Token protection, sometimes called token binding in the industry, reduces the attack surface for token theft by ensuring that a token is usable only on the device it was issued to. When an attacker steals a token, whether by hijacking or by replay, they can impersonate the victim until the token expires or is revoked. Token theft is thought to be relatively rare, but its impact can be significant.
Token protection creates a cryptographically secure tie between the token and the device (the client secret) it was issued to. Without the client secret, the bound token is useless.
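The binding described above, as an added illustration (not Azure AD's implementation, which keeps the device key in hardware and binds Primary Refresh Tokens): a simplified model in which the issuer commits to a device key in the token and the resource accepts the token only with a fresh proof computed under that key, so a copy replayed from another device is rejected. Key material, device ids and the "cnf" claim name are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed keys for this simulation; a real deployment keeps the device key in
# hardware (TPM) and the issuer signing key inside the identity provider.
ISSUER_KEY = b"constructed-issuer-signing-key"
ENROLLED_DEVICES = {  # device id -> device key (the "client secret" the token is tied to)
    "device-A": b"constructed-device-key-A",
    "device-B": b"constructed-device-key-B",
}

def _key_ref(device_key: bytes) -> str:
    return hashlib.sha256(device_key).hexdigest()

def issue_bound_token(user: str, device_id: str, ttl: int = 3600) -> str:
    """Issuer: embed a reference to the device key in the token, then sign it."""
    payload = {"sub": user, "exp": int(time.time()) + ttl,
               "cnf": _key_ref(ENROLLED_DEVICES[device_id])}
    body = json.dumps(payload, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def make_proof(device_key: bytes, token: str, nonce: str) -> str:
    """Client: prove possession of the device key for this token and server nonce."""
    return hmac.new(device_key, f"{token}|{nonce}".encode(), hashlib.sha256).hexdigest()

def verify_request(token: str, nonce: str, proof: str, now: int = 0) -> str:
    """Resource: accept the token only with a proof from the device it is bound to."""
    body_hex, _, sig = token.partition(".")
    body = bytes.fromhex(body_hex)
    if not hmac.compare_digest(sig, hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()):
        return "rejected: bad issuer signature"
    claims = json.loads(body)
    if claims["exp"] < (now or int(time.time())):
        return "rejected: expired"
    # Resolve the device key the token is bound to; no other key can satisfy the check.
    bound_key = next((k for k in ENROLLED_DEVICES.values() if _key_ref(k) == claims["cnf"]), None)
    if bound_key is None or not hmac.compare_digest(proof, make_proof(bound_key, token, nonce)):
        return "rejected: proof not from bound device"
    return f"ok: {claims['sub']}"

def demo() -> dict:
    """Legitimate use versus the same token presented from another device."""
    token = issue_bound_token("alice", "device-A")
    nonce = secrets.token_hex(8)  # fresh per request and chosen by the server
    good = verify_request(token, nonce, make_proof(ENROLLED_DEVICES["device-A"], token, nonce))
    # The token alone is not enough: device-B holds only its own key.
    stolen = verify_request(token, nonce, make_proof(ENROLLED_DEVICES["device-B"], token, nonce))
    return {"bound_device": good, "other_device": stolen}
```

The server-chosen nonce is what stops a captured proof from being reused; a fixed nonce would reduce the scheme to plain bearer tokens again.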
Requirements
This preview supports the following configurations for access to resources that have Token Protection Conditional Access policies applied:
- Windows 10 or newer devices that are Azure AD joined, hybrid Azure AD joined, or Azure AD registered.
- OneDrive sync client version 22.217 or later
- Teams native client version 1.6.00.1331 or later
- Power BI desktop version 2.117.841.0 (May 2023) or later
- Visual Studio 2022 or later when using the 'Windows authentication broker' Sign-in option
- Office Perpetual clients aren't supported
Known limitations
- External users (Azure AD B2B) aren't supported and shouldn't be included in your Conditional Access policy.
- The following applications don't support signing in using protected token flows, so users are blocked when accessing Exchange and SharePoint:
  - PowerShell modules accessing Exchange, SharePoint, or Microsoft Graph scopes that are served by Exchange or SharePoint
  - PowerQuery extension for Excel
  - Extensions to Visual Studio Code which access Exchange or SharePoint
- The new Teams 2.1 preview client gets blocked after sign-out due to a bug. This bug should be fixed in a future service update.
- The following Windows client devices aren't supported:
  - Windows Server
  - Surface Hub
  - Windows-based Microsoft Teams Rooms (MTR) systems
Licensing requirements
- Using this feature requires Azure AD Premium P2 licenses.