Azure AD Conditional Access Token protection (Preview)

Hi All,

Recently Microsoft has announced the Conditional Access Token Protection Preview.

Token protection (also known as token binding) aims to reduce attacks that rely on token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replay, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant.

Token protection creates a cryptographically secure tie between the token and the device (client secret) it’s issued to. Without the client secret, the bound token is useless.

Resources:

Step by Step

Go to Conditional Access and create a new Policy.

Give it a name and select the users. In my case I chose only one user for testing purposes.

Under “Cloud Apps or Actions” I chose:

  • Office 365 Exchange Online
  • Office 365 SharePoint Online

These are currently the only two cloud apps that support token protection.

Conditions > Device Platforms > Select “Windows”

Conditions > Client apps > Select “Mobile apps and desktop clients”

Session > Select “Require token protection for sign-in Sessions (Preview)”
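The same policy can also be created as code. The following is an added example using the Microsoft Graph PowerShell SDK, not something from the original post; it assumes placeholder object IDs for the pilot user and a break-glass account, and that the token protection session control is exposed as secureSignInSession on the beta Graph endpoint during the preview. It starts the policy in report-only mode so that sign-ins which would be blocked show up in the sign-in logs before anything is enforced.

```powershell
# Added example (not from the original post): create the token protection policy
# via Microsoft Graph instead of the portal. Requires the Microsoft.Graph PowerShell SDK.
# Assumptions: the object IDs below are placeholders; the secureSignInSession session
# control is exposed on the beta endpoint while the feature is in preview.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require token protection - Exchange/SharePoint (pilot)"
    # Report-only first: review the sign-in logs, then switch state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("<pilot-user-object-id>")          # placeholder
            excludeUsers = @("<break-glass-account-object-id>") # placeholder
        }
        applications = @{
            # Well-known first-party app IDs for Office 365 Exchange Online and
            # Office 365 SharePoint Online, the two apps the policy targets.
            includeApplications = @(
                "00000002-0000-0ff1-ce00-000000000000",
                "00000003-0000-0ff1-ce00-000000000000"
            )
        }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # "Require token protection for sign-in sessions (Preview)"
        secureSignInSession = @{ isEnabled = $true }
    }
}

$body    = $policy | ConvertTo-Json -Depth 10
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" `
    -Body $body -ContentType "application/json"

# The new policy's ID, useful for matching entries in the sign-in logs later.
$created.id
```

While the policy is in report-only mode, the sign-in logs show which clients (for example the admin PowerShell modules) would have been blocked, without interrupting them.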

I’ve set the policy to Enabled (because I am brave) and it worked fine with Outlook, OneDrive and the web browser on my AAD joined computer.

But I’ve been running into some trouble using the M365 administration PowerShell modules.

Connect-ExchangeOnline

Error: Sorry, a security policy is preventing access

Checked the sign-in logs

Was blocked due to the Token Protection policy

Connect-MicrosoftTeams

Error: Sorry, a security policy is preventing access

Checked the sign-in logs

Was blocked due to the Token Protection policy

Connect-PnPOnline -Url https://icewolfch.sharepoint.com/sites/IcewolfDemo -Interactive

Error: Sorry, a security policy is preventing access

Checked the sign-in logs

Was blocked due to the Token Protection policy

I had the OneDrive Sync Client set up on another computer (joined to another Azure AD) and there I had the following error:

Error: Register or enroll your device

Checked the sign-in logs

Was blocked due to the Token Protection policy

Summary

It’s a good approach and will work for most users in a classic scenario where the computer is joined to Azure AD.

We will see if the PowerShell modules for Exchange, Teams and SharePoint will support this feature over time.

It’s still an early preview and will evolve over time.

Regards
Andres Bohren
