☁️
CTHFM: Azure
  • Welcome
  • Getting Started
    • Account Setup
      • Account Creation Instructions
  • Azure Fundamentals
    • Azure Fundamentals Overview
      • Azure Documentation
      • Azure Entra
      • Azure Hierarchy
      • Identities
      • Azure Entra Roles
      • Azure RBAC
      • Azure Licensing Overview
        • Azure Entra ID Premium Licenses Comparison
      • Azure Shared Responsibility Model
      • Azure Frameworks
      • Azure Security Services
      • Conditional Access Policies
        • How Conditional Access Policies Work
        • Benefits of Conditional Access
        • Best Practices for Conditional Access
        • Conditions for Conditional Access
        • Conditional Access Controls
        • Sign-In Risk and Identity Protection
        • Conditional Access Session Control
        • Name Locations IP Location
      • Azure Quotas
      • Azure Tokens
        • Access Tokens
        • ID Tokens
        • Refresh Tokens
          • Invalidate Refresh Tokens
        • Primary Refresh Tokens
        • Continuous Access Evaluation (CAE)
        • Token Protection: Conditional Access (Public Preview)
  • Azure CLI
    • Introduction to Azure CLI
    • Installing Azure CLI
    • CLI Commands
    • Resource Group Management
    • Creating and Managing Resources with Azure CLI
    • Managing IAM
    • Azure CLI Automation
    • Monitoring and Troubleshooting in Azure CLI
    • Azure CLI Overview
      • Azure CLI: Linux
      • Azure CLI: Windows
      • Azure CLI: MacOS
  • KQL
    • KQL Overview
      • KQL Introduction
      • Data Types
      • Quick Reference
      • Render
      • Basic Queries
  • Powershell
    • PowerShell for Azure
      • Powershell Documentation
      • Powershell Basics
      • Understanding Powershell Variables
      • Understanding Cmdlets
      • Powershell Console & ISE
      • Powershell: Entra Module
        • Module Reference & Getting Started
      • Powershell: Azure Module
        • Installation Instructions
        • Powershell Azure CLI: Windows
        • Powershell Azure CLI: Linux
        • Powershell Azure CLI: MacOS
        • Example Azure Cmdlets
  • Bicep
    • Bicep File Structure
    • Variable Types
  • Azure Logging References
    • Logging
      • Log Retention Strategies
      • Azure Log Types
      • Azure Activity Logs
        • Administrative Event Schema
        • Service Health Notification Schema
        • Resource Health
        • Alert Category
        • Autoscale
        • Security
        • Recommendation
        • Policy
      • Entra ID Logging
        • Identity Based Logs
          • Audit Logs
          • Sign-In Logs
            • AADNonInteractiveUserSignInLogs
            • AADManagedIdentitySignInLogs
            • AADServicePrincipalSignInLogs
            • First Party Sign-In Activity
          • Provisioning Logs (AADProvisioningLogs)
          • Microsoft Graph Activity
          • Identity Protection
            • Risk Detections
            • AADRiskyServicePrincipals
            • AADRiskyUsers
            • AADUserRiskEvents
            • AADServicePrincipalRiskEvents
        • Additional Entra ID Logs
      • Azure Key Vault
        • Azure Key Vault Logging Overview
      • Network Watcher
        • RBAC Permissions
        • Flow Log Types
          • NSG Flow Log Schema
          • VNET Flow Log Schema
        • Enabling Logs
          • NSG Flow Logs
          • VNET Flow Logs
        • Packet Capture
          • Packet Capture: VM
          • Packet Capture: Scale Sets
      • Compute Resources
        • Azure Monitor Agent
        • VM Insights
          • VM Insights Tables
      • Storage Accounts
        • Storage Account Logging
          • File
            • Enable StorageFileLogs
            • StorageFileLogs
          • Blob
            • Enable Blob Logging
            • StorageBlobLogs
          • Queue
            • Enable Queue Logging
            • StorageQueueLogs Table
          • Table
            • Enable Table Logging
            • StorageTableLogs Table
      • Azure App Service
        • Log Types
        • Enabling Logging
      • Azure Monitor
        • Resource Logs
          • Resource Log Top Level Documentation
        • Log Analytics Workspace
          • Setup
        • Workbooks
        • Dashboards
        • Alerts
        • Azure Monitor Documentation
      • Defender for Cloud
      • Intune
      • Sysmon
      • Purview Audit Log Schema
      • Kubernetes Audit Log (AKS)
  • Threat Hunting
    • Threat Hunting in Azure
      • Threat Hunting Introduction
      • Threat Hunting Process
        • Hypothesis Generation
        • Investigation
        • Identification
        • Resolution & Follow Up
      • Pyramid of Pain
      • Azure Threat Hunting Ideas
      • Hands On Threat Hunting Examples
      • OSINT Feeds
  • Sigma
    • Sigma Rule Structure
  • Microsoft Defender TI
    • Microsoft Defender Threat Intelligence
      • Data Sets
      • Reputational Scoring
      • Analyst Insights
      • Microsoft Defender TI: Copilot Integration
  • MITRE Att&ck
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Data Sources
      • MITRE Att&ck Mitigations
      • MITRE Att&ck: Azure
        • MITRE Att&CK: Azure Security Control Mapping
  • Microsoft Resources
    • Microsoft Incident Response Ninja Hub
    • Microsoft Defender XDR Ninja Hub
  • Azure Threat Research Matrix (ATRM)
  • Security Research & Resources
    • Azure Goat
    • Azure Security Research
      • Azure Related CVEs
  • Defender XDR
    • Defender XDR Overview
    • Defender XDR Licensing
    • Defender XDR Default Retention
    • Defender XDR Advanced Hunting Table Schemas
    • Automated Response Requirements
    • Supported Response Actions
  • Azure Sentinel
    • Sentinel Overview
    • Azure Sentinel Deployments
    • Supported Data
    • Workbook, Playbook, Notebook Comparison
    • Sentinel Workbooks
    • Entities
    • User and Entity Behavior Analytics
    • Anomaly Detection
    • Mult-Stage Attack Detection
    • Sentinel: Az CLI
  • Microsoft Defender
    • Microsoft Defender for Cloud References
    • Defender for Cloud: Az CLI
  • Azure Policy
    • Azure Policy
    • Azure Policy Components
    • Azure Policy Rules
    • Scope Azure Policy
    • Policy Assignments
    • Policy Effect
    • Initiative Definition
    • Policy Parameters
    • Remediation Task Structure
    • Use Cases for Azure Policy
    • Azure Policy: Az CLI
  • Intune
    • Intune Overview
    • Intune Licensing
    • Intune API Permission Scopes
    • Intune Sample Script Resources
  • Intune Logging
    • Configure Logging
    • Logging Schema References
    • Intune Queries and Resources
  • Windows Host Security
    • Windows System Architecture and OS Fundamentals
    • SysInternals
    • Basic vs Advanced Security Auditing
    • Sysmon
  • Adversary Emulation
    • AzureHound
    • AADInternals
      • Install
    • RoadTools
      • Install
    • Oh365UserFinder
    • GraphRunner
  • Incident Response
    • Incident Response
      • Azure IR Program Development Cheat Sheet
      • Azure IR Playbooks (MS Guidance)
      • Ransomware (MS Guidance)
  • Automation
    • Automation Overview
    • Logic Apps
      • How Logic Apps Work
      • Logic App Types
      • Triggers
      • Connectors
      • Conditional Logic and Control Flow
      • APIs in Logic Apps
      • Handling Large Workflows with Stateful Logic Apps
      • External Service Integration
      • Securing, Managing, and Scaling Azure Logic Apps
      • Logic Apps: Az CLI
  • Packet Analysis
    • Wireshark Cheatsheet
    • TShark Cheatsheet
    • TCPDUMP Cheatsheet
    • Protocol Analysis Basics
    • HTTP Response Code Cheatsheet
    • RFC Protocol Mappings
    • PCAP Acquisition
  • Detection Lab
    • Detection Lab Introduction
    • Account Creation Instructions
    • Enable MFA Within Azure Tenant
    • Create an Azure Admin With Cloud Shell
    • Setup and Install Instructions
  • VSCode and Code Setup
  • Deploying Code
  • Enabling Logs for Log Analytics Workspace
  • Logging Into Windows VM
  • Verifying Logs in Log Analytics Workspace
  • Creating Detections: Azure Monitor
  • Cost Management: Billing Alarms
Powered by GitBook
On this page
  • Overview
  • How Token Protection Works:
  • Preview Status and Availability
  • Recent Changes to Token Protection
  • Requirements for Token Protection
  • Known Limitations
  • Licensing Requirements
  • Deployment Recommendations
  • Creating a Conditional Access Policy
  • Monitoring and Enforcement
  1. Azure Fundamentals
  2. Azure Fundamentals Overview
  3. Azure Tokens

Token Protection: Conditional Access (Public Preview)

Overview

Token protection is a Conditional Access feature currently in public preview in Microsoft Entra ID, also known as token binding. Its main purpose is to reduce the impact of token theft attacks by ensuring that a token can only be used by the device it was intended for. Token theft can occur through hijacking or replay attacks, where an attacker gains access to the token and can impersonate the victim until the token either expires or is revoked. Although token theft is relatively uncommon, the damage it can cause is significant, which makes preventive measures like token protection crucial.

How Token Protection Works:

Token protection uses a cryptographically secure mechanism to bind a token to a specific device, creating what is called a client secret. When a device, such as one running Windows 10 or later, is registered with Microsoft Entra ID, its primary identity is bound to the device itself. This ensures that only the tokens that are tied to the device, known as Primary Refresh Tokens (PRTs), can be used by applications to access resources. The client secret is essential—without it, the token becomes useless. Essentially, this prevents attackers from using stolen tokens on other devices, as they would need access to the original device's client secret.

Preview Status and Availability

Token protection is currently in public preview, which means it is available for testing but may still be subject to changes before its general availability. As part of the preview, administrators have the ability to create Conditional Access policies that require token protection for sign-in tokens (refresh tokens) specifically for some Microsoft 365 services, such as Exchange Online and SharePoint Online. This feature is available for use in desktop applications on Windows devices.

Recent Changes to Token Protection

As part of the public preview, several changes have been made since its initial release. In late June 2023, the terminology used in sign-in logs was updated—specifically, the string used for "enforcedSessionControls" and "sessionControlsNotSatisfied" was changed from "Binding" to "SignInTokenProtection." This change affects queries on sign-in log data, which need to be updated accordingly to reflect the new terminology.

Requirements for Token Protection

To use token protection with Conditional Access, there are certain requirements for both devices and applications. The supported configurations include:

  • Windows 10 or newer devices that are either Microsoft Entra joined, hybrid joined, or Microsoft Entra registered.

  • Specific versions of key client applications are also required, including:

    • OneDrive sync client version 22.217 or later.

    • Teams native client version 1.6.00.1331 or later.

    • Power BI desktop version 2.117.841.0 or later.

    • Visual Studio 2022 or newer when using the "Windows authentication broker" for sign-in.

    • Office Perpetual clients are not supported.

Known Limitations

There are a number of known limitations for token protection in this preview:

  • External users (e.g., Microsoft Entra B2B users) are not supported and should not be included in Conditional Access policies requiring token protection.

  • Certain applications do not support signing in using token protection, which will result in users being blocked when trying to access Exchange Online or SharePoint Online. Examples include:

    • PowerShell modules that access Exchange, SharePoint, or Microsoft Graph scopes managed by Exchange or SharePoint.

    • PowerQuery extension for Excel.

    • Extensions to Visual Studio Code that access Exchange or SharePoint.

    • The new Teams 2.1 preview client has a known bug that causes it to be blocked after sign-out, which will be fixed in a future update.

  • Unsupported Windows client devices include Windows Server, Surface Hub, and Windows-based Microsoft Teams Rooms (MTR) systems.

Licensing Requirements

To use token protection, an organization must have Microsoft Entra ID P2 licenses. This feature is part of Microsoft Entra ID Protection and will remain tied to the P2 license once it becomes generally available. For more information, organizations can compare available features of Microsoft Entra ID to determine the right licensing for their needs.

Deployment Recommendations

Deploying token protection should be smooth for users when they are using compatible devices and applications. However, to avoid disruptions due to incompatibility, Microsoft recommends the following deployment approach:

  1. Start with a pilot group: Begin with a smaller group of users to verify compatibility and functionality.

  2. Report-only mode: Initially create a Conditional Access policy in report-only mode, which allows administrators to monitor its impact without enforcement.

  3. Log monitoring: Capture both interactive and non-interactive sign-in logs, and analyze them for a sufficient period to identify any potential issues.

  4. Expand gradually: Once the pilot is successful, expand the scope of the policy to include additional users.

  5. Known good users: Add users that have been verified for compatibility to the enforcement policy to ensure minimal issues.

This incremental approach helps to mitigate the risk of any application or device incompatibility when enforcing token protection.

Creating a Conditional Access Policy

To create a Conditional Access policy that enforces token protection for Exchange Online and SharePoint Online on Windows devices:

  1. Sign in to the Microsoft Entra admin center as a Conditional Access Administrator.

  2. Navigate to Protection > Conditional Access > Policies.

  3. Select New policy and give it a meaningful name. Microsoft recommends creating a naming standard for policies for better management.

  4. Under Assignments, specify which users or groups the policy applies to, and explicitly exclude emergency access accounts (e.g., "break-glass" accounts).

  5. Under Target resources, select Office 365 Exchange Online and Office 365 SharePoint Online. Do not select the broader Office 365 application group, as this may result in unintended failures.

  6. Configure conditions for Device platforms to apply the policy to Windows devices and set Client apps to only apply to mobile apps and desktop clients.

  7. Under Access controls, select Require token protection for sign-in sessions and save the policy in report-only mode.

  8. Once confident with the results of report-only mode, administrators can move the policy to enabled mode to start enforcement.

Monitoring and Enforcement

After deploying a Conditional Access policy with token protection, it is essential to monitor its enforcement:

  • Use the Microsoft Entra sign-in logs to verify if the token protection policy is being applied as intended. Navigate to Identity > Monitoring & health > Sign-in logs in the Microsoft Entra admin center, and look for specific entries to confirm that the policy requirements have been satisfied.

  • Use Log Analytics to perform more advanced queries on interactive and non-interactive sign-in logs, which helps identify blocked requests and ensure that legitimate users are not impacted.

    • For example, queries can be used to examine blocked versus allowed requests based on the application or by individual users.

    • The syntax for these queries includes selecting specific log data, filtering by the applications (e.g., Exchange Online and SharePoint Online), and extending session control attributes to determine whether the policy requirements were met.

Administrators are encouraged to run these monitoring activities before and after the policy is enforced to assess its impact on users and applications.

Last updated 6 months ago