CA-10: Enable Token Protection

Frequently asked questions about implementing and managing the CA-10 security control in Microsoft 365 and Entra ID.

Q
What is CA-10 (Enable Token Protection)?
A

CA-10 is a security control addressing token theft: stolen tokens can be replayed from any device or location. Token protection binds tokens to specific devices, making stolen tokens useless. This is the primary defense against token theft attacks. The control requires that token binding is enabled for sensitive applications and that refresh token protection is configured; sign-in frequency controls complement token protection.

Related controls: CA-10
Q
Why is Enable Token Protection important for Microsoft 365 security?
A

Stolen tokens can be replayed from any device or location. Token protection binds tokens to specific devices, making stolen tokens useless. This is the primary defense against token theft attacks.

Related controls: CA-10
Q
How do I implement CA-10 in my tenant?
A

TrueConfig provides one-click remediation for CA-10: it creates a Conditional Access policy with token protection session controls.

Related controls: CA-10
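For readers who want to see what the policy described in the two answers above looks like when created by hand, the following Microsoft Graph PowerShell script is an added example; it is not TrueConfig's remediation code. It creates a Conditional Access policy in report-only mode with the token protection session control enabled and then audits which policies in the tenant have that control switched on. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, that the `secureSignInSession` session control is available on the Graph endpoint used, and that the pilot group ID is replaced with a real one; the Exchange Online and SharePoint Online application IDs are Microsoft's well-known first-party IDs.

```powershell
# Added example (not TrueConfig's code): create a report-only Conditional Access
# policy that enables token protection, then list every policy that has it on.
# Assumptions: Microsoft Graph PowerShell SDK installed; caller holds
# Policy.ReadWrite.ConditionalAccess; secureSignInSession is exposed on the
# Graph endpoint below; the pilot group ID placeholder is replaced.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$pilotGroupId = "<PILOT-GROUP-OBJECT-ID>"   # placeholder: pilot with one group first

$policy = @{
    displayName = "CA-10 Token protection for Exchange and SharePoint (report-only)"
    state       = "enabledForReportingButNotEnforced"   # observe impact before enforcing
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
        }
        applications = @{
            # Well-known first-party app IDs: Office 365 Exchange Online and SharePoint Online
            includeApplications = @(
                "00000002-0000-0ff1-ce00-000000000000",
                "00000003-0000-0ff1-ce00-000000000000"
            )
        }
        clientAppTypes = @("mobileAppsAndDesktopClients")
        platforms = @{
            includePlatforms = @("windows")
        }
    }
    sessionControls = @{
        # This is the token protection (token binding) session control
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
Write-Host "Created policy $($created.id) in report-only mode"

# Audit: which policies enable token protection, in what state, and for which scope?
$all = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"
$all.value |
    Where-Object { $_.sessionControls.secureSignInSession.isEnabled -eq $true } |
    ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.displayName
            State       = $_.state
            Platforms   = ($_.conditions.platforms.includePlatforms -join ",")
            ClientApps  = ($_.conditions.clientAppTypes -join ",")
        }
    } | Format-Table -AutoSize
```

The policy starts in report-only mode so the tenant's sign-in logs can show which sessions would have been affected before `state` is changed to `enabled`; the audit loop at the end is the check to rerun afterwards to confirm the control is enforced and to spot any policy where it was later switched off.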
Q
What license do I need for CA-10?
A

This control requires Azure AD Premium P1 (included in Microsoft 365 E3) or higher.

Related controls: CA-10
Q
Which security baseline includes CA-10?
A

CA-10 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.

Related controls: CA-10
