
🛡️ Microsoft Entra ID Token Protection Conditional Access policy is not selected🟢⚪

  • Contextual name: 🛡️ Token Protection Conditional Access policy is not selected🟢⚪
  • ID: /ce/ca/azure/microsoft-entra-id/conditional-access-policy
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

This recommendation ensures that tokens are issued only to the intended device.

Rationale

When properly configured, Conditional Access can help prevent attacks in which token theft, via hijacking or replay, is part of the attack flow. Although currently considered a rare event, the impact of token impersonation can be severe.

IMPORTANT: While this recommendation allows exceptions to specific Users or Groups, they should be very carefully tracked and reviewed for necessity on a regular interval through an Access Review process. It is important that this rule be built to include "All Users" to ensure that all users not specifically excepted will be required to use MFA to access Admin Portals.

Impact

A Microsoft Entra ID P1 or P2 license is required.

Start with a Conditional Access policy in "Report Only" mode prior to enforcing for all users.

Audit

From Azure Portal
  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Policies.


Remediation

From Azure Portal

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Policies.
  3. Select New policy.
  4. Give your policy a name.
  5. Under Assignments, select Users or workload identities.
    1. Under Include, select the users or groups to which this policy applies.
    2. Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts (if applicable).
  6. Under Target resources > Resources > Include > Select resources:
    1. Under Select, select the following applications:
      1. Office 365 Exchange Online
      2. Office 365 SharePoint Online
    2. Choose Select.
  7. Under Conditions:
    1. Under Device platforms:
      1. Set Configure to Yes.
      2. Include > Select device platforms > Windows.
      3. Select Done.
    2. Under Client apps:
      1. Set Configure to Yes.
      2. Under Modern authentication clients, only select Mobile apps and desktop clients.

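The portal steps above describe a policy that can also be expressed as a Microsoft Graph conditionalAccessPolicy body and checked programmatically, which is how a compliance rule like this one would audit a tenant. The following is an added example, not code from the CIS benchmark or from Cloudaware. It assumes the Graph conditionalAccessPolicy JSON shape (displayName, state, conditions, sessionControls), assumes the "Require token protection for sign-in sessions" control is exposed as sessionControls.secureSignInSession.isEnabled (the Graph beta property name), uses the well-known Exchange Online and SharePoint Online application IDs, and works on constructed sample policies rather than a live tenant.

```python
"""Build and audit a Token Protection Conditional Access policy (added example).

Assumptions: Microsoft Graph conditionalAccessPolicy JSON shape; token
protection is assumed to live at sessionControls.secureSignInSession.isEnabled.
"""
from __future__ import annotations

# Well-known first-party application IDs as they appear in Conditional Access.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
REQUIRED_APPS = {EXCHANGE_ONLINE, SHAREPOINT_ONLINE}

# Report-only is accepted as a first step, as the Impact section recommends.
ACTIVE_STATES = {"enabled", "enabledForReportingButNotEnforced"}


def build_token_protection_policy(display_name: str,
                                  break_glass_group_ids: list[str],
                                  report_only: bool = True) -> dict:
    """Return a Graph-shaped policy body that mirrors the remediation steps."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            # Include all users; exclude only the break-glass groups.
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(break_glass_group_ids)},
            "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
            "platforms": {"includePlatforms": ["windows"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "sessionControls": {
            # Assumed property name for "Require token protection for sign-in sessions".
            "secureSignInSession": {"isEnabled": True},
        },
    }


def is_token_protection_policy(policy: dict) -> bool:
    """True if the policy is active and carries every setting the remediation asks for."""
    cond = policy.get("conditions") or {}
    session = policy.get("sessionControls") or {}
    token_protection = (session.get("secureSignInSession") or {}).get("isEnabled") is True
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    users_all = "All" in ((cond.get("users") or {}).get("includeUsers") or [])
    platforms = set((cond.get("platforms") or {}).get("includePlatforms") or [])
    client_apps = set(cond.get("clientAppTypes") or [])
    return (
        policy.get("state") in ACTIVE_STATES
        and token_protection
        and REQUIRED_APPS <= apps
        and users_all
        and ("windows" in platforms or "all" in platforms)
        and client_apps == {"mobileAppsAndDesktopClients"}
    )


def audit(policies: list[dict]) -> list[str]:
    """Names of policies satisfying the recommendation; an empty list is the finding."""
    return [p.get("displayName", "<unnamed>") for p in policies if is_token_protection_policy(p)]


# Constructed sample tenant policies (not real data); the group id is a placeholder.
_DISABLED = {**build_token_protection_policy("CA-TokenProtection-Draft", []), "state": "disabled"}
SAMPLE_POLICIES = [
    {"displayName": "CA-MFA-AllUsers", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    _DISABLED,
    build_token_protection_policy("CA-TokenProtection-ReportOnly",
                                  ["<break-glass-group-object-id>"]),
]

if __name__ == "__main__":
    matches = audit(SAMPLE_POLICIES)
    print("compliant" if matches else "finding: no Token Protection policy", matches)
```

The audit treats a disabled policy as a finding and accepts report-only, so the check passes once the policy exists in the state the Impact section recommends starting from; the only fields with any uncertainty are the ones labelled as assumptions in the comments.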


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS Azure v5.0.0 → 💼 5.2.8 Ensure a Token Protection Conditional Access policy is considered (Manual) | | | 1 | | no data
💼 Cloudaware Framework → 💼 General Access Controls | | | 12 | | no data