
M365 Identity Device Code Grant by an Unusual User (Non-Compliant Device)

Elastic Detection Rules

Summary
This rule identifies a Microsoft 365 OAuth device code grant (RequestType Cmsi:Cmsi) initiated by a user on a non-compliant device for the first time within a configurable history window, regardless of the application or target resource.

In device-code phishing campaigns, the attacker prompts the victim to complete sign-in at the genuine Microsoft endpoint while the attacker polls the token endpoint, so the victim's MFA completion satisfies MFA for the attacker's session. The rule fires when o365.audit.ExtendedProperties.RequestType equals Cmsi:Cmsi and o365.audit.DeviceProperties.Value equals False, which signals a non-compliant device. Because it is application-agnostic, it captures device-code grants against any first-party or third-party app; the history window is configurable so that only first-time occurrences within the lookback period alert.

MITRE ATT&CK mappings include T1078 with sub-technique T1078.004 (Cloud Accounts), T1566 (Phishing) with T1566.002 (Spearphishing Link), and, under Defense Evasion, T1550 (Use Alternate Authentication Material) with sub-technique T1550.001. The rule ships with investigation steps (checking UserId, DeviceProperties, ApplicationId/Target, origin networking, and related Azure AD/Graph activity) and remediation guidance (token revocation, review of device registrations, and enforcing Conditional Access to require compliant devices). It relies on Microsoft 365 audit logs and carries a medium severity with a risk score of 47.
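The rule's two filter conditions and its first-occurrence-per-user logic, run over constructed sample audit events, as an added illustration that is not part of the Elastic rule itself; the flattened field names, the sample values and the history_window_days parameter are assumptions, and the real ECS mapping of o365 documents may nest DeviceProperties differently:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events, flattened to the field names the rule description uses
# (assumption: real ECS-mapped o365 documents may nest DeviceProperties differently).
SAMPLE_EVENTS = [
    {"@timestamp": "2026-04-01T08:00:00Z", "o365.audit.UserId": "alice@example.com",
     "o365.audit.ExtendedProperties.RequestType": "Cmsi:Cmsi",
     "o365.audit.DeviceProperties.Value": "False", "o365.audit.ApplicationId": "app-a"},
    {"@timestamp": "2026-04-10T09:30:00Z", "o365.audit.UserId": "alice@example.com",
     "o365.audit.ExtendedProperties.RequestType": "Cmsi:Cmsi",
     "o365.audit.DeviceProperties.Value": "False", "o365.audit.ApplicationId": "app-b"},
    {"@timestamp": "2026-04-12T10:00:00Z", "o365.audit.UserId": "bob@example.com",
     "o365.audit.ExtendedProperties.RequestType": "Cmsi:Cmsi",
     "o365.audit.DeviceProperties.Value": "True", "o365.audit.ApplicationId": "app-a"},
    {"@timestamp": "2026-04-15T11:00:00Z", "o365.audit.UserId": "bob@example.com",
     "o365.audit.ExtendedProperties.RequestType": "OAuth2:Authorize",
     "o365.audit.DeviceProperties.Value": "False", "o365.audit.ApplicationId": "app-a"},
    {"@timestamp": "2026-05-20T12:00:00Z", "o365.audit.UserId": "bob@example.com",
     "o365.audit.ExtendedProperties.RequestType": "Cmsi:Cmsi",
     "o365.audit.DeviceProperties.Value": "False", "o365.audit.ApplicationId": "app-c"},
    {"@timestamp": "2026-06-01T07:45:00Z", "o365.audit.UserId": "alice@example.com",
     "o365.audit.ExtendedProperties.RequestType": "Cmsi:Cmsi",
     "o365.audit.DeviceProperties.Value": "False", "o365.audit.ApplicationId": "app-a"},
]

def is_noncompliant_device_code_grant(event: dict) -> bool:
    """The rule's two filter conditions: a device code grant from a non-compliant device."""
    request_type = event.get("o365.audit.ExtendedProperties.RequestType")
    compliant = str(event.get("o365.audit.DeviceProperties.Value", "")).lower()
    return request_type == "Cmsi:Cmsi" and compliant == "false"

def _ts(event: dict) -> datetime:
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def first_time_grants(events: list, history_window_days: int = 30) -> list:
    """Return (UserId, @timestamp) for each matching event whose user had no matching
    event in the preceding history window. ApplicationId is deliberately not part of
    the key, so the detection stays application-agnostic as the rule describes."""
    last_seen: dict = {}
    alerts = []
    for ev in sorted(events, key=_ts):
        if not is_noncompliant_device_code_grant(ev):
            continue  # compliant devices and other grant types never enter the history
        user, when = ev["o365.audit.UserId"], _ts(ev)
        prev = last_seen.get(user)
        if prev is None or when - prev > timedelta(days=history_window_days):
            alerts.append((user, ev["@timestamp"]))
        last_seen[user] = when
    return alerts
```

With the default 30-day window the sample set yields three alerts (alice's first grant, bob's first non-compliant grant, and alice again once her previous grant has aged out of the window); widening the window to 90 days suppresses the third.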
Categories
  • Cloud
  • Identity Management
  • Web
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078
  • T1078.004
  • T1566
  • T1566.002
  • T1550
  • T1550.001
Created: 2026-06-02