When an attacker steals a user’s token after a successful login (for example a session cookie or refresh token captured by an adversary-in-the-middle phishing proxy, or token material read from an infected device), they can impersonate the user and access protected resources without signing in again. Because the stolen token was issued after MFA had already been completed, replaying it sidesteps Multi-Factor Authentication (MFA) entirely, which is why this technique is increasingly used to bypass MFA.

This blog post presents some easy to implement steps to better protect against token theft. There are many other protection options that are not covered here. As the security landscape continually evolves, it’s essential to regularly review and adjust security practices to remain prepared for new threats. This article will be updated periodically to incorporate new methods and insights.

Prerequisites and Licensing

Licenses

The steps described here rely on different features and therefore require different licenses:

Feature                            | License
Microsoft Entra Conditional Access | Microsoft Entra ID P1
Token protection                   | Microsoft Entra ID P2
Microsoft Intune                   | Microsoft Intune Plan 1

An overview of the Microsoft license packages and their features can be accessed at https://m365maps.com/.

Roles Based on the Principle of Least Privilege

The following Microsoft Entra roles are sufficient for the configuration:

Role                             | Permission
Conditional Access Administrator | Can manage Conditional Access capabilities
Reports Reader                   | Can read sign-in and audit reports
Intune Administrator             | Can manage all aspects of the Intune product

Enable Token Protection

Token protection (sometimes called token binding) cryptographically binds a sign-in session token to the device it was issued to. The binding relies on a key held by that device, protected by the device's TPM where one is available; a client can only use the token if it proves possession of that key. A token copied to another machine therefore fails the check, which makes stealing it pointless. Only Microsoft Entra joined, hybrid joined or registered devices hold such a device key, which is why token protection is tied to enrolled or registered devices.

Token protection is currently in preview. It is supported in Microsoft Entra Conditional Access for mobile apps and desktop applications on Windows devices that access Exchange Online and SharePoint Online; the list of supported applications and platforms is being expanded continuously, so check the current Microsoft Learn page before relying on it for other workloads.

Token protection is enabled through Microsoft Entra Conditional Access.

Open Microsoft Entra admin center (https://entra.microsoft.com) and navigate to Protect > Conditional Access, then select Create new policy.

Assign a Name to the Microsoft Entra Conditional Access policy. The naming conventions are described here: Conditional Access framework and policies – Azure Architecture Center | Microsoft Learn

Select Users and groups for this policy. Emergency accounts should be excluded.

Set the Target resources to Office 365 Exchange Online and Office 365 SharePoint Online. As of the time of writing this blog post, these are the only resources that support token protection.

Set the Conditions for the Device platform to Windows.

Set the Conditions for the Client apps to Mobile apps and desktop clients.

Under Session, enable the feature Require token protection for sign-in sessions.

Set Enable policy to Report-only first and review the sign-in logs: clients that do not yet support token protection fail the session control and would be blocked by an enforced policy. Once the impact is understood, the policy is enabled with On and saved with Save.

The policy has been successfully created, and token protection has been activated.
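The same policy can be created through Microsoft Graph instead of the portal, which makes it reproducible across tenants. The following PowerShell is an added example and not part of the original post: it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgGroup, Get-MgUser, Invoke-MgGraphRequest) and creates the policy in report-only mode. The pilot group name, the emergency account UPN and the policy name are placeholders, not values from the post, and the beta session control property name secureSignInSession is my reading of how "Require token protection for sign-in sessions" is represented in the Graph beta schema; confirm it against the current beta reference before relying on it.

```powershell
# Added example (not from the original post): create the token protection policy
# via Microsoft Graph beta in report-only mode.
# Assumptions: Microsoft.Graph module installed, caller holds the Conditional Access
# Administrator role, the group / emergency account below exist (placeholder names),
# and "secureSignInSession" is the beta property for token protection (assumed).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "User.Read.All"

# Resolve the scope objects (placeholder names) to their object IDs.
$pilotGroup = Get-MgGroup -Filter "displayName eq 'SG-CA-TokenProtection-Pilot'"
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"
if (-not $pilotGroup -or -not $breakGlass) { throw "Pilot group or emergency account not found." }

# Well-known application IDs of the two resources that currently support token protection.
$exchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online

$policy = @{
    displayName = "CA-TokenProtection-Win-DesktopMobile-EXO-SPO"
    # Report-only first: clients that do not support token protection would be blocked
    # by an enforced policy; the sign-in logs show what would have happened.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroup.Id)
            excludeUsers  = @($breakGlass.Id)     # emergency access account stays excluded
        }
        applications   = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # "Require token protection for sign-in sessions" (assumed beta property name)
        secureSignInSession = @{ isEnabled = $true }
    }
}

# Invoke-MgGraphRequest serialises the hashtable to JSON and returns the created object.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" `
    -Body $policy

"Created '$($created.displayName)' ($($created.id)), state: $($created.state)"
```

After the review period, PATCH the policy with state set to enabled; the resulting Conditional Access policy is identical to the one built in the portal above.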

Functionality check

Sign-in with an enrolled or registered device

The implementation of Microsoft Entra Conditional Access for token protection can be tracked in the sign-in logs. In the following example, the sign-in was performed on an enrolled or registered device.

Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Users > All users > Sign-in logs

Sign-in with an unenrolled or unregistered device

If a user signs in from an unenrolled or unregistered device, they will be prompted to register or enroll the device before a token can be issued.

The sign-in log shows that the token could not be issued.

Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Users > All users > Sign-in logs

Enforce Device Compliance

Device compliance can be verified using Microsoft Entra Conditional Access. The compliance criteria can be customized individually in Microsoft Intune. A detailed description of these configuration options is beyond the scope of this blog post. For more information: Create device compliance policies in Microsoft Intune | Microsoft Learn

Open Microsoft Entra admin center (https://entra.microsoft.com) and navigate to Protect > Conditional Access, then select Create new policy.

Assign a Name to the Microsoft Entra Conditional Access policy. The naming conventions are described here: Conditional Access framework and policies – Azure Architecture Center | Microsoft Learn

Select Users and groups for this policy, ensuring that Emergency accounts and, if necessary, additional accounts are excluded to prevent accidental lockout.

Set the Target resources to All Resources (formerly All Cloud Apps). Alternatively, you can choose specific applications, such as SharePoint Online or Exchange Online.

If needed, additional granular criteria can be configured under Conditions, such as applying the policy only to specific device platforms like Windows, Android, or iOS.

Enable the option Require device to be marked as compliant under Grant. This enforces the device compliance policy from Microsoft Intune, allowing only devices that meet the requirements of this policy.

Review the configuration to ensure that accounts are not accidentally locked out. If needed, the Microsoft Entra Conditional Access policy can also be tested in Report-only mode.
The policy is enabled with On and saved with Save.

The policy has been successfully created and enforces device compliance.

Functionality check

User Sign-In

When a user tries to sign in to an application from a device that does not meet the compliance policy, the sign-in fails with error code 53000.

Error code 53000 (DeviceNotCompliant) indicates that the device does not meet the compliance requirements of the Conditional Access policy.

A comprehensive overview of the AADSTS error codes and their descriptions is available for further details: Microsoft Entra authentication & authorization error codes – Microsoft identity platform | Microsoft Learn

Sign-in Logs

The sign-in attempt will appear in the sign-in logs with the sign-in error 53000.

Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Users > All users > Sign-In logs

Check Enrolled or Registered Devices

A Microsoft Entra Conditional Access policy with a device filter can check whether the signing-in device is Microsoft Entra joined, Microsoft Entra hybrid joined or Microsoft Entra registered. Devices in none of these states, including devices that present no device identity at all, are blocked.

Open Microsoft Entra admin center (https://entra.microsoft.com) and navigate to Protect > Conditional Access, then select Create new policy.

Assign a Name to the Microsoft Entra Conditional Access policy. The naming conventions are described here: Conditional Access framework and policies – Azure Architecture Center | Microsoft Learn

Select Users and groups for this policy, ensuring that Emergency accounts and, if necessary, additional accounts are excluded to prevent accidental lockout.

Set the Target resources to All Resources (formerly All Cloud Apps). Alternatively, you can choose specific applications, such as SharePoint Online or Exchange Online.

The device enrollment is checked under Conditions:
1. Select Filter for devices.
2. Set Configure to Yes.
3. Select the option Exclude filtered devices from policy.
4. Build the rule on the TrustType property. When several registration types are allowed, add one expression per value and join them with the logical operator Or:
   - Microsoft Entra joined
   - Microsoft Entra hybrid joined
   - Microsoft Entra registered
5. Click Add expression.
6. The filter criterion is inserted into the rule.
7. Save the filter with Done.

Activate the Block access option under Grant. Because the filter is in exclude mode, the policy applies to, and therefore blocks, every device that does not match the device filter criteria.

Review the configuration to ensure that accounts are not accidentally locked out. If needed, the Microsoft Entra Conditional Access policy can also be tested in Report-only mode.
The policy is enabled with On and saved with Save.

The policy has been successfully created and enforces the device filter.
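Both device policies from the two sections above ("Enforce Device Compliance" and "Check Enrolled or Registered Devices") can be created through Microsoft Graph v1.0 with the same small helper. This is an added example and not code from the original post: it assumes the Microsoft Graph PowerShell SDK, the Conditional Access Administrator role, and placeholder group, emergency account and policy names that exist in your tenant. The trustType values in the filter rule (AzureAD, ServerAD, Workplace) are the Graph representations of Microsoft Entra joined, hybrid joined and registered.

```powershell
# Added example (not from the original post): create the "require compliant device"
# and the "block unregistered devices" policies via Microsoft Graph v1.0, both in
# report-only mode so their effect can be reviewed in the sign-in logs first.
# Assumptions: Microsoft.Graph module installed, Conditional Access Administrator
# role, and the placeholder group / emergency account names below exist.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All", "User.Read.All"

$pilotGroup = Get-MgGroup -Filter "displayName eq 'SG-CA-DevicePolicies-Pilot'"
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"
if (-not $pilotGroup -or -not $breakGlass) { throw "Pilot group or emergency account not found." }

# Scope shared by both policies: pilot users, emergency account excluded, all resources.
$scope = @{
    users          = @{ includeGroups = @($pilotGroup.Id); excludeUsers = @($breakGlass.Id) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
}

function New-CaPolicyReportOnly {
    # Create a policy in report-only state; switch it to "enabled" only after review.
    param([hashtable]$Policy)
    $Policy["state"] = "enabledForReportingButNotEnforced"
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
        -Body $Policy
}

# 1. Enforce device compliance: Grant > "Require device to be marked as compliant".
$compliancePolicy = @{
    displayName   = "CA-RequireCompliantDevice-AllResources"
    conditions    = $scope
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# 2. Check enrolled or registered devices: device filter in exclude mode plus Block.
#    trustType: AzureAD = Microsoft Entra joined, ServerAD = hybrid joined,
#    Workplace = Microsoft Entra registered. Devices matching the rule are excluded
#    from the policy; everything else, including devices without any device
#    identity, falls under the policy and is blocked.
$registeredRule = 'device.trustType -eq "AzureAD" -or device.trustType -eq "ServerAD" -or device.trustType -eq "Workplace"'
$deviceFilterPolicy = @{
    displayName   = "CA-BlockUnregisteredDevices-AllResources"
    conditions    = $scope + @{ devices = @{ deviceFilter = @{ mode = "exclude"; rule = $registeredRule } } }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($compliancePolicy, $deviceFilterPolicy)) {
    $created = New-CaPolicyReportOnly -Policy $p
    "Created '$($created.displayName)' ($($created.id)), state: $($created.state)"
}
```

Keep the two policies separate rather than merging the controls into one: a compliant device is by definition registered, but the block policy is what catches sign-ins from devices Intune has never seen, and report-only results are easier to read per policy.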

Functionality check

User Sign-In

When attempting to sign in from a device that is not Microsoft Entra joined, Microsoft Entra hybrid joined or Microsoft Entra registered, the sign-in fails with error code 53003.

Error code 53003 (BlockedByConditionalAccess) indicates that the sign-in was blocked by a Microsoft Entra Conditional Access policy.

A comprehensive overview of the AADSTS error codes and their descriptions is available for further details: Microsoft Entra authentication & authorization error codes – Microsoft identity platform | Microsoft Learn

Sign-in Logs

The sign-in attempt will appear in the sign-in logs with the sign-in error 53003.

Microsoft Entra admin center (https://entra.microsoft.com) > Identity > Users > All users > Sign-In logs
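Rather than clicking through the portal, the functionality checks for both device policies (error 53000 in the compliance section and 53003 here) can be run as one query against the sign-in logs. The following PowerShell is an added example, not from the original post; it assumes the Microsoft Graph PowerShell SDK (Get-MgAuditLogSignIn) and a role that can read sign-in logs, such as Reports Reader.

```powershell
# Added example (not from the original post): list the last 24 hours of sign-ins
# that failed with 53000 (DeviceNotCompliant) or 53003 (BlockedByConditionalAccess)
# and show which Conditional Access policy caused each failure.
# Assumes the Microsoft.Graph module and a role able to read sign-in logs.

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")

# The time window is filtered server-side; the error codes are filtered locally so
# the query does not depend on combined $filter support for status/errorCode.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.Status.ErrorCode -in 53000, 53003 }

$meaning = @{
    53000 = "device not compliant (53000)"
    53003 = "blocked by Conditional Access (53003)"
}

$signIns | ForEach-Object {
    # Policies that evaluated to "failure" are the ones that blocked this sign-in.
    $blocking = $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Result -eq "failure" } |
        ForEach-Object { $_.DisplayName }

    [pscustomobject]@{
        Time             = $_.CreatedDateTime
        User             = $_.UserPrincipalName
        App              = $_.AppDisplayName
        Reason           = $meaning[[int]$_.Status.ErrorCode]
        DeviceTrustType  = $_.DeviceDetail.TrustType      # empty = no device identity presented
        DeviceCompliant  = $_.DeviceDetail.IsCompliant
        CaResult         = $_.ConditionalAccessStatus
        BlockingPolicies = ($blocking -join "; ")
    }
} | Format-Table -AutoSize
```

While a policy is still in report-only mode, its entry appears under AppliedConditionalAccessPolicies with a result of reportOnlyFailure instead of failure and the sign-in itself succeeds; adjust the Where-Object filter on Result accordingly to preview the impact before enforcement.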

Configuring Credential Guard and Local Security Authority (LSA)

Windows devices can be better protected against credential and token theft on the endpoint itself by enabling Credential Guard and Local Security Authority (LSA) protection. LSA protection runs LSASS as a protected process (RunAsPPL), so that other processes, even those running with administrator rights, cannot open it to read its memory, which blocks the common tooling that dumps credentials and sign-in token material from LSASS. Credential Guard goes a step further and isolates secrets such as NTLM hashes and Kerberos tickets in a virtualization-based security (VBS) container that the operating system itself cannot read. Together they significantly complicate attacks on the device and reduce the risk of sign-in token theft.

Credential Guard and Local Security Authority (LSA) are managed with a configuration policy in the Microsoft Intune admin center (https://intune.microsoft.com).

Devices > Manage devices > Configuration > Policies > Create > New Policy

Select the platform Windows 10 and later and the profile type Settings catalog, then create the policy by clicking Create.

Name the configuration profile (e.g., WCP_PreventTokenTheft) and click Next.

Click Add settings, filter on Device Guard and select Credential Guard. Set Credential Guard to Enabled with UEFI lock.

Click Add settings again, filter on Local Security Authority and select Configure LSA Protected Process. Set Configure LSA Protected Process to Enabled with UEFI lock.

Note what the UEFI lock means: the setting is persisted in a UEFI variable, so it cannot be switched off again by a later policy or registry change alone; clearing it requires physical presence at the device. That is exactly the point (malware with administrator rights cannot disable the protection), but for a pilot where remote rollback may still be needed, Enabled without UEFI lock is the safer first step. Credential Guard also requires a device with UEFI, Secure Boot and virtualization support; on hardware that does not meet these requirements the setting is ignored, which is why the result should be verified on the endpoint.

Create Scope tags according to individual requirements.

Assignments can be customized according to specific requirements.

The settings are shown for review, and by clicking Create, the policy will be created.

The policy is now created and will be deployed to the devices.

The policy will be applied to the assigned devices after a short time.
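Whether the profile actually took effect is best confirmed on the device rather than in the Intune status view. The following script is an added example, not from the original post: run it in an elevated PowerShell on a device that received the profile. It reads the Win32_DeviceGuard WMI class and the Lsa registry values that Windows uses to report this state; the value meanings in the comments are taken from the Windows Credential Guard and LSA protection documentation as I know them, and the Wininit event lookup is a secondary indicator only.

```powershell
# Added example (not from the original post): verify Credential Guard and LSA
# protection on an endpoint. Run elevated on a device that received the profile.
# Assumptions: standard Windows 10/11 reporting via Win32_DeviceGuard and the
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa values RunAsPPL and LsaCfgFlags.

$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1
# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
$vbsRunning   = $dg.VirtualizationBasedSecurityStatus -eq 2

$lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
# RunAsPPL:    1 = LSA protection enabled with UEFI lock, 2 = enabled without UEFI lock.
# LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock, 2 = enabled without UEFI lock.
# A missing value casts to 0 (not configured).
$runAsPpl    = [int]$lsa.RunAsPPL
$lsaCfgFlags = [int]$lsa.LsaCfgFlags

$lsaState = switch ($runAsPpl) {
    1       { "enabled, UEFI lock" }
    2       { "enabled, no UEFI lock" }
    default { "not configured" }
}

# Wininit writes System event 12 when LSASS starts as a protected process. Absence
# only means it is not in the current log, so treat it as supporting evidence.
$pplEvent = Get-WinEvent -FilterHashtable @{
    LogName = "System"; ProviderName = "Microsoft-Windows-Wininit"; Id = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue

$result = [pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
    VbsRunning                = $vbsRunning
    CredentialGuardUefiLock   = ($lsaCfgFlags -eq 1)
    LsaProtection             = $lsaState
    LsaPplStartEventSeen      = [bool]$pplEvent
}
$result | Format-List

# Exit code usable from a compliance check or a remediation script:
# 0 only when Credential Guard is running and LSA runs as PPL with the UEFI lock.
if ($cgRunning -and $runAsPpl -eq 1) { exit 0 } else { exit 1 }
```

Credential Guard becomes active only after a reboot, so a device that shows CredentialGuardConfigured but not CredentialGuardRunning has usually not restarted since the profile arrived; a device that shows neither, despite the profile being assigned, normally lacks a prerequisite such as Secure Boot or virtualization support. The exit code at the end makes the script usable as an Intune custom compliance or remediation detection script.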

