Your Device Code Flow Alert Fires on Every az login. The Signal Is the Broker Token, Not the Prompt
Device code phishing doesn’t defeat MFA — it redirects a legitimately MFA-completed sign-in — and the naive detection drowns in legitimate CLI traffic. The durable signal is the Authentication Broker redemption and the device registration that follows, and the real fix is a Conditional Access authentication-flows block.