Friday, September 8, 2023

Token protection in Microsoft Entra Conditional Access


Token protection, known in the industry as token binding, reduces exposure to token-theft attacks by ensuring that an issued token is usable only from the device it was issued to. If an attacker steals a token, for example by hijacking a session or replaying a captured token, they can impersonate the victim until the token expires or is revoked. Token theft is thought to be relatively rare, but its impact can be severe.

Token protection creates a cryptographically secure tie between the token and the device it was issued to, using a key that is held on that device (the client secret). Without the client secret, the bound token is useless to whoever holds it.


This preview supports the following configurations for access to resources with Token Protection conditional access policies applied:

  • Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
  • OneDrive sync client version 22.217 or later
  • Teams native client version or later
  • Power BI desktop version 2.117.841.0 (May 2023) or later
  • Visual Studio 2022 or later when using the 'Windows authentication broker' Sign-in option
  • Office Perpetual clients aren't supported

Known limitations

  • External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.
  • The following applications don't support signing in using protected token flows, and users are blocked when accessing Exchange and SharePoint through them:
      • PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint
      • PowerQuery extension for Excel
      • Extensions to Visual Studio Code which access Exchange or SharePoint
  • The new Teams 2.1 preview client gets blocked after sign out due to a bug. This bug should be fixed in a future service update.
  • The following Windows client devices aren't supported:
      • Windows Server
      • Surface Hub
      • Windows-based Microsoft Teams Rooms (MTR) systems

Licensing requirements

  • Using this feature requires Azure AD Premium P2 licenses.

Create the Conditional Access Policy

Sign in to the Microsoft Entra admin center, open Conditional Access, and create the policy.
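The same policy can be created from PowerShell instead of the portal. The following is an added example and not part of the original post: it uses the Microsoft Graph PowerShell SDK (beta module) to create a policy scoped to a pilot group, targeting Exchange Online and SharePoint Online on Windows desktop and mobile apps, with the session control that the portal labels "Require token protection for sign-in sessions". The policy name, the pilot group and break-glass account IDs are placeholders you must replace; the two application IDs are the well-known first-party IDs for Exchange Online and SharePoint Online. It starts in report-only mode so you can review the sign-in logs before enforcing.

```powershell
# Added example (not from the original post): create the token protection
# Conditional Access policy with the Microsoft Graph PowerShell SDK (beta module).
# Assumptions: Microsoft.Graph.Beta.Identity.SignIns is installed, and the two
# placeholder IDs below are replaced with objects from your own tenant.
Import-Module Microsoft.Graph.Beta.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$PilotGroupId        = "00000000-0000-0000-0000-000000000000"  # placeholder: pilot group object ID
$BreakGlassAccountId = "11111111-1111-1111-1111-111111111111"  # placeholder: emergency access account

# Well-known first-party application IDs
$ExchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"
$SharePointOnline = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Require token protection - Exchange and SharePoint (pilot)"
    # Report-only first: affected sign-ins show up in the sign-in logs as
    # reportOnlyFailure without blocking anyone. Switch to "enabled" once the
    # pilot looks clean.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Keep B2B/external users out of the pilot group; they are not supported.
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassAccountId)
        }
        applications = @{
            includeApplications = @($ExchangeOnline, $SharePointOnline)
        }
        platforms = @{
            includePlatforms = @("windows")
        }
        # Token protection applies to desktop and mobile app sign-ins, not browsers
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # "Require token protection for sign-in sessions" in the portal
        secureSignInSession = @{
            isEnabled = $true
        }
    }
}

$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode until the sign-in logs show that only the unsupported clients listed under Known limitations are affected; then set the state to enabled.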

Token Theft Simulation

There are several ways to test this scenario; I will use the TokenTactics tool.

After downloading the tool, extract the archive and run the commands below in PowerShell.

# Set the location - I saved the extracted tool on the C drive
Set-Location C:\TokenPhish

# Allow the unsigned module to load; -Scope Process limits the change to this session
Set-ExecutionPolicy Unrestricted -Scope Process

# Import the TokenTactics module
Import-Module .\TokenTactics.psd1

# Start the device code phishing flow, impersonating the Outlook client
Get-AzureToken -Client Outlook

Share the verification URL and the device code with the target user and ask them to sign in.

Select the user account.

Sign-in is blocked.

Check the sign-in logs.
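The portal shows the blocked sign-in, but for a pilot you usually want a list of every sign-in the policy affected. The following is an added example and not part of the original post: it pulls recent sign-ins with the Microsoft Graph PowerShell SDK (beta module) and keeps those where the token protection policy produced a failure (or a reportOnlyFailure while the policy is in report-only mode). The policy name is a placeholder to match your own policy; TokenProtectionStatusDetails and AuthenticationProtocol are beta properties of the signIn resource and are assumed to be populated in your tenant.

```powershell
# Added example (not from the original post): list sign-ins blocked, or flagged
# in report-only mode, by the token protection policy.
# Assumptions: Microsoft.Graph.Beta.Reports is installed; $PolicyName matches
# the display name of your policy; the beta signIn properties used below exist.
Import-Module Microsoft.Graph.Beta.Reports

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$PolicyName = "Require token protection - Exchange and SharePoint (pilot)"  # placeholder
$Since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Server-side filter on time only: report-only outcomes are not recorded as a
# conditionalAccessStatus of 'failure', so the policy result is matched client-side.
# Keep the window short on busy tenants.
$signIns = Get-MgBetaAuditLogSignIn -All -Filter "createdDateTime ge $Since"

$hits = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $PolicyName -and
                       $_.Result -in @('failure', 'reportOnlyFailure') }
    if ($applied) {
        [pscustomobject]@{
            Time           = $s.CreatedDateTime
            User           = $s.UserPrincipalName
            App            = $s.AppDisplayName
            ClientApp      = $s.ClientAppUsed
            # deviceCode here is the signature of the phishing flow shown above
            Protocol       = $s.AuthenticationProtocol
            PolicyResult   = ($applied.Result -join ',')
            ErrorCode      = $s.Status.ErrorCode
            # bound / unbound / unknown (assumed beta property)
            SessionBinding = $s.TokenProtectionStatusDetails.SignInSessionStatus
        }
    }
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

Sign-ins from the simulation should appear with a device code protocol and an unbound session, while legitimate failures from the unsupported clients listed under Known limitations tell you which users or apps need to be excluded before the policy is switched from report-only to enabled.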

