Token protection reduces the attack surface by binding a sign-in token to the device it was issued to. This protects against token replay, where an attacker steals a valid token and uses it to gain unauthorised access without having to complete any further authentication.
Microsoft have recently released a new Conditional Access policy control so companies can start protecting against this attack technique. Please note that it is currently in preview and not yet fully featured.
Known limitations
External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.
The following applications don't support signing in using protected token flows, so users of these applications are blocked when accessing Exchange and SharePoint:
Power BI Desktop client
PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint
PowerQuery extension for Excel
Extensions to Visual Studio Code which access Exchange or SharePoint
Visual Studio
The following Windows client devices aren't supported:
Windows Server
Surface Hub
Requirements
This preview supports the following configurations:
Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
OneDrive sync client version 22.217 or later
Teams native client version 1.6.00.1331 or later
Office Perpetual clients aren't supported
Supported Applications in current Preview
Office 365 Exchange Online
Office 365 SharePoint Online
Let's create a 'Report Only' Conditional Access Policy
Pre-requisites
Create a new Security Group suitably named for this new test e.g. 'Token Protection Policy'.
Under Conditional Access policies, click 'New'. Give the policy a name e.g. 'Token Protection Policy'. Click on Users (under Assignments), click 'Select users and groups' and choose the test group you created earlier.
Under Cloud apps or actions, click 'Select apps' and choose 'Office 365 Exchange Online' and 'Office 365 SharePoint Online'.
Under 'Conditions' > 'Device Platforms', click 'Yes' under Configure, then ensure only 'Windows' is ticked.
Under 'Conditions' > 'Client apps', click 'Yes' under Configure and then ensure only 'Mobile apps and desktop clients' is ticked.
Under 'Sessions', tick 'Require token protection for sign-in sessions (Preview)' then click 'Select'.
Final steps:
Under 'Enable policy' leave the default option of Report-only and click 'Create'. Starting in report-only mode is always good practice: it protects you against any accidental misconfiguration locking users out, and it lets you monitor the sign-in logs for a few days to check for any unexpected blocks before the policy is enforced.
Once you're confident everything is working as expected, change the policy to 'On', and add more users to the security group as needed.
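The same policy expressed as a Microsoft Graph (beta) conditionalAccessPolicy request body, with a check for the preview limitations listed above. This is an added example, not Microsoft's code or the original post's; GROUP_ID is a placeholder for the test security group, and the token protection control is assumed to be the beta schema's secureSignInSession setting.

```python
"""Build and sanity-check the report-only token protection policy as a
Graph beta conditionalAccessPolicy body (added example, not Microsoft's code)."""
import json

# Well-known first-party application IDs for the two supported workloads.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder: 'Token Protection Policy' group


def build_policy(group_id: str, report_only: bool = True) -> dict:
    """Mirror the portal steps: test group, Exchange + SharePoint, Windows only,
    mobile/desktop clients only, token protection session control, report-only."""
    return {
        "displayName": "Token Protection Policy",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": [group_id]},
            "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
            "platforms": {"includePlatforms": ["windows"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "sessionControls": {"secureSignInSession": {"isEnabled": True}},  # assumed beta control name
    }


def check_policy(policy: dict) -> list[str]:
    """Return the preview limitations the policy violates (empty list means it is OK)."""
    problems = []
    cond = policy["conditions"]
    if cond.get("platforms", {}).get("includePlatforms") != ["windows"]:
        problems.append("scope to Windows only: other platforms are not supported in preview")
    if cond.get("clientAppTypes") != ["mobileAppsAndDesktopClients"]:
        problems.append("scope to mobile apps and desktop clients only")
    if "GuestsOrExternalUsers" in cond["users"].get("includeUsers", []):
        problems.append("external (B2B) users are not supported and must not be included")
    if set(cond["applications"]["includeApplications"]) - {EXCHANGE_ONLINE, SHAREPOINT_ONLINE}:
        problems.append("only Exchange Online and SharePoint Online are supported in preview")
    if not policy.get("sessionControls", {}).get("secureSignInSession", {}).get("isEnabled"):
        problems.append("token protection session control is not enabled")
    return problems


if __name__ == "__main__":
    body = build_policy(GROUP_ID)
    assert not check_policy(body)
    # POST this body to https://graph.microsoft.com/beta/identity/conditionalAccess/policies
    # with an app or user token holding Policy.ReadWrite.ConditionalAccess.
    print(json.dumps(body, indent=2))
```

Switching `report_only=False` produces the enforced policy for the step above, once the report-only logs look clean.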