{
	"id": "5e527664-9e35-440b-b340-e4c28aee12a6",
	"created_at": "2026-04-06T02:11:01.937321Z",
	"updated_at": "2026-04-10T03:21:25.507926Z",
	"deleted_at": null,
	"sha1_hash": "2995747ec4e9cdd0e18d072384925132b729c18d",
	"title": "How Token Protection Enhances Conditional Access Policies - Microsoft Entra ID",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94188,
	"plain_text": "How Token Protection Enhances Conditional Access Policies - Microsoft Entra ID\r\nBy kenwith\r\nArchived: 2026-04-06 01:49:46 UTC\r\nIn this article\r\n1. Overview\r\n2. Platform availability\r\n3. Supported resources\r\n4. Deployment\r\n5. Related content\r\nToken Protection is a Conditional Access session control that attempts to reduce token replay attacks by ensuring only device-bound sign-in session tokens, like Primary Refresh Tokens (PRTs), are accepted by Microsoft Entra ID when applications request access to protected resources.\r\nWhen a user registers a supported device with Microsoft Entra, a PRT is issued and cryptographically bound to that device. This binding ensures that even if a threat actor steals the token, it can't be used from another device. With Token Protection enforced, Microsoft Entra validates that only these bound sign-in session tokens are used by supported applications.\r\nPlatform: Status\r\nWindows: Generally Available\r\niOS / iPadOS: Preview\r\nmacOS: Preview\r\nNote\r\nToken Protection currently supports native applications only. Browser-based applications are not supported.\r\nToken Protection policy can be enforced on the following cloud resources:\r\nExchange Online\r\nSharePoint Online\r\nMicrosoft Teams\r\nOn Windows, enforcement is also supported for:\r\nAzure Virtual Desktop\r\nhttps://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection\r\nPage 1 of 3\n\nWindows 365\r\nWindows:\r\nWindows 10 or newer devices that are Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered. See the known limitations section in the appropriate deployment guide for unsupported device types.\r\nWindows Server 2019 or newer devices that are hybrid Microsoft Entra joined.\r\nFor detailed steps on how to register your device, see Register your personal device on your work or school network.\r\nApple (Preview):\r\nmacOS 14.0 or later. Requires the Microsoft Enterprise single sign-on (SSO) plug-in. Alternatively, you can also use Platform SSO. Only MDM-managed devices are supported.\r\niOS / iPadOS 16.0 or later. Requires the Microsoft Enterprise SSO plug-in. Only MDM-managed devices are supported.\r\nFor detailed steps on how to set up, see Enabling Microsoft Enterprise SSO plug-in and configuring Platform SSO for macOS.\r\nTo minimize the likelihood of user disruption due to app or device incompatibility, follow these recommendations:\r\nStart with a pilot group of users and expand over time.\r\nCreate a Conditional Access policy in report-only mode before enforcing token protection.\r\nCapture both interactive and non-interactive sign-in logs.\r\nAnalyze these logs long enough to cover normal application use.\r\nAdd known, reliable users to an enforcement policy.\r\nThis process helps assess your users' client and app compatibility for token protection enforcement.\r\nSelect the guide for your target platform:\r\nWindows: Token Protection deployment guide - Windows\r\niOS, iPadOS, and macOS: Token Protection deployment guide - Apple\r\nWhat is a Primary Refresh Token?\r\nAdditional resources\r\nTraining\r\nLast updated on 03/24/2026\r\nSource: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection"
	],
	"report_names": [
		"concept-token-protection"
	],
	"threat_actors": [],
	"ts_created_at": 1775441461,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2995747ec4e9cdd0e18d072384925132b729c18d.pdf",
		"text": "https://archive.orkl.eu/2995747ec4e9cdd0e18d072384925132b729c18d.txt",
		"img": "https://archive.orkl.eu/2995747ec4e9cdd0e18d072384925132b729c18d.jpg"
	}
}