Enabling Token Protection in Entra ID Conditional Access

Document Type: How-To Guide - Enable Token Protection in Entra ID Conditional Access
Applies To: Microsoft Entra ID, Conditional Access policy
Audience: 2nd Line / Entra ID Admins / IT Engineer
Author: AK. Udofeh
Last Updated: March 2026

Overview

Token Protection is a Conditional Access session control that cryptographically binds authentication tokens (e.g., Primary Refresh Tokens) to the device they were issued to. This prevents token replay, pass-the-cookie attacks, and AiTM token theft: even if an attacker steals a token, it cannot be used from another machine.

Use Cases

Use Token Protection when:

  • Protecting Exchange Online, SharePoint Online, Teams, and Microsoft 365 native applications
  • Hardening admin or power-user endpoints
  • Preventing AiTM attacks that harvest tokens after MFA completion
  • Enforcing Zero-Trust principles

Prerequisites

Licensing - Microsoft Entra ID P1 is required for Token Protection.

Device Requirements
Supported Platforms (per Microsoft):

Platform          Support Level    Requirements
Windows 10+       GA               Entra-joined, Hybrid-joined, or Entra-registered devices
macOS 14+         Preview          Must be MDM-managed + Enterprise SSO plug-in
iOS/iPadOS 16+    Preview          Must be MDM-managed + Enterprise SSO plug-in
Android           ❌ Not Supported

Application Requirements
Token Protection currently supports:

  • Exchange Online
  • SharePoint Online
  • Microsoft Teams
  • Supported Microsoft 365 native clients (Outlook, OneDrive, Teams)

Browser-based sessions are not supported (native apps only). Deploy in Report-only mode first to avoid disrupting apps or devices. MDM is required for macOS/iOS preview support.

Step‑by‑Step Configuration

Step 1:  Validate Device Registration
Devices must be in one of the following states:

  • Entra-joined
  • Hybrid-joined
  • Entra-registered

Any of these registration states ensures the device is issued a Primary Refresh Token (PRT).

Step 2:  Create a Pilot Group
Create group: TokenProtection‑Pilot.

Step 3:  Create Token Protection Conditional Access Policy

  • Go to Entra Admin Center → Identity → Protection → Conditional Access.
  • Click + New Policy.
  • Name it Enable Token Protection (Pilot).
  • Assign:
    • Users: TokenProtection‑Pilot
    • Cloud Apps: Select Office 365, or specific apps (Exchange, SharePoint, Teams).
  • Under Access Controls → Session, enable Token Protection.
  • Select Require token protection for sign-ins.
  • Set Enable policy to Report-only.

Step 4:  Move to Full Enforcement
After reviewing the report-only logs:

  • Set the policy to ON.
  • Gradually expand the target groups.
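Steps 3 and 4 scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of this guide or Microsoft's own documentation. It assumes the TokenProtection-Pilot group from Step 2 exists and that the signed-in account can consent to Policy.ReadWrite.ConditionalAccess; the policy body uses the built-in Office365 application identifier and the secureSignInSession session control, which is how Graph represents "Require token protection for sign-ins".

```powershell
# Requires the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All" -NoWelcome

# Resolve the pilot group created in Step 2 by its display name.
$pilot = Get-MgGroup -Filter "displayName eq 'TokenProtection-Pilot'"
if (-not $pilot) { throw "Group TokenProtection-Pilot not found; create it first (Step 2)." }

$policy = @{
    displayName = "Enable Token Protection (Pilot)"
    # Start in report-only, as the guide recommends; enforcement is switched on below.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilot.Id) }
        # "Office365" is the built-in identifier for the Office 365 app group
        # (Exchange Online, SharePoint Online, Teams).
        applications = @{ includeApplications = @("Office365") }
        # Token Protection covers native clients only, so scope the policy to
        # desktop/mobile apps on Windows, the GA platform in the table above.
        clientAppTypes = @("mobileAppsAndDesktopClients")
        platforms      = @{ includePlatforms = @("windows") }
    }
    sessionControls = @{
        # Graph name for the "Require token protection for sign-ins" control.
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Step 4: after reviewing the report-only results in the sign-in logs, move the
# same policy to full enforcement. Left commented so the script stays report-only by default.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Review the report-only results under Sign-in logs before uncommenting the enforcement call, since any user in the pilot group on an unsupported platform or browser session will be blocked once the state is "enabled".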

Validation Steps

  • Go to Sign-in logs and check the "Token Protection" evaluation result.
    • You should see accepted device-bound PRTs.
  • Confirm users can still access native apps (Outlook, Teams, OneDrive).
  • Attempt a token replay (simulated test): exported cookies should fail because of device binding.
    • Browsers are a documented limitation: token replay is expected to fail only for native-app sessions.