New Conditional Access Token Theft Protection: Secure your Microsoft 365 Sign-ins

Overview

In today’s cloud-first environment, securing the authentication session matters as much as securing the credentials. Even when users sign in with strong passwords and MFA, a stolen session token lets an attacker reuse that already-authenticated session without ever presenting a credential or completing an MFA prompt.

Microsoft’s token protection for Conditional Access (sometimes called token binding) mitigates this risk by cryptographically binding sign-in tokens to a key held in the device’s TPM (Trusted Platform Module). Even if an attacker copies the token, it cannot be replayed from another device, because that device cannot prove possession of the key the token is bound to.

In this article, we’ll explore what Token Theft Protection is, its prerequisites, and how to configure it in Microsoft Entra Conditional Access.

How Token Theft Protection Works

When a user signs in on a Windows device, Microsoft Entra ID issues a Primary Refresh Token (PRT) that is used for Single Sign-On (SSO) to Microsoft 365 resources. Without binding enforcement, an attacker who copies a refresh or session token (for example through infostealer malware, a malicious browser extension, or an adversary-in-the-middle proxy) can replay it from their own machine and obtain access tokens without re-authenticating.

With token protection enabled in a Conditional Access policy:

  • The tokens issued for the sign-in session are cryptographically bound to a key stored in the device’s TPM, and the client proves possession of that key when it uses them.
  • A token presented from a different device, or by a client that cannot prove possession of the device key, does not satisfy the policy and access is denied.
  • The control only applies to supported clients and resources; clients that cannot satisfy the binding requirement are blocked rather than silently exempted, which is why the policy should be piloted in report-only mode first.

Prerequisites

Before enabling this feature, ensure :

  • Licensing: Microsoft Entra ID P1 (also included in P2).
  • Applications: currently supported for Microsoft 365 resources such as Exchange Online, SharePoint Online and Teams, and the Microsoft 365 clients (Outlook, Teams, OneDrive sync, Office desktop apps) that access them.
  • Browsers: Microsoft Edge (latest version), Google Chrome, or applications that embed WebView2.
  • Authentication: MFA enforced for the targeted accounts; token protection complements MFA rather than replacing it.
  • Target resources selection: you cannot select “All cloud apps”; you must choose specific supported apps (e.g., Exchange Online, SharePoint Online, Teams) for the session control to become available.
  • Operating system
    • Windows 10 or later (Windows 11 22H2 or later recommended).
    • Device must be Microsoft Entra joined or Microsoft Entra hybrid joined (Microsoft Entra registered devices are also supported).
    • TPM 2.0 must be present and enabled, so that the device key and the PRT can be TPM-protected.
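Before assigning devices to the policy it is worth confirming, on the endpoint itself, that each prerequisite above is actually met. The following script is an added example and is not part of the original article: it runs in an elevated PowerShell session on the Windows device being assessed. The dsregcmd field names (AzureAdJoined, TpmProtected, AzureAdPrt) are the ones the tool prints; the minimum build number (22621 = Windows 11 22H2) and the check labels are choices made for this example.

```powershell
# Added example (not from the original article): checks the token protection
# prerequisites on the local Windows device. Run elevated.
# Assumption: 22621 (Windows 11 22H2) is used as the minimum build; lower it if
# your tenant accepts Windows 10 devices.

$MinimumBuild = 22621

function Get-DsregValue {
    # dsregcmd /status prints rows such as "AzureAdJoined : YES"; return the value for $Name
    param([string[]]$StatusLines, [string]$Name)
    foreach ($line in $StatusLines) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Test-TokenProtectionReadiness {
    $status = dsregcmd /status
    $tpm    = Get-Tpm
    $build  = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $spec   = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

    # One entry per prerequisite; every value must be $true for the device to be eligible.
    # Hybrid-joined devices report AzureAdJoined : YES together with DomainJoined : YES;
    # Entra registered devices report WorkplaceJoined : YES in the user state section instead.
    $checks = [ordered]@{
        "Windows build $build >= $MinimumBuild" = ($build -ge $MinimumBuild)
        'Entra joined or hybrid joined'         = ((Get-DsregValue $status 'AzureAdJoined') -eq 'YES')
        'TPM present and ready'                 = ([bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady)
        'TPM spec version 2.0'                  = ("$spec" -like '2.0*')
        'Device key protected by TPM'           = ((Get-DsregValue $status 'TpmProtected') -eq 'YES')
        'PRT present for the current user'      = ((Get-DsregValue $status 'AzureAdPrt') -eq 'YES')
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("{0,-4} {1}" -f $state, $name)
    }
    # Return a single boolean so the result can be used in a condition or exported
    return -not (@($checks.Values) -contains $false)
}

if (Test-TokenProtectionReadiness) {
    Write-Host 'Device can satisfy the token protection session control.'
} else {
    Write-Host 'Device would be reported (report-only) or blocked (On) by the policy.'
}
```

A FAIL on "Device key protected by TPM" or "PRT present" is the one to chase first: a device that is joined but whose key lives in software (for example a VM without a vTPM) will pass the join check and still be blocked once the policy is switched on.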

Create the Conditional Access Policy

  • Sign in to the Microsoft Entra admin center: https://entra.microsoft.com
  • Go to Protection > Conditional Access > Policies > New policy.
Name your policy

Example : CA - Token Theft Protection for Microsoft 365 Apps.

Assign Users
  • Include: Users or groups to protect.
  • Exclude: Break-glass emergency accounts.
Assign Target Resources
  • Click Target resources.
  • Select Cloud apps.
  • Choose specific apps, for example:
    • Microsoft Exchange Online
    • Microsoft SharePoint Online
    • Microsoft Teams
  • Do not select “All cloud apps”: with that selection the token protection session control is greyed out.
Optional Conditions
  • Under Device platforms, include Windows (the control applies to Windows clients).
  • Optionally narrow the scope further with sign-in risk conditions or specific network locations.
Session Controls
  1. Click Session (under Access controls).
  2. Check Require token protection for sign-in sessions.
  3. Save the selection.
Deployment Mode
  • Start in Report-only mode: the policy is evaluated and its result is written to the sign-in logs, but nothing is enforced.
  • Once the sign-in logs show no unexpected report-only failures (unsupported clients, devices without a TPM-bound PRT), switch the policy to On.
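The same policy can be created from the command line, which is convenient for repeatable pilots across tenants. The script below is an added example and is not the article’s own procedure: it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules) and an account holding the Conditional Access Administrator role. The group names are placeholders for your own pilot and break-glass groups; the two application IDs are the well-known IDs of Office 365 Exchange Online and Office 365 SharePoint Online. Starting the policy in report-only corresponds to the deployment mode described above.

```powershell
# Added example (not from the original article): creates the Conditional Access
# policy described in the steps above via Microsoft Graph PowerShell, in
# report-only mode.
# Assumptions: the group display names are hypothetical placeholders; the client
# app types are left at 'all' and may need narrowing to what your tenant's
# clients currently support.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# Resolve the pilot group to include and the break-glass group to exclude (hypothetical names)
$pilotGroup      = Get-MgGroup -Filter "displayName eq 'CA-TokenProtection-Pilot'"
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'CA-BreakGlass-Accounts'"
if (-not $pilotGroup -or -not $breakGlassGroup) {
    throw 'Pilot or break-glass group not found; refusing to create a policy without an exclusion.'
}

$policy = @{
    displayName = 'CA - Token Theft Protection for Microsoft 365 Apps'
    state       = 'enabledForReportingButNotEnforced'   # Report-only; change to 'enabled' after review
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroup.Id)
            excludeGroups = @($breakGlassGroup.Id)        # never lock out the emergency accounts
        }
        applications = @{
            # Specific resources only; 'All' would make the session control unavailable
            includeApplications = @(
                '00000002-0000-0ff1-ce00-000000000000',   # Office 365 Exchange Online
                '00000003-0000-0ff1-ce00-000000000000'    # Office 365 SharePoint Online
            )
        }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('all')                          # assumption: adjust to supported client types
    }
    sessionControls = @{
        # Equivalent of "Require token protection for sign-in sessions" in the portal
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

When the pilot has been reviewed, the switch to enforcement is a single call: `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }`. Keeping the break-glass exclusion in code, with the script refusing to run when the group cannot be resolved, prevents the most common way this control locks administrators out.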

Best Practices

  • Roll out in test groups before full deployment.
  • Always exclude break-glass accounts to prevent lockout.
  • Pair with Sign-in frequency controls for maximum session security.
  • Educate users on supported devices and applications.
  • Monitor Insights and Reporting to detect unusual access attempts.
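Before moving the policy from report-only to On, you need to know which sign-ins it would have blocked and why. The script below is an added example and is not part of the original article: it reads the last seven days of sign-in logs through Microsoft Graph PowerShell (Microsoft.Graph.Reports module, AuditLog.Read.All permission), picks out the sign-ins where the token protection policy evaluated to a report-only failure, and groups them by application, client and operating system. The policy name matches the example name used earlier; the seven-day window and the grouping are choices made for this example.

```powershell
# Added example (not from the original article): reviews report-only results for
# the token protection policy in the Entra sign-in logs.
# Assumptions: the policy name below is the example name from this article; the
# 7-day window is a choice for this example.

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$PolicyName = 'CA - Token Theft Protection for Microsoft 365 Apps'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# Pull the window of sign-ins; -All follows Graph paging
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Keep only sign-ins where this policy would have blocked access (result = reportOnlyFailure)
$wouldBlock = foreach ($s in $signIns) {
    $hit = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.DisplayName -eq $PolicyName -and $_.Result -eq 'reportOnlyFailure' }
    if ($hit) {
        [pscustomobject]@{
            When      = $s.CreatedDateTime
            User      = $s.UserPrincipalName
            App       = $s.AppDisplayName
            ClientApp = $s.ClientAppUsed
            OS        = $s.DeviceDetail.OperatingSystem
            Browser   = $s.DeviceDetail.Browser
            Device    = $s.DeviceDetail.DisplayName
            TrustType = $s.DeviceDetail.TrustType   # Azure AD joined / Hybrid Azure AD joined / Azure AD registered / empty
        }
    }
}

$wouldBlock = @($wouldBlock)
Write-Host "$($wouldBlock.Count) sign-ins in the last 7 days would have been blocked by '$PolicyName'"

# Group by what failed, so unsupported clients and unmanaged devices stand out
$wouldBlock |
    Group-Object App, ClientApp, OS, TrustType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Per-user view for follow-up with the people affected
$wouldBlock |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Rows with an empty TrustType are sign-ins from devices that are not joined or registered at all; rows from a joined device with a browser or legacy client name usually point to a client that cannot present a bound token. Both are findings to resolve (or scope out of the policy) before enforcement, not reasons to add exclusions permanently.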

More details

  • Configure adaptive session lifetime policies

https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime

  • Token Protection for Sign-In Sessions

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection

https://techcommunity.microsoft.com/blog/microsoft-entra-blog/public-preview-token-protection-for-sign-in-sessions/3815756

https://officegarageitpro.medium.com/token-theft-protection-with-microsoft-entra-intune-defender-xdr-windows-5b320187f8ae

Thanks

Aymen EL JAZIRI (Microsoft MVP)

Hi, I’m Aymen El Jaziri, a passionate System Administrator and Microsoft MVP with years of hands-on experience in managing and securing modern IT infrastructures.
This blog is where I share technical guides, automation scripts, product reviews, and real-world solutions that help IT professionals simplify their day-to-day work and stay ahead in a fast-evolving cloud ecosystem.
Whether you’re here to troubleshoot an issue, improve your automation game, or learn new best practices, welcome to my blog!
Let’s build a stronger, smarter IT community together.
Feel free to connect with me on LinkedIn for more content, discussions, or collaboration opportunities.
