CA-10: Enabling Token Protection (Token Binding)

Overview

This guide walks you through enabling token protection in Conditional Access. Token protection binds authentication tokens to specific devices, rendering stolen tokens useless if replayed from a different device. This is a critical defense against token theft attacks.

Control ID: CA-10 Category: Conditional Access Severity: High License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)

Why This Matters

Token theft is one of the most dangerous attack vectors:

  • Pass-the-token attacks - Attackers steal session tokens and replay them from their own devices
  • Adversary-in-the-middle - Phishing proxies capture tokens during legitimate sign-in
  • Token export - Malware extracts tokens from compromised devices
  • Long token lifetime - Refresh tokens can be valid for 90 days

Token protection cryptographically binds tokens to the device that requested them. Even if an attacker steals a token, they cannot use it from a different device.


Prerequisites

Required Roles

You need one of the following Entra ID roles:

  • Conditional Access Administrator (recommended)
  • Security Administrator
  • Global Administrator

Required Licenses

  • Microsoft Entra ID P1 or higher
  • Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2

Pre-Configuration Requirements

Before enabling token protection:

  1. Supported platforms - Windows 10+ devices are required
  2. Entra ID joined or registered devices - Devices must have identity with Entra ID
  3. Supported applications - Currently limited to specific Microsoft applications
  4. Test environment - Token protection is still being rolled out

Time Estimate

TaskDuration
Policy creation15 minutes
Testing1-2 hours
Rollout (phased)1-2 weeks
Total1-2 weeks for full deployment

Understanding Token Protection

How Token Protection Works

Normal Token Flow (Vulnerable):
1. User authenticates on Device A
2. Token issued (not bound to device)
3. Attacker steals token
4. Attacker uses token from Device B
5. Access GRANTED (token valid)

Token Protection Flow (Protected):
1. User authenticates on Device A
2. Token issued (cryptographically bound to Device A)
3. Attacker steals token
4. Attacker uses token from Device B
5. Access DENIED (device mismatch)

Technical Implementation

Token protection uses:

  • TPM-based key binding - Tokens are bound to a key in the device's TPM
  • Primary Refresh Token (PRT) - Leverages existing PRT infrastructure
  • Cryptographic proof - Each token request includes proof of device possession

Currently Supported Scenarios

Supported Platforms:

  • Windows 10 and later (Entra ID joined or registered)
  • macOS (preview)

Supported Applications:

  • Exchange Online
  • SharePoint Online
  • Microsoft Teams
  • Other Microsoft 365 applications (expanding)

Not Yet Supported:

  • iOS and Android devices
  • Third-party SaaS applications
  • Browser-only scenarios without registered device

Step-by-Step Instructions

Part 1: Verify Device Requirements

Before enabling token protection, ensure devices meet requirements.

Step 1: Check Device Registration Status

  1. On Windows devices, open Command Prompt
  2. Run: dsregcmd /status
  3. Verify:
    • AzureAdJoined : YES (for Entra ID joined)
    • Or WorkplaceJoined : YES (for Entra ID registered)
    • KeySignTest : Passed (indicates TPM available)

Step 2: Verify TPM Availability

  1. Open Device Manager
  2. Expand Security devices
  3. Verify Trusted Platform Module 2.0 is present
  4. Or run in PowerShell: Get-Tpm

Part 2: Create Token Protection Policy

Step 1: Navigate to Conditional Access

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Protection > Conditional Access > Policies

Step 2: Create a New Policy

  1. Click + New policy
  2. Enter a name: Require Token Protection for Sensitive Apps

Step 3: Configure Users and Groups

  1. Under Assignments, click Users
  2. Under Include, you have options:

Option A - All Users (recommended for broad protection):

  • Select All users
  • Exclude: Emergency access accounts

Option B - Pilot Group:

  • Select Select users and groups
  • Choose a pilot group
  • Exclude: Emergency access accounts

Step 4: Configure Target Resources

  1. Under Target resources, click Cloud apps
  2. Under Include, select Select apps
  3. Add sensitive applications:
    • Office 365 Exchange Online
    • Office 365 SharePoint Online
    • Microsoft Teams

Note: Token protection currently works best with Microsoft 365 apps.

Step 5: Configure Session Controls

  1. Under Session, click to expand
  2. Check Require token protection for sign-in sessions
  3. This enables enforcement of token binding

Step 6: Configure Grant Controls (Optional)

You can combine token protection with other requirements:

  1. Under Grant, click to expand
  2. Select Grant access
  3. Optionally add:
    • Require multifactor authentication
    • Require device to be marked as compliant

Step 7: Enable the Policy

Recommended approach:

  1. Under Enable policy, select Report-only
  2. Click Create
  3. Monitor for 1-2 weeks
  4. Review sign-in logs for token protection status
  5. Once validated, change to On

Part 3: Monitor Token Protection

View Token Protection Status in Sign-In Logs

  1. Navigate to Entra admin center > Monitoring > Sign-in logs
  2. Click on a sign-in entry
  3. Look for Token protection in the details:
    • Enforced - Token protection was applied
    • Not enforced - Token protection not applied (device or app not supported)

View in Conditional Access

  1. In the sign-in log entry, click Conditional Access tab
  2. Your token protection policy should appear
  3. Check if it was applied or why it wasn't

Token Protection Scenarios

Scenario 1: Protect High-Value Data

Goal: Require token protection for access to sensitive SharePoint sites.

Configuration:

Policy: Token Protection for Sensitive Data
Users: All users
Cloud Apps: SharePoint Online
Session: Require token protection for sign-in sessions
Grant: Require MFA + Require compliant device

Scenario 2: Admin Token Protection

Goal: Ensure admin tokens cannot be stolen and replayed.

Configuration:

Policy: Admin Token Protection
Users: Directory roles (all admin roles)
Cloud Apps: All cloud apps
Session: Require token protection for sign-in sessions
Grant: Require MFA + Require compliant device

Scenario 3: Combine with Sign-In Frequency

Goal: Limit token lifetime AND enforce binding.

Configuration:

Policy: Enhanced Token Security
Users: All users
Cloud Apps: Office 365
Session:
  - Sign-in frequency: 8 hours
  - Require token protection for sign-in sessions

Verification Checklist

After enabling token protection, verify:

Policy Verification

  • Policy appears in Conditional Access with status "On" or "Report-only"
  • Token protection session control is enabled
  • Correct apps are targeted
  • Emergency access accounts are excluded

Device Verification

  • Test device is Entra ID joined or registered
  • TPM is available and functional
  • PRT is valid (check with dsregcmd /status)

Sign-In Log Verification

  1. User signs in from a compliant device
  2. Check sign-in log entry
  3. Verify "Token protection: Enforced" is shown

Negative Test

  1. User signs in from an unsupported platform
  2. Verify policy behavior (may be not applied vs. blocked)
  3. Document any access granted without token protection

Troubleshooting

Token Protection Not Enforced

Symptom: Sign-in logs show "Token protection: Not enforced"

Solutions:

  1. Verify device is Entra ID joined/registered
  2. Check TPM status with dsregcmd /status
  3. Ensure the application supports token protection
  4. Check if user is on a supported platform (Windows 10+)
  5. Try signing out and back in to get new tokens

PRT Issues

Symptom: Device cannot obtain or use PRT.

Solutions:

  1. Run dsregcmd /debug for detailed diagnostics
  2. Check KeySignTest status - should be "Passed"
  3. Verify device is properly joined: dsregcmd /forcerecovery
  4. Re-register the device if needed

Application Not Supported

Symptom: Certain apps don't show token protection enforced.

Solutions:

  1. Token protection is expanding but not all apps support it
  2. Check Microsoft documentation for current supported apps
  3. Focus on Microsoft 365 apps initially
  4. Third-party apps may not support token binding

Users Blocked Unexpectedly

Symptom: Users on supported devices are being blocked.

Solutions:

  1. Check if the policy is set to block (vs. report-only)
  2. Verify no conflicting policies
  3. Check device registration status
  4. Review grant controls - may be blocking for other reasons

Mobile Device Access Issues

Symptom: iOS/Android users cannot access apps.

Solutions:

  1. Token protection is not yet available for mobile
  2. Exclude mobile platforms from token protection policies
  3. Or create separate policies for mobile with different controls

Policy Configuration Summary

Basic Token Protection Policy

SettingValue
Policy NameRequire Token Protection for Sensitive Apps
Users - IncludeAll users
Users - ExcludeEmergency access accounts
Cloud AppsOffice 365 / Microsoft 365 apps
SessionRequire token protection for sign-in sessions
GrantGrant access (optional: require MFA)
Enable PolicyOn

Admin Token Protection Policy

SettingValue
Policy NameAdmin Token Protection
Users - IncludeDirectory roles (all admin roles)
Users - ExcludeEmergency access accounts
Cloud AppsAll cloud apps
ConditionsDevice platforms: Windows
SessionRequire token protection
GrantRequire MFA + Require compliant device
Enable PolicyOn

Best Practices

Phased Rollout

  1. Week 1: Enable in Report-only mode for all users
  2. Week 2: Review logs, identify issues
  3. Week 3: Enable for IT/security team
  4. Week 4: Enable for pilot group
  5. Week 5+: Gradual rollout to all users

Combine with Other Controls

Token protection is most effective when combined with:

  • MFA - Prevents initial compromise
  • Device compliance - Ensures device health
  • Sign-in frequency - Limits token lifetime
  • CAE - Enables real-time revocation

Platform Considerations

  • Windows: Full support on Entra ID joined/registered devices
  • macOS: Preview support (check current status)
  • Mobile: Not yet supported - use app protection policies instead

Complementary Technologies

Continuous Access Evaluation (CAE)

While token protection prevents token replay, CAE enables:

  • Real-time token revocation
  • Critical event response (user disabled, password changed)
  • Location policy enforcement

Use both for comprehensive token security.

Sign-In Frequency

Token protection prevents replay, but sign-in frequency limits:

  • How long tokens remain valid
  • How often users must re-authenticate

Combine for defense in depth.


Related Controls

  • PA-07: Enable Continuous Access Evaluation (real-time revocation)
  • CA-11: Enforce Session Lifetime Limits (sign-in frequency)
  • CA-07: Session Controls (comprehensive session management)
  • DV-01: Require Compliant Devices (device health)

Additional Resources