🪲 MT.1052 - Device Code Flow showing fail but included in a policy targeting both Auth Transfer and Device Code Flow
Describe the bug
Device Code Flow test showing no conditional access policy that targets, but I have targeted both device code flow and auth transfer in the same policy to all users (excluding breakglass).
To Reproduce
Have CA above, run Maester.
Expected behavior
Test should pass, as Auth Flows counts as an OR, not an AND.
Hey @jkerai1, I am unable to repro the issue you are seeing. Here is the policy I am testing with, and the test passes successfully even when both are selected.
I believe this bug may have been fixed in an update a few weeks ago in the preview build.
Can you share the JSON for your policy if you are still having issues, so we can try to reproduce the issue?
{
  "id": "db2153a1-40a2-457f-917c-c280b204b5cd",
  "templateId": null,
  "displayName": "Block Device Code",
  "createdDateTime": "2024-02-28T00:22:50.2432777Z",
  "modifiedDateTime": "2025-10-23T02:41:26.4260669Z",
  "state": "enabled",
  "deletedDateTime": null,
  "partialEnablementStrategy": null,
  "sessionControls": null,
  "conditions": {
    "userRiskLevels": [],
    "signInRiskLevels": [],
    "clientAppTypes": [
      "all"
    ],
    "platforms": null,
    "locations": null,
    "times": null,
    "deviceStates": null,
    "devices": null,
    "clientApplications": null,
    "applications": {
      "includeApplications": [
        "All"
      ],
      "excludeApplications": [],
      "includeUserActions": [],
      "includeAuthenticationContextClassReferences": [],
      "applicationFilter": null
    },
    "users": {
      "includeUsers": [
        "All"
      ],
      "excludeUsers": [
        "e436ca15-3a39-4dcc-819e-7dbb246cd46b",
        "ceef37b7-c865-48fb-80c9-4def11201854",
        "513f3db2-044c-41be-af14-431bf88a2b3e",
        "2d79a82a-ae19-461a-a0aa-807045ec3c4e",
        "babe04c9-8340-4329-a727-a8cee0cd2b1a"
      ],
      "includeGroups": [],
      "excludeGroups": [],
      "includeRoles": [],
      "excludeRoles": [],
      "includeGuestsOrExternalUsers": null,
      "excludeGuestsOrExternalUsers": null
    },
    "authenticationFlows": {
      "transferMethods": "deviceCodeFlow,authenticationTransfer"
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "block"
    ],
    "customAuthenticationFactors": [],
    "termsOfUse": [],
    "authenticationStrength@odata.context": "https://graph.microsoft.com/beta/$metadata#identity/conditionalAccess/policies('db2153a1-40a2-457f-917c-c280b204b5cd')/grantControls/authenticationStrength/$entity",
    "authenticationStrength": null
  }
}
Ran again today, same issue.
{"CA003-Global-AttackSurfaceReduction-AnyApp-AnyPlatform-Block-AuthFlows","createdDateTime":"2025-07-14T10:13:28.9575735Z","modifiedDateTime":"2025-10-24T10:17:01.2527756Z","state":"enabled","deletedDateTime":null,"partialEnablementStrategy":null,"sessionControls":null,"conditions":{"userRiskLevels":[],"signInRiskLevels":[],"clientAppTypes":["all"],"platforms":null,"locations":null,"times":null,"deviceStates":null,"devices":null,"clientApplications":null,"applications":{"includeApplications":["All"],"excludeApplications":[],"includeUserActions":[],"includeAuthenticationContextClassReferences":[],"applicationFilter":null},"users":{"includeUsers":["All"],"excludeUsers":["fc8666d4-67ed-465e-b6bd-0b3071b79293","bd1cb258-2cdc-418b-8d52-ff7e56456d98"],"includeGroups":[],"excludeGroups":[],"includeRoles":[],"excludeRoles":[],"includeGuestsOrExternalUsers":null,"excludeGuestsOrExternalUsers":null},"authenticationFlows":{"transferMethods":"deviceCodeFlow,authenticationTransfer"}},"grantControls":{"operator":"OR","builtInControls":["block"],"customAuthenticationFactors":[],"termsOfUse":[],"authenticationStrength@odata.context":"https://graph.microsoft.com/beta/$metadata#policies/conditionalAccessPolicies('636f729c-ca4e-4401-b51d-1da51d729a29')/grantControls/authenticationStrength/$entity","authenticationStrength":null}}
Hey @jkerai1, can you try running it on the latest version (1.13.102-preview)?
Here is the command to install the latest version.
Install-Module -Name Maester -AllowPrerelease
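
The condition discussed in this thread, as an added PowerShell example (not Maester's MT.1052 implementation and not code posted by anyone in this issue): `transferMethods` holds both flows in one comma-separated string, so a check has to split it before looking for `deviceCodeFlow`. The function name `Test-BlocksDeviceCodeFlow` and the sample policies are constructed for illustration; the output compares an exact string comparison with the split-based check.

```powershell
# Added example: hypothetical helper, not Maester's MT.1052 code.
function Test-BlocksDeviceCodeFlow {
    param([Parameter(Mandatory)] [object] $Policy)

    # transferMethods is ONE comma-separated string, e.g.
    # "deviceCodeFlow,authenticationTransfer". Split it before comparing.
    $raw = [string]$Policy.conditions.authenticationFlows.transferMethods
    $methods = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Policy must be enabled, cover all users and all apps, block access,
    # and list deviceCodeFlow among its targeted authentication flows.
    return ($Policy.state -eq 'enabled') -and
           ($Policy.conditions.users.includeUsers -contains 'All') -and
           ($Policy.conditions.applications.includeApplications -contains 'All') -and
           ($Policy.grantControls.builtInControls -contains 'block') -and
           ($methods -contains 'deviceCodeFlow')
}

# Constructed sample policy (trimmed to the fields the check reads).
$template = @'
{"displayName":"NAME","state":"enabled",
 "conditions":{"users":{"includeUsers":["All"]},
               "applications":{"includeApplications":["All"]},
               "authenticationFlows":FLOWS},
 "grantControls":{"operator":"OR","builtInControls":["block"]}}
'@

# Constructed variants of the authenticationFlows condition.
$samples = [ordered]@{
    'both flows'         = '{"transferMethods":"deviceCodeFlow,authenticationTransfer"}'
    'device code only'   = '{"transferMethods":"deviceCodeFlow"}'
    'auth transfer only' = '{"transferMethods":"authenticationTransfer"}'
    'no flow condition'  = 'null'
}

foreach ($name in $samples.Keys) {
    $json = $template.Replace('NAME', $name).Replace('FLOWS', $samples[$name])
    $p = $json | ConvertFrom-Json
    [pscustomobject]@{
        Policy           = $p.displayName
        TransferMethods  = $p.conditions.authenticationFlows.transferMethods
        # Exact comparison against the whole string, shown for contrast.
        ExactStringMatch = $p.conditions.authenticationFlows.transferMethods -eq 'deviceCodeFlow'
        SplitAndMatch    = Test-BlocksDeviceCodeFlow -Policy $p
    }
}
```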