top of page
  • Writer's pictureJames Agombar

Conditional Access Policies - Token Protection (currently in preview)

Token protection helps to reduce an attack surface through binding a token to the device and preventing against "replay attacks" where a malicious actor will steal the token and gain unauthorised access without requiring additional authentication methods.

Microsoft have recently released a new Conditional Access Policy so companies can start protecting against these attack methods, however please note it's currently in preview and lacking full functionality.

Known limitations

  • External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.

  • The following applications don't support signing in using protected token flows and users are blocked when accessing Exchange and SharePoint:

    • Power BI Desktop client

    • PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint

    • PowerQuery extension for Excel

    • Extensions to Visual Studio Code which access Exchange or SharePoint

    • Visual Studio

The following Windows client devices aren't supported:

  • Windows Server

  • Surface Hub


This preview supports the following configurations:

  • Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.

  • OneDrive sync client version 22.217 or later

  • Teams native client version or later

  • Office Perpetual clients aren't supported

Supported Applications in current Preview

  • Office 365 Exchange Online

  • Office 365 SharePoint Online

Let's create a 'Report Only' Conditional Access Policy


Create a new Security Group suitably named for this new test e.g. 'Token Protection Policy'.

Under conditional access policies, click 'New'. Give the policy a name e.g. 'Token Protection Policy'. Click on Users (under assignments), click 'Select users and groups' and choose the test group you created earlier.

Under Cloud apps or actions, click 'Select apps' and choose 'Office 365 Exchange Online' and 'Office 365 Sharepoint Online'.

Under 'Conditions' > 'Device Platforms', click 'Yes' under Configure, then ensure only 'Windows' is ticked.

Under 'Conditions' > 'Client apps', click 'Yes' under Configure and then ensure only 'Mobile apps and desktop clients'

Under 'Sessions', tick 'Require token protection for sign-in sessions (Preview)' then select.

Final steps:

Under 'Enable policy' leave the default option of Report-Only and click 'Create'. This is always good practice to protect you against any accidental misconfiguration, plus you can monitor behaviour for a few days to check for any unusual behaviour in the logs.

Once you're confident everything is working as expected, change the policy to 'On', and add more users to the security group as needed.

90 views0 comments


bottom of page