place users who may need Device Code Flow into a dedicated security group.
  * Configure this group for **eligible, time-bound membership** rather than permanent membership.
  * Example: a developer can request 2 hours of membership in the “Device Code Flow Exception” group.
* **Tie Conditional Access policies to this group**:
  * Only members of the group can bypass the default “block Device Code Flow” policy.
  * Once their membership expires, they automatically lose access.
* **Benefits**:
  * Reduces standing privileges.
  * Provides an approval workflow for exceptions.
  * Creates an audit trail of who had access, when, and why.

This approach ensures Device Code Flow is available **only when business-justified**, and **automatically revoked** after the time window closes.
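The two Conditional Access policies that this section and the earlier "Time-Limited Access" section describe, written out as Microsoft Graph `conditionalAccessPolicy` request bodies: a default block on Device Code Flow that excludes the PIM-managed exemption group, and a compliant-device requirement for members of that group. This is an added example, not Bsure's own configuration. The group ID is a placeholder; the `authenticationFlows`/`transferMethods` condition, the `compliantDevice` control and the report-only `state` value are the Graph API names as I know them; and the `az rest` deployment command in the comment is likewise my assumption rather than a step from the page.

```python
"""Conditional Access policies for a 'block Device Code Flow by default, exempt
one PIM-managed group' design, as Microsoft Graph conditionalAccessPolicy bodies.
Added example, not Bsure's configuration."""
import json

# Placeholder: object ID of the PIM-managed "Device Code Flow Exception" security group.
EXCEPTION_GROUP_ID = "00000000-0000-0000-0000-000000000000"

# Report-only first: the policy is evaluated and logged but not enforced, so the
# exemption design can be checked in the sign-in logs before switching to "enabled".
DEFAULT_STATE = "enabledForReportingButNotEnforced"


def build_block_device_code_policy(exception_group_id: str, state: str = DEFAULT_STATE) -> dict:
    """Block every device-code sign-in except for members of the exemption group.

    Membership in that group is eligible and time-bound (PIM), so a user who has
    not activated it, or whose activation has expired, falls under the block.
    """
    return {
        "displayName": "Block Device Code Flow (PIM exemption group excluded)",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": [exception_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            # authenticationFlows condition: target only the device code transfer method
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def build_trusted_device_policy(exception_group_id: str, state: str = DEFAULT_STATE) -> dict:
    """For activated exemption members, require the sign-in to come from a compliant
    (company-managed) device rather than an unmanaged personal laptop or phone."""
    return {
        "displayName": "Device Code Flow: compliant device required for exemption group",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [exception_group_id]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def policy_json(policy: dict) -> str:
    """Serialise a policy body for a Graph request. Assumed deployment command
    (needs the Policy.ReadWrite.ConditionalAccess permission):
      az rest --method POST \\
        --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies \\
        --body @policy.json
    """
    return json.dumps(policy, indent=2)


def default_policies() -> list:
    """Both policies with the placeholder group, in the order they should be created."""
    return [build_block_device_code_policy(EXCEPTION_GROUP_ID),
            build_trusted_device_policy(EXCEPTION_GROUP_ID)]


if __name__ == "__main__":
    for policy in default_policies():
        print(policy_json(policy))
```

Create the block policy first and leave both in report-only state until the sign-in logs confirm that only activated members of the exemption group pass; only then change `state` to `enabled`. Because the exemption is an exclusion on the block policy rather than a separate allow, a user whose PIM activation has lapsed is blocked without any further change.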

***

### Why This Matters for Azure Web Console (and the Bsure Installation Process) <a href="#id-7-why-this-matters-for-azure-web-console-and-the-bsure-installation-process" id="id-7-why-this-matters-for-azure-web-console-and-the-bsure-installation-process"></a>

* The **Azure Web Console** is a perfect example of a headless environment.
* It comes with all the right tools preinstalled (CLI, PowerShell), but it cannot pop up a login window.
* Device Code Flow is the **only practical login method** there.
* When combined with **time-bound access rules, trusted devices, and group-based temporary memberships**, it stays both **useful** and **secure**.

***

### Why This Approach Works <a href="#id-8-why-this-approach-works" id="id-8-why-this-approach-works"></a>

By requiring:

* Device Code Flow to be **off by default**.
* **Short-term exemptions only**, managed through group-based temporary access.
* Use of **trusted devices**.

…companies can use Device Code Flow safely. It becomes a **special tool for special cases**, not a wide-open login method.

***

### Glossary of Key Terms <a href="#id-9-glossary-of-key-terms" id="id-9-glossary-of-key-terms"></a>

* **Headless system**: A machine without a screen or browser (e.g., server, container).
* **Conditional Access**: Microsoft’s policy engine to decide when and how users can log in.
* **Trusted device**: A company-managed, compliant computer or phone that meets security rules.
* **MFA (Multi-Factor Authentication)**: Logging in with more than one proof (like password + phone approval).
* **Token**: A digital “key” Microsoft issues that proves you’re allowed to access something.
* **Privileged Identity Management (PIM)**: Microsoft tool for granting **just-in-time, time-limited group memberships** to reduce standing privileges.
