Published: May 12, 2023
Microsoft has recently introduced Token Protection for sign-in sessions support for its Azure AD Conditional Access service. The new feature is designed to help organizations protect their critical resources against token theft.
Last fall, Microsoft’s Detection and Response Team (DART) reported an increase in adversary-in-the-middle (AitM) phishing attacks used to compromise organizational resources. By stealing and replaying session tokens, this technique allows attackers to gain unauthorized access to sensitive data stored in user mailboxes, SharePoint Online sites, and other services without satisfying MFA.
“Token Protection ensures that tokens can only be used on the intended device. When enforced through Conditional Access policies, tokens authorizing access to resources must come from the device where the user originally signed in. This provides the best available protection for your high-value users and data against breaches involving token theft,” Microsoft explained.
Microsoft says the Token Protection for sign-in sessions feature will make it easier for IT admins to prevent, detect, and respond to cloud token theft. As of this writing, the preview only supports Office 365 apps, including SharePoint Online sites and Exchange Online mailboxes.
Additionally, the feature lets organizations block the use of stolen refresh tokens issued to Windows native clients. Microsoft plans to extend this capability to other apps, data and token types, as well as other client platforms in the future. The preview will also add support for Microsoft Teams and other services.
Microsoft notes that Token Protection for sign-in sessions is currently available in preview on Windows 11 and Windows 10 devices. The company is also working to bring token theft protection to macOS, Linux, Android, and iOS devices. Other upcoming updates include an app session token protection feature that will let organizations limit the theft and replay of access tokens.
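For readers who want to try the control described above, the following PowerShell script is an added example (not from the article and not Microsoft's own code) that creates a Conditional Access policy enforcing token protection for sign-in sessions. It targets the scope the article describes (Office 365 Exchange Online and SharePoint Online, mobile apps and desktop clients, Windows devices) via the Microsoft Graph beta endpoint, using the `secureSignInSession` session control. The pilot group ID is a placeholder you must replace; the policy is created in report-only mode so you can review sign-in logs before enforcing it. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in admin can consent to `Policy.ReadWrite.ConditionalAccess`.

```powershell
# Added example: create a report-only Conditional Access policy that requires
# token protection for sign-in sessions. Not from the article; assumptions are
# marked inline. Requires the Microsoft.Graph module and an admin account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: replace with the object ID of a small pilot group of high-value users.
$pilotGroupId = "00000000-0000-0000-0000-000000000000"

# Well-known first-party application IDs for the two supported workloads.
$exchangeOnlineAppId   = "00000002-0000-0ff1-ce00-000000000000"
$sharePointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "CA - Require token protection - Windows clients - O365 (report-only)"
    # Start in report-only mode; switch to "enabled" once the sign-in logs look clean.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{ includeApplications = @($exchangeOnlineAppId, $sharePointOnlineAppId) }
        # Token protection applies to native clients only, so browser flows are excluded here.
        clientAppTypes = @("mobileAppsAndDesktopClients")
        platforms      = @{ includePlatforms = @("windows") }
    }
    sessionControls = @{
        # "Require token protection for sign-in sessions" in the portal.
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccessPolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

Write-Output "Created policy $($created.id) in state $($created.state)"

# Read it back to confirm the session control was stored as intended.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccessPolicies/$($created.id)"
Write-Output "secureSignInSession.isEnabled = $($check.sessionControls.secureSignInSession.isEnabled)"
```

Because the control is only satisfied by tokens bound to the device where the user signed in, run the policy in report-only mode first and look for sign-ins from clients that do not yet support token binding (older Office builds, non-Windows devices, or third-party native apps); those are the users who would be blocked once the state is changed to enabled.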