CA-10: Enabling Token Protection (Token Binding)
Overview
This guide walks you through enabling token protection in Conditional Access. Token protection binds authentication tokens to specific devices, rendering stolen tokens useless if replayed from a different device. This is a critical defense against token theft attacks.
Control ID: CA-10 Category: Conditional Access Severity: High License Required: Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, E5)
Why This Matters
Token theft is one of the most dangerous attack vectors:
- Pass-the-token attacks - Attackers steal session tokens and replay them from their own devices
- Adversary-in-the-middle - Phishing proxies capture tokens during legitimate sign-in
- Token export - Malware extracts tokens from compromised devices
- Long token lifetime - Refresh tokens can be valid for 90 days
Token protection cryptographically binds tokens to the device that requested them. Even if an attacker steals a token, they cannot use it from a different device.
Prerequisites
Required Roles
You need one of the following Entra ID roles:
- Conditional Access Administrator (recommended)
- Security Administrator
- Global Administrator
Required Licenses
- Microsoft Entra ID P1 or higher
- Included in: Microsoft 365 Business Premium, E3, E5, or standalone Entra ID P1/P2
Pre-Configuration Requirements
Before enabling token protection:
- Supported platforms - Windows 10+ devices are required
- Entra ID joined or registered devices - Devices must have identity with Entra ID
- Supported applications - Currently limited to specific Microsoft applications
- Test environment - Token protection is still being rolled out
Time Estimate
| Task | Duration |
|---|---|
| Policy creation | 15 minutes |
| Testing | 1-2 hours |
| Rollout (phased) | 1-2 weeks |
| Total | 1-2 weeks for full deployment |
Understanding Token Protection
How Token Protection Works
Normal Token Flow (Vulnerable):
1. User authenticates on Device A
2. Token issued (not bound to device)
3. Attacker steals token
4. Attacker uses token from Device B
5. Access GRANTED (token valid)
Token Protection Flow (Protected):
1. User authenticates on Device A
2. Token issued (cryptographically bound to Device A)
3. Attacker steals token
4. Attacker uses token from Device B
5. Access DENIED (device mismatch)
Technical Implementation
Token protection uses:
- TPM-based key binding - Tokens are bound to a key in the device's TPM
- Primary Refresh Token (PRT) - Leverages existing PRT infrastructure
- Cryptographic proof - Each token request includes proof of device possession
Currently Supported Scenarios
Supported Platforms:
- Windows 10 and later (Entra ID joined or registered)
- macOS (preview)
Supported Applications:
- Exchange Online
- SharePoint Online
- Microsoft Teams
- Other Microsoft 365 applications (expanding)
Not Yet Supported:
- iOS and Android devices
- Third-party SaaS applications
- Browser-only scenarios without registered device
Step-by-Step Instructions
Part 1: Verify Device Requirements
Before enabling token protection, ensure devices meet requirements.
Step 1: Check Device Registration Status
- On Windows devices, open Command Prompt
- Run:
dsregcmd /status - Verify:
AzureAdJoined: YES (for Entra ID joined)- Or
WorkplaceJoined: YES (for Entra ID registered) KeySignTest: Passed (indicates TPM available)
Step 2: Verify TPM Availability
- Open Device Manager
- Expand Security devices
- Verify Trusted Platform Module 2.0 is present
- Or run in PowerShell:
Get-Tpm
Part 2: Create Token Protection Policy
Step 1: Navigate to Conditional Access
- Sign in to the Microsoft Entra admin center
- Navigate to Protection > Conditional Access > Policies
Step 2: Create a New Policy
- Click + New policy
- Enter a name:
Require Token Protection for Sensitive Apps
Step 3: Configure Users and Groups
- Under Assignments, click Users
- Under Include, you have options:
Option A - All Users (recommended for broad protection):
- Select All users
- Exclude: Emergency access accounts
Option B - Pilot Group:
- Select Select users and groups
- Choose a pilot group
- Exclude: Emergency access accounts
Step 4: Configure Target Resources
- Under Target resources, click Cloud apps
- Under Include, select Select apps
- Add sensitive applications:
- Office 365 Exchange Online
- Office 365 SharePoint Online
- Microsoft Teams
Note: Token protection currently works best with Microsoft 365 apps.
Step 5: Configure Session Controls
- Under Session, click to expand
- Check Require token protection for sign-in sessions
- This enables enforcement of token binding
Step 6: Configure Grant Controls (Optional)
You can combine token protection with other requirements:
- Under Grant, click to expand
- Select Grant access
- Optionally add:
- Require multifactor authentication
- Require device to be marked as compliant
Step 7: Enable the Policy
Recommended approach:
- Under Enable policy, select Report-only
- Click Create
- Monitor for 1-2 weeks
- Review sign-in logs for token protection status
- Once validated, change to On
Part 3: Monitor Token Protection
View Token Protection Status in Sign-In Logs
- Navigate to Entra admin center > Monitoring > Sign-in logs
- Click on a sign-in entry
- Look for Token protection in the details:
- Enforced - Token protection was applied
- Not enforced - Token protection not applied (device or app not supported)
View in Conditional Access
- In the sign-in log entry, click Conditional Access tab
- Your token protection policy should appear
- Check if it was applied or why it wasn't
Token Protection Scenarios
Scenario 1: Protect High-Value Data
Goal: Require token protection for access to sensitive SharePoint sites.
Configuration:
Policy: Token Protection for Sensitive Data
Users: All users
Cloud Apps: SharePoint Online
Session: Require token protection for sign-in sessions
Grant: Require MFA + Require compliant device
Scenario 2: Admin Token Protection
Goal: Ensure admin tokens cannot be stolen and replayed.
Configuration:
Policy: Admin Token Protection
Users: Directory roles (all admin roles)
Cloud Apps: All cloud apps
Session: Require token protection for sign-in sessions
Grant: Require MFA + Require compliant device
Scenario 3: Combine with Sign-In Frequency
Goal: Limit token lifetime AND enforce binding.
Configuration:
Policy: Enhanced Token Security
Users: All users
Cloud Apps: Office 365
Session:
- Sign-in frequency: 8 hours
- Require token protection for sign-in sessions
Verification Checklist
After enabling token protection, verify:
Policy Verification
- Policy appears in Conditional Access with status "On" or "Report-only"
- Token protection session control is enabled
- Correct apps are targeted
- Emergency access accounts are excluded
Device Verification
- Test device is Entra ID joined or registered
- TPM is available and functional
- PRT is valid (check with
dsregcmd /status)
Sign-In Log Verification
- User signs in from a compliant device
- Check sign-in log entry
- Verify "Token protection: Enforced" is shown
Negative Test
- User signs in from an unsupported platform
- Verify policy behavior (may be not applied vs. blocked)
- Document any access granted without token protection
Troubleshooting
Token Protection Not Enforced
Symptom: Sign-in logs show "Token protection: Not enforced"
Solutions:
- Verify device is Entra ID joined/registered
- Check TPM status with
dsregcmd /status - Ensure the application supports token protection
- Check if user is on a supported platform (Windows 10+)
- Try signing out and back in to get new tokens
PRT Issues
Symptom: Device cannot obtain or use PRT.
Solutions:
- Run
dsregcmd /debugfor detailed diagnostics - Check
KeySignTeststatus - should be "Passed" - Verify device is properly joined:
dsregcmd /forcerecovery - Re-register the device if needed
Application Not Supported
Symptom: Certain apps don't show token protection enforced.
Solutions:
- Token protection is expanding but not all apps support it
- Check Microsoft documentation for current supported apps
- Focus on Microsoft 365 apps initially
- Third-party apps may not support token binding
Users Blocked Unexpectedly
Symptom: Users on supported devices are being blocked.
Solutions:
- Check if the policy is set to block (vs. report-only)
- Verify no conflicting policies
- Check device registration status
- Review grant controls - may be blocking for other reasons
Mobile Device Access Issues
Symptom: iOS/Android users cannot access apps.
Solutions:
- Token protection is not yet available for mobile
- Exclude mobile platforms from token protection policies
- Or create separate policies for mobile with different controls
Policy Configuration Summary
Basic Token Protection Policy
| Setting | Value |
|---|---|
| Policy Name | Require Token Protection for Sensitive Apps |
| Users - Include | All users |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | Office 365 / Microsoft 365 apps |
| Session | Require token protection for sign-in sessions |
| Grant | Grant access (optional: require MFA) |
| Enable Policy | On |
Admin Token Protection Policy
| Setting | Value |
|---|---|
| Policy Name | Admin Token Protection |
| Users - Include | Directory roles (all admin roles) |
| Users - Exclude | Emergency access accounts |
| Cloud Apps | All cloud apps |
| Conditions | Device platforms: Windows |
| Session | Require token protection |
| Grant | Require MFA + Require compliant device |
| Enable Policy | On |
Best Practices
Phased Rollout
- Week 1: Enable in Report-only mode for all users
- Week 2: Review logs, identify issues
- Week 3: Enable for IT/security team
- Week 4: Enable for pilot group
- Week 5+: Gradual rollout to all users
Combine with Other Controls
Token protection is most effective when combined with:
- MFA - Prevents initial compromise
- Device compliance - Ensures device health
- Sign-in frequency - Limits token lifetime
- CAE - Enables real-time revocation
Platform Considerations
- Windows: Full support on Entra ID joined/registered devices
- macOS: Preview support (check current status)
- Mobile: Not yet supported - use app protection policies instead
Complementary Technologies
Continuous Access Evaluation (CAE)
While token protection prevents token replay, CAE enables:
- Real-time token revocation
- Critical event response (user disabled, password changed)
- Location policy enforcement
Use both for comprehensive token security.
Sign-In Frequency
Token protection prevents replay, but sign-in frequency limits:
- How long tokens remain valid
- How often users must re-authenticate
Combine for defense in depth.
Related Controls
- PA-07: Enable Continuous Access Evaluation (real-time revocation)
- CA-11: Enforce Session Lifetime Limits (sign-in frequency)
- CA-07: Session Controls (comprehensive session management)
- DV-01: Require Compliant Devices (device health)