Token Protection in Azure AD Conditional Access (preview)

  • 23 November 2023
  • 3 min read

Conditional Access is a powerful feature of Microsoft Azure Active Directory that allows organizations to control access to their cloud resources based on criteria such as user, device, location, and more. Microsoft has recently introduced a new Conditional Access feature called Token Protection, which adds a further layer of security against token-based attacks.

In this blog post, we will explore Token Protection in detail and see how it can help organizations strengthen their security posture.

What is Token Protection?

Token Protection is a new Conditional Access feature that helps protect against token-based attacks by adding a layer of security around access tokens. Access tokens are used to authenticate users and grant them access to cloud resources. In a token-based attack, an attacker who obtains one of these tokens can use it to gain unauthorized access to sensitive data and resources.

Token Protection works by validating the integrity of the access token before access to the requested resource is allowed. It combines signature validation, token binding, and device risk evaluation to ensure that the access token is legitimate and has not been tampered with.

How does Token Protection work?

When a user requests access to a cloud resource, Conditional Access evaluates criteria such as user, device, and location to decide whether the user should be granted access. Token Protection extends this evaluation by also validating the integrity of the access token itself.

Token Protection uses three main mechanisms to ensure the validity of the access token:

  1. Signature Validation: Token Protection validates the signature of the access token to ensure that it has not been tampered with. The signature is generated with a private key and can only be validated with the corresponding public key.
  2. Token Binding: Token Protection binds the access token to the device that was used to request it. This ensures that the access token can only be used on the device it was originally issued to.
  3. Device Risk Evaluation: Token Protection evaluates the risk associated with the device used to request the access token. If the device is deemed risky, access to the requested resource may be denied.

Together, these mechanisms ensure that access tokens are legitimate and untampered, reducing the risk of token-based attacks.

How to enable Token Protection?

Enabling Token Protection is straightforward. First, make sure Conditional Access is in use in your Azure Active Directory tenant. Then create a policy that includes Token Protection as a requirement.

To enable Token Protection in a Conditional Access policy, create or update the policy so that its session controls include "require protection for sign-in sessions".
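The same policy can be created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; it assumes the Microsoft.Graph.Beta.Identity.SignIns module is installed, that the signed-in account has consented to the Policy.ReadWrite.ConditionalAccess scope, and that the pilot group ID placeholder is replaced with a real group. The policy starts in report-only state so sign-in logs reveal which clients would be blocked before anything is enforced.

```powershell
# Added example (not from the original post): create a report-only Conditional Access
# policy that requires token protection ("require protection for sign-in sessions").
# Assumes the Microsoft.Graph.Beta.Identity.SignIns module and a consented
# Policy.ReadWrite.ConditionalAccess scope. The pilot group ID is a placeholder.
# The two application IDs are the well-known IDs of Office 365 Exchange Online and
# Office 365 SharePoint Online; verify them in your own tenant before use.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId = "<PILOT-GROUP-OBJECT-ID>"   # placeholder: replace with your pilot group

$policy = @{
    displayName = "Token protection - pilot (report-only)"
    # Report-only first: the sign-in log shows which sessions WOULD fail the control
    # (for example unsupported clients) without blocking anyone yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($pilotGroupId) }
        applications = @{
            includeApplications = @(
                "00000002-0000-0ff1-ce00-000000000000",  # Office 365 Exchange Online
                "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online
            )
        }
        # Scope to Windows desktop/mobile clients, where a device-bound sign-in
        # session is available; narrowing the scope keeps other clients unaffected.
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # This is the "require protection for sign-in sessions" control from the post.
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = New-MgBetaIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Read the policy back to confirm the session control was persisted.
$check = Get-MgBetaIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
$check.SessionControls.SecureSignInSession
```

Review the report-only results in the sign-in logs for the pilot group before switching the state to "enabled".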