When an attacker steals a user's token after a successful login, they can impersonate the user and access protected resources without re-authenticating. Because the stolen token already reflects a completed sign-in, including any Multi-Factor Authentication (MFA) challenge, this technique is increasingly used to bypass MFA.
This blog post presents some easy-to-implement steps to better protect against token theft. There are many other protection options that are not covered here. As the security landscape continually evolves, it is essential to regularly review and adjust security practices to remain prepared for new threats. This article will be updated periodically to incorporate new methods and insights.
Prerequisites and Licensing
Licenses
The steps described here use features that require different licenses:

| Feature | License |
|---|---|
| Microsoft Entra Conditional Access | Microsoft Entra ID P1 |
| Token protection | Microsoft Entra ID P2 |
| Microsoft Intune | Microsoft Intune P1 |
An overview of the Microsoft license packages and their features can be accessed at https://m365maps.com/.
Roles Based on the Principle of Least Privilege
The following Microsoft Entra roles are sufficient for the configuration; avoid using Global Administrator for this work:

| Role | Permission |
|---|---|
| Conditional Access Administrator | Can manage Conditional Access capabilities |
| Reports Reader | Can read sign-in and audit reports |
| Intune Administrator | Can manage all aspects of the Intune product |
Enable Token Protection
Token protection (often called token binding in the industry) cryptographically ties the sign-in session token to the device it was issued to, using a key held by that device. A session token copied to another machine therefore fails validation and cannot be replayed by an attacker. Note that the current implementation protects sign-in session tokens (refresh tokens such as the Primary Refresh Token); short-lived access tokens that a client has already obtained are not covered, so token protection complements rather than replaces the other controls in this post.
Token protection is currently in preview and is supported for Microsoft Entra Conditional Access on mobile apps and desktop applications accessing Exchange Online and SharePoint Online from Windows devices. The set of supported applications and platforms is continuously being expanded.
Token protection is enabled through Microsoft Entra Conditional Access.
Open Microsoft Entra admin center (https://entra.microsoft.com) and navigate to Protect > Conditional Access, then select Create new policy.
![Microsoft Entra Conditional Access Create new policy](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-001-1024x575.png)
Assign a Name to the Microsoft Entra Conditional Access policy. The naming conventions are described here: Conditional Access framework and policies – Azure Architecture Center | Microsoft Learn
![Microsoft Entra Conditional Access Token Protection Name](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-031-1024x575.png)
Select Users and groups for this policy. Emergency (break-glass) accounts should be excluded.
![Microsoft Entra Conditional Access Token Protection Users](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-032-1024x575.png)
Set the Target resources to Office 365 Exchange Online and Office 365 SharePoint Online. As of the time of writing this blog post, these are the only resources that support token protection.
![Microsoft Entra Conditional Access Token Protection Target resources](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-033-1024x575.png)
Set the Conditions for the Device platform to Windows.
![Microsoft Entra Conditional Access Token Protection Conditions Device platforms](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-034-1024x575.png)
Set the Conditions for the Client apps to Mobile apps and desktop clients.
![Microsoft Entra Conditional Access Token Protection Conditions Client apps](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-035-1024x575.png)
Under Session, enable the feature Require token protection for sign-in sessions.
![Microsoft Entra Conditional Access Token Protection Session](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-036-1024x575.png)
Set Enable policy to On and click Save.
![Microsoft Entra Conditional Access Token Protection Enable policy](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-037-1024x575.png)
The policy has been successfully created, and token protection has been activated.
![Microsoft Entra Conditional Access Overview CA004-Global-DataProtection-EXO-SPO-AnyPlatforms-TokenProtection](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-038-1024x575.png)
Functionality check
Sign-in with an enrolled or registered device
The implementation of Microsoft Entra Conditional Access for token protection can be tracked in the sign-in logs. In the following example, the sign-in was performed on an enrolled or registered device.
Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Users > All users > Sign-in logs
![Microsoft Entra Sign-in logs Token Protection](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-048-1024x575.png)
Sign-in with an unenrolled or unregistered device
If a user signs in from an unenrolled or unregistered device, they will be prompted to register or enroll the device before a token can be issued.
![Microsoft Entra Conditional Access Token Protection Register or enroll device](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-050.png)
The sign-in log shows that the token could not be issued.
Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Users > All users > Sign-in logs
![Microsoft Entra Sign-in logs Token Protection Failure](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-051-1024x575.png)
Enforce Device Compliance
Device compliance can be verified using Microsoft Entra Conditional Access. The compliance criteria can be customized individually in Microsoft Intune. A detailed description of these configuration options is beyond the scope of this blog post. For more information: Create device compliance policies in Microsoft Intune | Microsoft Learn
Open Microsoft Entra admin center (https://entra.microsoft.com) and navigate to Protect > Conditional Access, then select Create new policy
![Microsoft Entra Conditional Access Create new policy](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-001-1024x575.png)
Assign a Name to the Microsoft Entra Conditional Access policy. The naming conventions are described here: Conditional Access framework and policies – Azure Architecture Center | Microsoft Learn
![Microsoft Entra Conditional Access Name](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-002-1024x575.png)
Select Users and groups for this policy, ensuring that Emergency accounts and, if necessary, additional accounts are excluded to prevent accidental lockout.
![Microsoft Entra Conditional Access Users](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-003-1024x575.png)
Set the Target resources to All Resources (formerly All Cloud Apps). Alternatively, you can choose specific applications, such as SharePoint Online or Exchange Online.
![Microsoft Entra Conditional Access Target resources](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-004-1024x575.png)
If needed, additional granular criteria can be configured under Conditions, such as applying the policy only to specific device platforms like Windows, Android, or iOS.
![Microsoft Entra Conditional Access Conditions](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-005-1024x575.png)
Enable the option Require device to be marked as compliant under Grant. This enforces the device compliance policy from Microsoft Intune, allowing access only from devices that Intune reports as compliant.
![Microsoft Entra Conditional Access Grant](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-006-1024x575.png)
Review the configuration to ensure that accounts are not accidentally locked out. If needed, the Microsoft Entra Conditional Access policy can also be tested in Report-only mode.
Set Enable policy to On and click Save.
![Microsoft Entra Conditional Access Enable policy](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-007-1024x575.png)
The policy has been successfully created and enforces device compliance.
![Microsoft Entra Conditional Access Overview CA002-Global-DataProtection-AllApps-AllPlatforms-Compliant](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-008-1024x575.png)
Functionality check
User Sign-In
When trying to sign in to an application with a device that does not meet the compliance policies, the following error message will appear.
Error code 53000 indicates that the device does not meet the compliance requirements.
A comprehensive overview of the AADSTS error codes and their descriptions is available for further details: Microsoft Entra authentication & authorization error codes – Microsoft identity platform | Microsoft Learn
![AADSTS-Errorcode 53000](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-009-01.png)
Sign-in Logs
The sign-in attempt will appear in the sign-in logs with the sign-in error 53000.
Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Users > All users > Sign-In logs
![Sign-In Logs](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-010-1024x575.png)
Check Enrolled or Registered Devices
A Microsoft Entra Conditional Access policy with a device filter checks whether the signing-in device is Microsoft Entra joined, Microsoft Entra hybrid joined or Microsoft Entra registered. Devices in none of these states are blocked; because the filter is used in exclude mode, this also covers sign-ins that present no device identity at all, for example a browser on an unmanaged machine.
Open Microsoft Entra admin center (https://entra.microsoft.com) and navigate to Protect > Conditional Access, then select Create new policy.
![Microsoft Entra Conditional Access Create new policy](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-001-1024x575.png)
Assign a Name to the Microsoft Entra Conditional Access policy. The naming conventions are described here: Conditional Access framework and policies – Azure Architecture Center | Microsoft Learn
![Microsoft Entra Conditional Access Device Registration Name](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-011-1024x575.png)
Select Users and groups for this policy, ensuring that Emergency accounts and, if necessary, additional accounts are excluded to prevent accidental lockout.
![Microsoft Entra Conditional Access Device Registration Users](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-012-1024x575.png)
Set the Target resources to All Resources (formerly All Cloud Apps). Alternatively, you can choose specific applications, such as SharePoint Online or Exchange Online.
![Microsoft Entra Conditional Access Device Registration Target resources](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-013-1024x575.png)
The device's join or registration state is checked with a device filter under Conditions:
1. Select Filter for devices
2. Set Configure to Yes
3. Select the option Exclude filtered devices from policy
4. Set TrustType to the desired values when multiple registration types are allowed, ensuring that the logical operator between the expressions is OR
– Microsoft Entra joined
– Microsoft Entra hybrid joined
– Microsoft Entra registered
5. Click Add expression
6. The filter criterion will be inserted
7. Save the filter with Done
![Microsoft Entra Conditional Access Device Registration Filter for devices](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-014-1024x575.png)
Activate the Block access option under Grant. The policy should block all devices that do not meet the device filter criteria.
![Microsoft Entra Conditional Access Device Registration Block](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-015-1024x575.png)
Review the configuration to ensure that accounts are not accidentally locked out. If needed, the Microsoft Entra Conditional Access policy can also be tested in Report-only mode.
Set Enable policy to On and click Save.
![Microsoft Entra Conditional Access Device Registration Enable policy](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-016-1024x575.png)
The policy has been successfully created and enforces the device filter.
![Microsoft Entra Conditional Access Overview CA003-Global-DataProtection-AllApps-AnyPlatforms-Unregistered-Block](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-024-1024x614.png)
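The three Conditional Access policies configured above through the portal (token protection for Exchange Online and SharePoint Online, required device compliance, and blocking unregistered devices) can also be created as code, which makes them reviewable and repeatable across tenants. The following script is an added example and not part of the original post; it uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.SignIns` module) and assumes the caller holds the Conditional Access Administrator role. The emergency-account object IDs are placeholders, the policy names follow the ones shown in the screenshots, and the policies are created in report-only mode so that the sign-in logs can be reviewed before enforcement.

```powershell
# Added example, not from the original post: create the three Conditional Access
# policies with Microsoft Graph PowerShell. Property names follow the Graph
# conditionalAccessPolicy resource. Object IDs below are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder break-glass accounts; replace with the object IDs of your tenant.
$emergencyAccounts = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# Well-known first-party application IDs of Exchange Online and SharePoint Online.
$exchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'

$users = @{
    includeUsers = @('All')
    excludeUsers = $emergencyAccounts
}

$policies = @(
    @{
        displayName = 'CA002-Global-DataProtection-AllApps-AllPlatforms-Compliant'
        state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
        conditions  = @{
            users        = $users
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')           # "Require device to be marked as compliant"
        }
    },
    @{
        displayName = 'CA003-Global-DataProtection-AllApps-AnyPlatforms-Unregistered-Block'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users        = $users
            applications = @{ includeApplications = @('All') }
            devices      = @{
                deviceFilter = @{
                    # exclude mode: joined / hybrid joined / registered devices are excluded
                    # from the policy, every other sign-in (including those without a
                    # device identity) hits the block control.
                    mode = 'exclude'
                    rule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD" -or device.trustType -eq "Workplace"'
                }
            }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('block')
        }
    },
    @{
        displayName = 'CA004-Global-DataProtection-EXO-SPO-AnyPlatforms-TokenProtection'
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = $users
            applications   = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
            platforms      = @{ includePlatforms = @('windows') }
            clientAppTypes = @('mobileAppsAndDesktopClients')
        }
        sessionControls = @{
            # "Require token protection for sign-in sessions"
            secureSignInSession = @{ isEnabled = $true }
        }
    }
)

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($policy in $policies) {
    if ($existing | Where-Object { $_.DisplayName -eq $policy.displayName }) {
        Write-Warning "Policy '$($policy.displayName)' already exists, skipping."
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created $($created.DisplayName) [$($created.State)] id=$($created.Id)"
}
```

The filter rule is the expression the portal builds when TrustType is added three times with the OR operator: `AzureAD` is Microsoft Entra joined, `ServerAD` is Microsoft Entra hybrid joined and `Workplace` is Microsoft Entra registered. Review the report-only results in the sign-in logs, then set `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.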
Functionality check
User Sign-In
When attempting to sign in from a device that is not Microsoft Entra joined, Microsoft Entra hybrid joined or Microsoft Entra registered, the following error message will appear:
Error code 53003 indicates that the sign-in was blocked by a Microsoft Entra Conditional Access policy.
A comprehensive overview of the AADSTS error codes and their descriptions is available for further details: Microsoft Entra authentication & authorization error codes – Microsoft identity platform | Microsoft Learn
![AADSTS-Errorcode 53003](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-017.png)
Sign-in Logs
The sign-in attempt will appear in the sign-in logs with the sign-in error 53003.
Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Users > All users > Sign-In logs
![Sign-In Logs Errorcode 53003](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-018-1024x575.png)
![Sign-In Logs Conditional Access Errorcode 53003](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-052-1024x575.png)
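The three functionality checks above (the token protection sign-in, the 53000 compliance failure and the 53003 Conditional Access block) can be verified in bulk instead of clicking through individual sign-in entries. The following script is an added example and not part of the original post; it reads the last 24 hours of interactive sign-ins through the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Reports` module), assumes the caller holds Reports Reader (the `AuditLog.Read.All` and `Directory.Read.All` scopes) and uses the policy name from the screenshots for the token protection policy.

```powershell
# Added example, not from the original post: summarise sign-in log outcomes produced
# by the Conditional Access policies from this post. Requires Reports Reader.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since   = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Sign-in error codes that the functionality checks in this post expect.
$expected = @{
    53000 = 'Device not compliant (CA002)'
    53003 = 'Blocked by Conditional Access (CA003)'
}

$blocked = foreach ($s in $signIns) {
    $code = [int]$s.Status.ErrorCode
    if (-not $expected.ContainsKey($code)) { continue }
    $applied = $s.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -in @('failure', 'reportOnlyFailure') } |
        ForEach-Object { "$($_.DisplayName)=$($_.Result)" }
    [pscustomobject]@{
        Time      = $s.CreatedDateTime
        User      = $s.UserPrincipalName
        App       = $s.AppDisplayName
        ErrorCode = $code
        Reason    = $expected[$code]
        Device    = $s.DeviceDetail.DisplayName
        TrustType = $s.DeviceDetail.TrustType      # empty when no device identity was presented
        Compliant = $s.DeviceDetail.IsCompliant
        Policies  = $applied -join '; '
    }
}
$blocked | Sort-Object Time -Descending | Format-Table -AutoSize

# Token protection: CA004 only reports success when the session token is device-bound.
$tpPolicy  = 'CA004-Global-DataProtection-EXO-SPO-AnyPlatforms-TokenProtection'
$tpResults = foreach ($s in $signIns) {
    $cap = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $tpPolicy }
    if ($null -eq $cap) { continue }
    [pscustomobject]@{
        User      = $s.UserPrincipalName
        App       = $s.AppDisplayName
        TrustType = $s.DeviceDetail.TrustType
        Result    = $cap.Result   # success, failure, notApplied or the reportOnly* variants
    }
}
$tpResults | Group-Object Result | Select-Object Name, Count
```

While the policies are still in report-only mode, look for `reportOnlyFailure` entries: each one is a user or device that would be locked out once the policy is switched to On, which is exactly the review the post recommends before enforcement.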
Configuring Credential Guard and Local Security Authority (LSA)
Windows devices can be hardened further with two settings that target the credential material an attacker reaches after compromising the endpoint: Credential Guard isolates cached domain credentials (NTLM hashes, Kerberos tickets) in a virtualization-based security enclave that the normal kernel cannot read, and LSA protection runs LSASS as a protected process light (PPL), so unsigned code cannot open it to dump memory even with administrative rights. Both settings significantly raise the cost of the local credential- and token-dumping steps that typically precede token theft.
Credential Guard and Local Security Authority (LSA) are managed with a configuration policy in the Microsoft Intune admin center (https://intune.microsoft.com).
Devices > Manage devices > Configuration > Policies > Create > New Policy
![Microsoft Intune Credential Guard New Policy](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-039-1024x575.png)
Select the platform Windows 10 and later (1), profile type Settings catalog (2), and create the policy by clicking Create (3).
![Microsoft Intune Credential Guard Create a profile](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-040-1024x575.png)
Name the configuration profile (e.g., WCP_PreventTokenTheft) and click Next.
![Microsoft Intune Credential Guard Profile Name](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-041-1024x575.png)
Click Add settings (1), set the filter to Device Guard (2), and select Credential Guard (3).
Set the Credential Guard (4) option to Enabled with UEFI lock.
![Microsoft Intune Credential Guard Enabled with UEFI lock](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-042-1024x575.png)
Click Add settings (1), set the filter to Local Security Authority (2), and select Configure LSA Protected Process (3).
Set the Configure LSA Protected Process (4) option to Enabled with UEFI lock. With a UEFI lock, both settings are persisted in UEFI firmware variables and cannot be turned off again by policy alone; reverting later requires local action on the device and a reboot, so pilot the profile on a test ring before assigning it broadly.
![Microsoft Intune Credential Guard Enabled with UEFI lock](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-043-1024x575.png)
Create Scope tags according to individual requirements.
![Microsoft Intune Credential Guard Scope tags](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-044-1024x575.png)
Assignments can be customized according to specific requirements.
![Microsoft Intune Credential Guard Assignments](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-045-1024x575.png)
The settings are shown for review, and by clicking Create, the policy will be created.
![Microsoft Intune Credential Guard Review + create](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-046-1024x575.png)
The policy is now created and will be deployed to the devices.
![Microsoft Intune Credential Guard Configuration Overview](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-047-1024x575.png)
The policy will be applied to the assigned devices after a short time.
![Microsoft Intune Credential Guard Configuration Rollout](https://www.cloudkaffee.ch/wp-content/uploads/2024/12/preventing-token-theft-effective-methods-for-microsoft-entra-049-1024x575.png)
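Intune reporting only shows that the profile was delivered; whether Credential Guard and LSA protection are actually running is best confirmed on the device itself. The following script is an added example and not part of the original post. It is run in an elevated PowerShell session on a targeted Windows device and reads the state from the `Win32_DeviceGuard` WMI class, the registry values that the two policy settings populate (`LsaCfgFlags` and `RunAsPPL` under the `Lsa` key) and the Wininit event that Windows logs when LSASS starts as a protected process.

```powershell
# Added example, not from the original post: verify on the endpoint that the Intune
# profile above took effect. Run elevated on a device that has received the profile.
function Test-CredentialGuardAndLsa {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # Win32_DeviceGuard: value 1 in SecurityServicesConfigured/Running is Credential Guard,
    # 2 is HVCI. VirtualizationBasedSecurityStatus 2 means VBS is running.
    $credGuardConfigured = $dg.SecurityServicesConfigured -contains 1
    $credGuardRunning    = $dg.SecurityServicesRunning    -contains 1
    $vbsRunning          = $dg.VirtualizationBasedSecurityStatus -eq 2

    # DeviceGuard/LsaCfgFlags and LocalSecurityAuthority/ConfigureLsaProtectedProcess land here:
    # 1 = enabled with UEFI lock, 2 = enabled without UEFI lock, 0 or absent = disabled.
    $lsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsaCfgFlags = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $runAsPpl    = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL    -ErrorAction SilentlyContinue).RunAsPPL

    # Wininit writes System event ID 12 ("LSASS.exe was started as a protected process")
    # on every boot where LSA protection is active.
    $pplEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning                  = $vbsRunning
        CredentialGuardConfigured   = $credGuardConfigured
        CredentialGuardRunning      = $credGuardRunning
        CredentialGuardUefiLock     = ($lsaCfgFlags -eq 1)
        LsaProtectedProcess         = ($runAsPpl -in 1, 2)
        LsaProtectedProcessUefiLock = ($runAsPpl -eq 1)
        LsassStartedProtected       = [bool]$pplEvent
    }
}

$state = Test-CredentialGuardAndLsa
$state | Format-List

if (-not ($state.CredentialGuardRunning -and $state.LsassStartedProtected)) {
    Write-Warning 'Credential Guard or LSA protection is configured but not yet active; the device needs a reboot after the profile applies.'
}
```

A device that reports `CredentialGuardConfigured` as true but `CredentialGuardRunning` as false has received the policy but has not rebooted yet, or lacks the VBS prerequisites (UEFI, Secure Boot, virtualization extensions). Feed the output into a compliance custom script or a remediation if you want Conditional Access to depend on it.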