CA-10HighEnhanced Security

Enable Token Protection

Conditional Access control for Microsoft 365 and Entra ID

Why This Control Matters

Stolen tokens can be replayed from any device or location. Token protection binds tokens to specific devices, making stolen tokens useless. This is the primary defense against token theft attacks.

Expected State

When this control is compliant, your tenant should meet these criteria:

1Token binding is enabled for sensitive applications
2Refresh token protection is configured
3Sign-in frequency controls complement token protection

Enforcement

Default Mode

Advisory

Alerts on deviations but does not make changes

Auto-Remediation

Available

Creates Conditional Access policy with token protection session controls

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.