Description
This recommendation ensures that issued tokens are only issued to the intended device.
Rationale
When properly configured, conditional access can aid in preventing attacks that involve token theft, via hijacking or replay, as part of the attack flow. Although currently considered a rare event, the impact from token impersonation can be severe.
IMPORTANT: While this recommendation allows exceptions to specific Users or Groups, they should be very carefully tracked and reviewed for necessity on a regular interval through an Access Review process. It is important that this rule be built to include "All Users" to ensure that all users not specifically excepted will be required to use MFA to access Admin Portals.
Impact
A Microsoft Entra ID P1 or P2 license is required.
Start with a Conditional Access policy in "Report Only" mode prior to enforcing for all users.
Audit
From Azure Portal
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Protection > Conditional Access > Policies.
- Review existing policies to ensure that at least one policy contains the following configuration:
  - Under Assignments, review Users or workload identities and:
    - Under Include, ensure the scope of the users or groups is appropriate for your organization.
    - Under Exclude, ensure only necessary users and groups (your organization's emergency access or break-glass accounts) are excepted.
  - Under Target resources > Resources > Include > Select resources: Ensure that both Office 365 Exchange Online and Office 365 SharePoint Online are selected.
  - Under Conditions > Device Platforms: Ensure Configure is set to Yes and Include indicates Windows platforms.
  - Under Conditions > Client Apps: Ensure Configure is set to Yes and Mobile Apps and Desktop Clients is selected under Modern Authentication Clients.
  - Under Access controls > Session, ensure that Require token protection for sign-in sessions is selected.
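An added example, not part of the benchmark: a Python checker that applies the audit steps above to Conditional Access policies in the JSON shape returned by Microsoft Graph (GET /identity/conditionalAccess/policies). The two policies are constructed sample data, and the `secureSignInSession` session-control property name is assumed from the Graph beta schema.

```python
# Added example (not from the benchmark): audit Conditional Access policies in the
# JSON shape returned by Microsoft Graph against the token-protection checks above.
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online

def token_protection_findings(policy):
    """Return (failures, exclusions): failed audit checks for one policy, and the
    excluded users/groups that an Access Review should confirm are still needed.
    Assumes the Graph beta 'secureSignInSession' session-control property."""
    failures, cond = [], policy.get("conditions") or {}
    users = cond.get("users") or {}
    if "All" not in (users.get("includeUsers") or []):
        failures.append("Assignments > Include: does not cover All users")
    apps = set((cond.get("applications") or {}).get("includeApplications") or [])
    if not {EXCHANGE_ONLINE, SHAREPOINT_ONLINE} <= apps:
        failures.append("Target resources: Exchange Online and SharePoint Online not both included")
    if "windows" not in ((cond.get("platforms") or {}).get("includePlatforms") or []):
        failures.append("Conditions > Device Platforms: Windows not included")
    if "mobileAppsAndDesktopClients" not in (cond.get("clientAppTypes") or []):
        failures.append("Conditions > Client Apps: Mobile apps and desktop clients not selected")
    if not ((policy.get("sessionControls") or {}).get("secureSignInSession") or {}).get("isEnabled"):
        failures.append("Access controls > Session: token protection not required")
    if policy.get("state") != "enabled":
        failures.append(f"state is {policy.get('state')!r}, not 'enabled' (still report-only?)")
    exclusions = (users.get("excludeUsers") or []) + (users.get("excludeGroups") or [])
    return failures, exclusions

def audit(policies):
    """Map each policy display name to its (failures, exclusions)."""
    return {p["displayName"]: token_protection_findings(p) for p in policies}

# Constructed sample policies: one compliant, one pilot still in report-only mode
# that also omitted SharePoint Online.
SAMPLE_POLICIES = [
    {"displayName": "CA - Token protection", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["<break-glass-group-id>"]},
                    "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
                    "platforms": {"includePlatforms": ["windows"]},
                    "clientAppTypes": ["mobileAppsAndDesktopClients"]},
     "sessionControls": {"secureSignInSession": {"isEnabled": True}}},
    {"displayName": "CA - Token protection (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [EXCHANGE_ONLINE]},
                    "platforms": {"includePlatforms": ["windows"]},
                    "clientAppTypes": ["mobileAppsAndDesktopClients"]},
     "sessionControls": {"secureSignInSession": {"isEnabled": True}}},
]

if __name__ == "__main__":
    for name, (failures, exclusions) in audit(SAMPLE_POLICIES).items():
        print(name, "PASS" if not failures else "FAIL", failures, "exclusions to review:", exclusions)
```

Exclusions are reported rather than failed, since only the Access Review process can decide whether a break-glass exception is still necessary.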
Default Value
A Token Protection Conditional Access policy does not exist by default.