Conditional Access is a feature of Microsoft Azure Active Directory that lets organizations control access to their cloud resources based on criteria such as the user, the device, and the sign-in location. Microsoft has recently added a Conditional Access feature called Token Protection, which adds a further layer of security against token-based attacks.
In this blog post, we will explore Token Protection in detail and see how it can help organizations enhance their security posture.
What is Token Protection?
Token Protection is a new Conditional Access feature that protects access tokens against token-based attacks. Access tokens authenticate users and grant them access to cloud resources; in a token-based attack, an attacker who compromises such a token can use it to gain unauthorized access to sensitive data and resources.
Token Protection validates the integrity of the access token before allowing access to the requested resource. It combines signature validation, token binding, and device risk evaluation to ensure that the token is legitimate and has not been tampered with.
How does Token Protection work?
When a user requests access to a cloud resource, Conditional Access evaluates criteria such as the user, the device, and the location to decide whether access should be granted. Token Protection adds one more evaluation to this process: the integrity of the access token itself.
Token Protection uses three main mechanisms to ensure the validity of the access token:
- Signature Validation: Token Protection validates the signature of the access token to ensure that it has not been tampered with. The signature is generated using a private key and can only be validated using the corresponding public key.
- Token Binding: Token Protection binds the access token to the device that was used to request it. This ensures that the access token can only be used on the device it was originally issued for.
- Device Risk Evaluation: Token Protection evaluates the risk associated with the device used to request the access token. If the device is deemed risky, access to the requested resource may be denied.
Together, these mechanisms ensure that access tokens are legitimate and have not been tampered with, which reduces the risk of token-based attacks.
How to enable Token Protection?
Enabling Token Protection is a straightforward process. To get started, you must first enable Conditional Access in your Azure Active Directory tenant. Once Conditional Access is enabled, you can create a policy that includes Token Protection as a requirement.
To enable Token Protection in your Conditional Access policy, you just need to create or update your policy to include “require protection for sign-in sessions”.