Entra Disable LID/IoT SignIn

12th May 2026

1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
2. Browse to Entra ID > Conditional Access > Policies.
3. Select New policy.
4. Under Assignments, select Users or workload identities.
    a. Under Include, select the users you want to be in-scope for the policy (all users recommended).
    b. Under Exclude: Select Users and groups and choose your organization's emergency access or break-glass accounts and any other necessary users. Audit this exclusion list regularly.
5. Under Target resources > Resources (formerly cloud apps) > Include, select the apps you want to be in-scope for the policy (All resources (formerly ‘All cloud apps’) recommended).
6. Under Conditions > Authentication Flows, set Configure to Yes.
    a. Select Device code flow.
    b. Select Done.
7. Under Access controls > Grant, select Block access.
    a. Select Select.
8. Confirm your settings and set Enable policy to Report-only.
9. Select Create to enable your policy.
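
The same policy as a single Microsoft Graph request, followed by a read-back check. This is an added example, not part of the original steps. It assumes the Microsoft.Graph.Authentication PowerShell module is installed and that the v1.0 endpoint in your tenant exposes the authenticationFlows condition; the display name is hypothetical and the group ID is a placeholder you must replace.

```powershell
# Added example: create the report-only "block device code flow" policy via Graph.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of the group holding your emergency access accounts.
$breakGlassGroupId = '<break-glass-group-object-id>'
if ($breakGlassGroupId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    throw 'Set $breakGlassGroupId to the break-glass group object ID before creating the policy.'
}

$policy = @{
    displayName = 'Block device code flow'               # hypothetical name
    state       = 'enabledForReportingButNotEnforced'    # Report-only
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications        = @{ includeApplications = @('All') }
        authenticationFlows = @{ transferMethods = 'deviceCodeFlow' }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$uri     = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
$created = Invoke-MgGraphRequest -Method POST -Uri $uri `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'

# Read the stored policy back and confirm it matches what the steps describe.
$check = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($created.id)"
$flows = [string]$check.conditions.authenticationFlows.transferMethods

if ($check.state -ne 'enabledForReportingButNotEnforced') {
    Write-Warning "Policy state is '$($check.state)', expected report-only."
}
if ($flows -notmatch 'deviceCodeFlow') {
    Write-Warning "Device code flow is not in the policy's authentication flows: '$flows'."
}
if ($check.grantControls.builtInControls -notcontains 'block') {
    Write-Warning 'Grant control is not Block access.'
}

# Record the exclusions so the list can be audited later.
"Policy $($check.id) excludes groups: $($check.conditions.users.excludeGroups -join ', ')"
"Policy $($check.id) excludes users:  $($check.conditions.users.excludeUsers -join ', ')"
```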

Require MFA to register a new Device