
Enabling Token Protection in Entra ID Conditional Access

Field           Details
Document Type   How-To Guide - Enable Token Protection in Entra ID Conditional Access
Applies To      Microsoft Entra ID, Conditional Access policy
Audience        2nd Line / Entra ID Admins / IT Engineer
Author          AK. Udofeh
Last Updated    March 2026

Overview

Token Protection is a Conditional Access session control that cryptographically binds authentication tokens (e.g., Primary Refresh Tokens) to the device they were issued to. This defeats token replay, pass-the-cookie attacks and the reuse of tokens captured by AiTM phishing: even if an attacker steals a token, it cannot be used from another machine.

Use Cases

Use Token Protection when:

  • Protecting Exchange Online, SharePoint Online, Teams, and Microsoft 365 native applications
  • Hardening admin or power-user endpoints
  • Preventing AiTM attacks that harvest tokens after MFA completion
  • Enforcing Zero-Trust principles

Prerequisites

Licensing - Microsoft Entra ID P1 is required for Token Protection.

Device Requirements
Supported Platforms (per Microsoft):

Platform         Support Level      Requirements
Windows 10+      GA                 Entra-joined, Hybrid-joined, or Entra-registered devices
macOS 14+        Preview            Must be MDM-managed + Enterprise SSO plug-in
iOS/iPadOS 16+   Preview            Must be MDM-managed + Enterprise SSO plug-in
Android          ❌ Not supported   -

Application Requirements
Token Protection currently supports:

  • Exchange Online
  • SharePoint Online
  • Microsoft Teams
  • Supported Microsoft 365 native clients (Outlook, OneDrive, Teams)

Browser-based sessions are NOT supported (native apps only). Deploy in Report-only mode first so that unsupported apps or devices are identified before anyone is blocked. MDM enrolment is required for the macOS/iOS preview support.

Step‑by‑Step Configuration

Step 1:  Validate Device Registration
Devices must be one of the following:

  • Entra-joined
  • Hybrid-joined
  • Entra-registered

This ensures a Primary Refresh Token (PRT) is issued, which is the token that Token Protection binds to the device.

Step 2:  Create a Pilot Group
Create group: TokenProtection‑Pilot.

Step 3:  Create Token Protection Conditional Access Policy

  • Go to Entra Admin Center → Identity → Protection → Conditional Access.
  • Click + New Policy.
  • Name it Enable Token Protection (Pilot).
  • Assign:
    • Users: TokenProtection‑Pilot
    • Cloud Apps: Select Office 365, or specific apps (Exchange, SharePoint, Teams).
  • Access Controls → Session → Enable Token Protection
  • Set Require token protection for sign-ins.
  • Enable policy in Report‑only mode.
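The same pilot policy expressed as a Microsoft Graph request body, as an added example that is not part of this guide and not Microsoft's own code. It builds the policy in Report-only mode, lints it against the prerequisites above (native clients only, no Android, scoped to the pilot group) and can POST it to Graph. The `secureSignInSession` session-control property on the beta endpoint, the permission name and the placeholder group id are assumptions; confirm them against the current Graph documentation before use.

```python
"""Added example: build and sanity-check the Microsoft Graph request body for the
"Enable Token Protection (Pilot)" policy from Step 3. Not from the guide's author."""
import json
import urllib.request

# Reserved Graph identifier for the "Office 365" application group.
OFFICE_365_APP_GROUP = "Office365"
# Assumption: Token Protection is exposed on the beta endpoint as the
# secureSignInSession session control; verify against current Graph docs.
GRAPH_POLICIES_URL = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENFORCED = "enabled"


def build_token_protection_policy(pilot_group_id: str, state: str = REPORT_ONLY) -> dict:
    """Return the policy body; pilot_group_id is the object id of the
    TokenProtection-Pilot group (a placeholder GUID is used in __main__)."""
    return {
        "displayName": "Enable Token Protection (Pilot)",
        "state": state,
        "conditions": {
            "users": {"includeGroups": [pilot_group_id]},
            "applications": {"includeApplications": [OFFICE_365_APP_GROUP]},
            # Native clients only: browser sessions cannot be device-bound.
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
            # Windows is GA; macOS and iOS are preview (MDM + Enterprise SSO required).
            "platforms": {"includePlatforms": ["windows", "macOS", "iOS"]},
        },
        "sessionControls": {"secureSignInSession": {"isEnabled": True}},
    }


def lint_policy(policy: dict) -> list:
    """Return findings for settings that contradict the guide's prerequisites."""
    findings = []
    conds = policy.get("conditions", {})
    client_apps = conds.get("clientAppTypes", [])
    platforms = conds.get("platforms", {}).get("includePlatforms", [])
    if not policy.get("sessionControls", {}).get("secureSignInSession", {}).get("isEnabled"):
        findings.append("Token Protection session control is not enabled")
    if "browser" in client_apps or "all" in client_apps:
        findings.append("policy targets browser sessions, which Token Protection does not cover")
    if "android" in platforms:
        findings.append("Android is included but is not supported")
    if policy.get("state") == ENFORCED and not conds.get("users", {}).get("includeGroups"):
        findings.append("enforced policy is not scoped to a pilot group")
    return findings


def create_policy(policy: dict, access_token: str, opener=urllib.request.urlopen) -> dict:
    """POST the body to Graph. access_token must carry the
    Policy.ReadWrite.ConditionalAccess permission; opener is injectable so tests stay offline."""
    req = urllib.request.Request(
        GRAPH_POLICIES_URL,
        data=json.dumps(policy).encode("utf-8"),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Placeholder group id; replace with the TokenProtection-Pilot object id.
    body = build_token_protection_policy("00000000-0000-0000-0000-000000000000")
    print(json.dumps(body, indent=2))
    print("findings:", lint_policy(body) or "none")
```

Run `lint_policy` on any edited body before calling `create_policy`; the state stays Report-only by default so the first deployment matches Step 3 of this guide.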

Step 4:  Move to Full Enforcement
After reviewing logs:

  • Set policy to ON
  • Gradually expand target groups
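Step 4 hinges on reading the Report-only results before switching the policy to ON. The following added example (mine, not the guide's) summarises sign-in records for the pilot policy: it counts each outcome and groups the would-be failures by application and operating system so that each cluster can be checked against the troubleshooting table at the end of this guide. The sample records are constructed and shaped after the Graph `signIn` resource's `appliedConditionalAccessPolicies` field; the exact field names and result values are assumptions to verify against your tenant's export.

```python
"""Added example: summarise a report-only Token Protection policy from Graph
sign-in records before switching it on (Step 4). Not from the guide's author."""
from collections import Counter, defaultdict

POLICY_NAME = "Enable Token Protection (Pilot)"

# Constructed sample records shaped like Graph /auditLogs/signIns entries; only the
# fields used here are filled in. Assumption: the policy outcome is read from
# appliedConditionalAccessPolicies[].result.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"operatingSystem": "Windows 11"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"operatingSystem": "MacOs"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "Office 365 SharePoint Online",
     "clientAppUsed": "Browser",
     "deviceDetail": {"operatingSystem": "Windows 11"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyNotApplied"}]},
    {"userPrincipalName": "dave@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"operatingSystem": "Android"},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY_NAME, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "erin@contoso.example", "appDisplayName": "Microsoft Teams",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "deviceDetail": {"operatingSystem": "Windows 11"},
     "appliedConditionalAccessPolicies": [{"displayName": "Require MFA", "result": "success"}]},
]


def policy_result(signin: dict, policy_name: str = POLICY_NAME):
    """Outcome of the named policy for one sign-in, or None if it was not evaluated."""
    for applied in signin.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name:
            return applied.get("result")
    return None


def summarise(signins, policy_name: str = POLICY_NAME):
    """Count outcomes and group would-be failures by (app, OS) so each cluster can be
    matched against the troubleshooting table (unregistered device, unmanaged Mac, ...)."""
    counts = Counter()
    failures = defaultdict(list)
    for s in signins:
        result = policy_result(s, policy_name)
        if result is None:
            continue
        counts[result] += 1
        if result.lower().endswith("failure"):
            os_name = s.get("deviceDetail", {}).get("operatingSystem", "unknown")
            failures[(s.get("appDisplayName"), os_name)].append(s.get("userPrincipalName"))
    return counts, dict(failures)


def ready_to_enforce(counts: Counter, max_failure_ratio: float = 0.0) -> bool:
    """True when the share of report-only failures among evaluated sign-ins is within
    the tolerance; not-applied entries (e.g. browser sessions) are excluded."""
    evaluated = counts["reportOnlySuccess"] + counts["reportOnlyFailure"]
    if evaluated == 0:
        return False
    return counts["reportOnlyFailure"] / evaluated <= max_failure_ratio


if __name__ == "__main__":
    counts, failures = summarise(SAMPLE_SIGNINS)
    print(dict(counts))
    for (app, os_name), users in failures.items():
        print(f"would be blocked: {app} on {os_name}: {', '.join(users)}")
    print("ready to enforce:", ready_to_enforce(counts))
```

In the sample, the two failures fall on an unmanaged Mac and an Android device, which map to the "Not MDM-managed" and "not supported" rows of the troubleshooting table; the browser sign-in is reported as not applied rather than failed, matching the browser limitation noted above.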

Validation Steps

  • Go to Sign-in logs → check the "Token Protection" evaluation result.
    • You should see accepted device-bound PRTs.
  • Confirm users can still access native apps (Outlook, Teams, OneDrive).
  • Attempt a token replay test: export cookies (simulated test) → the replay should fail due to device binding.
    (Documented limitation: browser sessions are not covered, so replay is expected to fail only for native-app tokens.)

======================== Troubleshooting =======================

Issue                             Cause                                   Solution
User blocked from Outlook/Teams   Device not registered / not supported   Verify Entra join/registration status
macOS/iOS failing                 Not MDM-managed                         Enforce MDM requirement for preview support
Browser apps unaffected           Browsers not supported                  Use native apps or combine with CA blocking controls
Token still reusable              App not in supported list               Only Teams/SharePoint/Exchange supported currently