Device Code Authentication

The Microsoft 365 provider can use device code authentication when interactive login isn’t possible directly within the application. This is useful for environments without a web browser or where the user cannot directly interact with a login prompt.

How Device Code Authentication Works

Request Device Code

The provider requests a device code from Microsoft Entra ID

Display Code

The provider displays a message with:

A unique code
A URL where the code should be entered

User Authentication

The user visits the URL on any device with a browser and enters the code

Complete Authentication

The user authenticates in the browser

Receive Token

The provider receives an access token once authentication is complete

Prerequisites

A Microsoft Entra ID tenant
Permissions to create an app registration in your tenant

Setup

Create App Registration

Create an app registration in Microsoft Entra ID

Configure Platform

Set “Mobile and desktop applications” as platform type
Add https://login.microsoftonline.com/common/oauth2/nativeclient as a redirect URI

Add API Permissions

Navigate to “API permissions”
Click “Add a permission” and select “Microsoft Graph”
Choose “Delegated permissions” (device code flow requires delegated permissions)
Add the necessary permissions
Click “Grant admin consent”

Provider Configuration

Environment Variables (Recommended)
Terraform Configuration

export M365_TENANT_ID="00000000-0000-0000-0000-000000000000"
export M365_AUTH_METHOD="device_code"
export M365_CLIENT_ID="00000000-0000-0000-0000-000000000000"

provider "microsoft365" {
  auth_method = "device_code"
}

provider "microsoft365" {
  auth_method = "device_code"
  tenant_id   = "00000000-0000-0000-0000-000000000000"
  entra_id_options = {
    client_id = "00000000-0000-0000-0000-000000000000"
  }
}

Usage Workflow

When you run Terraform with device code authentication, you’ll see a message similar to:

To sign in, use a web browser to open the page https://microsoft.com/devicelogin 
and enter the code ABC123XYZ to authenticate.

Open Browser

Open the URL in any web browser

Enter Code

Enter the code displayed in your terminal

Continue

Terraform will continue once authentication is complete

Use Cases

Device code authentication is ideal for:

CI/CD Pipelines

CI/CD pipelines with manual intervention

No Browser Environments

Environments without a web browser

Remote Terminals

Remote terminals or SSH sessions

Limited Redirection

Scenarios where redirection to a local web server isn’t possible

Security Considerations

Important Security Notes

Device code authentication requires user interaction for each token acquisition
The default token lifetime is one hour
For automated processes, consider using client secret, certificate, or OIDC authentication instead
This authentication method grants permissions based on the authenticated user’s privileges

Troubleshooting

Code expired

If you don’t authenticate within the time limit (typically 15 minutes), you’ll need to restart the process.

Permission denied

Ensure you’ve granted admin consent for the required permissions in your app registration.

No code displayed

Verify your terminal can display output from the provider. Check that stdout is not being redirected.

Getting Started

Authentication

Configuration

Core Concepts

Guides

How Device Code Authentication Works

Prerequisites

Setup

Provider Configuration

Usage Workflow

Use Cases

CI/CD Pipelines

No Browser Environments

Remote Terminals

Limited Redirection

Security Considerations

Troubleshooting

Build docs developers (and LLMs) love

Getting Started

Authentication

Configuration

Core Concepts

Guides

​How Device Code Authentication Works

​Prerequisites

​Setup

​Provider Configuration

​Usage Workflow

​Use Cases

CI/CD Pipelines

No Browser Environments

Remote Terminals

Limited Redirection

​Security Considerations

​Troubleshooting

Build docs developers (and LLMs) love

How Device Code Authentication Works

Prerequisites

Setup

Provider Configuration

Usage Workflow

Use Cases

Security Considerations

Troubleshooting