Blog Post

Core Infrastructure and Security Blog
9 MIN READ

Token Protection by using Microsoft Entra ID.

SantoshPargi's avatar
SantoshPargi
Icon for Microsoft rankMicrosoft
Nov 18, 2024

In this article we will talk about the basics of Tokens, the importance of Token protection and using Entra ID to protect Tokens.

As organizations move to the cloud and adopt SaaS applications, identities are becoming increasingly crucial for accessing resources. Cybercriminals exploit legitimate and authorized identities to steal data and access credentials through methods like phishing, malware, data breaches, brute-force/password spray attacks, and prior compromises.

  • As in past years, password-based attacks on users constitute most identity-related attacks.
  • As MFA blocks most password-based attacks, threat actors are shifting their focus, moving up the cyberattack chain in three ways: 1) attacking infrastructure, 2) bypassing authentication, and 3) exploiting applications.
  • They are leaning more heavily into adversary-in-the-middle (AiTM) phishing attacks and token theft. Over the last year, as Microsoft Digital Defense Report (MDDR 2024) a 146% rise in AiTM phishing attacks.

In AiTM attack , the attackers steal tokens instead of passwords. The Frameworks used by attackers go far beyond credential phishing, by inserting malicious infrastructure between the user and the legitimate application the user is trying to access. When the user is phished, the malicious infrastructure captures both the credentials of the user, and the token.

 

 

By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. Now it is imperative that tokens must be protected from token theft. Let us understand more on tokens.

An Entra identity token is a security token issued by Microsoft Entra ID for authentication and authorization. There are several types:

  • Access Tokens: Grant access to resources on behalf of an authenticated user, containing user and resource information.
  • ID Tokens: Authenticate users, issued in the OpenID Connect flow, containing user identity and authentication details.
  • Refresh Tokens: Obtain new access tokens without re-authentication, usually issued with access tokens and have a longer lifespan.

 

Ensuring Token Security

By following best practices, you can significantly enhance the security of your tokens and protect your applications from unauthorized access.

Use Secure Transmission: Always transmit tokens over secure channels such as HTTPS to prevent interception by unauthorized parties.

Token Binding: Implement Token Protection (formerly known as token binding) to cryptographically tie tokens to client secrets. This prevents token replay attacks from different devices.

Conditional Access Policies: Use Conditional Access policies to enforce compliant network checks. This ensures that tokens are only used from trusted networks and devices.

Continuous Access Evaluation (CAE): Implement CAE to continuously evaluate the security state of the session. This helps in detecting and revoking tokens if there are changes in the user's security posture, such as network location changes.

Short Token Lifetimes: Use short lifetimes for access tokens and refresh tokens to limit the window of opportunity for attackers.

Secure Storage: Store tokens securely on the client side, using secure storage mechanisms provided by the operating system, such as Keychain on iOS or Keystore on Android.

Regular Audits and Monitoring: Regularly audit token usage and monitor for any unusual activity. This helps in early detection of potential security breaches.

 

Now we will discuss Entra ID new features for Token Protection.  

  1. Token protection using conditional access : This feature will provide refresh token protection.
  2. Compliant network check with Conditional Access: This feature will provide both refresh token and Access token protection.

 

Token protection using conditional access:

Token protection (sometimes referred to as token binding in the industry) attempts to reduce attacks using token theft by ensuring a token is usable only from the intended device. When an attacker is able to steal a token, by hijacking or replay, they can impersonate their victim until the token expires or is revoked. Token theft is thought to be a relatively rare event, but the damage from it can be significant.

Token protection creates a cryptographically secure tie between the token and the device (client secret) it's issued to. Without the client secret, the bound token is useless. When a user registers a Windows 10 or newer device in Microsoft Entra ID, their primary identity is bound to the device. What this means: A policy can ensure that only bound sign-in session (or refresh) tokens, otherwise known as Primary Refresh Tokens (PRTs) are used by applications when requesting access to a resource.

Token protection is currently in public preview

Create a Conditional Access policy

Users who perform specialized roles like those described in Privileged access security levels are possible targets for this functionality. We recommend piloting with a small subset to begin.

The steps that follow help create a Conditional Access policy to require token protection for Exchange Online and SharePoint Online on Windows devices.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access > Policies.
  3. Select New policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.
    • Under Include, select the users or groups who are testing this policy.
    • Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

6.Under Target resources > Resources (formerly cloud apps) > Include > Select resources

    • Under Select, select the following applications supported by the preview:
      • Office 365 Exchange Online
      • Office 365 SharePoint Online
    • Choose Select.

7. Under Conditions:

    • Under Device platforms:
      • Set Configure to Yes.
      • Include > Select device platforms > Windows.
      • Select Done.
    • Under Client apps:
      • Set Configure to Yes
      • Under Modern authentication clients, only select Mobile apps and desktop clients. Leave other items unchecked.
      • Select Done.

8. Under Access controls > Session, select Require token protection for sign-in sessions and select Select.

9. Confirm your settings and set Enable policy to Report-only.

10.Select Create to create to enable your policy.

After administrators confirm the settings using report-only mode, they can move the Enable policy toggle from Report-only to On.

 

Capture logs and analyze

Monitoring Conditional Access enforcement of token protection before and after enforcement.

 

Sign-in logs

Use Microsoft Entra sign-in log to verify the outcome of a token protection enforcement policy in report only mode or in enabled mode.

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Identity > Monitoring & health > Sign-in logs.
  3. Select a specific request to determine if the policy is applied or not.
  4. Go to the Conditional Access or Report-Only pane depending on its state and select the name of your policy requiring token protection.

Under Session Controls check to see if the policy requirements were satisfied or not.

 

You can refer below link to know more about license requirements, prerequisites & limitations.

Token protection in Microsoft Entra Conditional Access - Microsoft Entra ID | Microsoft Learn

 

Enable compliant network check with Conditional Access

Organizations who use Conditional Access along with the Global Secure Access, can prevent malicious access to Microsoft apps, third-party SaaS apps, and private line-of-business (LoB) apps using multiple conditions to provide defense-in-depth. These conditions might include device compliance, location, and more to provide protection against user identity or token theft. Global Secure Access introduces the concept of a compliant network within Microsoft Entra ID Conditional Access. This compliant network check ensures users connect from a verified network connectivity model for their specific tenant and are compliant with security policies enforced by administrators.

The Global Secure Access Client installed on devices or users behind configured remote networks allows administrators to secure resources behind a compliant network with advanced Conditional Access controls. This compliant network feature makes it easier for administrators to manage access policies, without having to maintain a list of egress IP addresses. This removes the requirement to hairpin traffic through organization's VPN.

 

Compliant network check enforcement

Compliant network enforcement reduces the risk of token theft/replay attacks. Compliant network enforcement happens at the authentication plane (generally available) and at the data plane (preview). Authentication plane enforcement is performed by Microsoft Entra ID at the time of user authentication. If an adversary has stolen a session token and attempts to replay it from a device that is not connected to your organization’s compliant network (for example, requesting an access token with a stolen refresh token), Entra ID will immediately deny the request and further access will be blocked. Data plane enforcement works with services that support Continuous Access Evaluation (CAE) - currently, only SharePoint & Exchange Online. With apps that support CAE, stolen access tokens that are replayed outside your tenant’s compliant network will be rejected by the application in near-real time. Without CAE, a stolen access token will last up to its full lifetime (default 60-90 minutes).

This compliant network check is specific to each tenant.

  • Using this check, you can ensure that other organizations using Microsoft's Global Secure Access services can't access your resources.
    • For example: Contoso can protect their services like Exchange Online and SharePoint Online behind their compliant network check to ensure only Contoso users can access these resources.
    • If another organization like Fabrikam was using a compliant network check, they wouldn't pass Contoso's compliant network check.

The compliant network is different than IPv4, IPv6, or geographic locations you might configure in Microsoft Entra. Administrators are not required to review and maintain compliant network IP addresses/ranges, strengthening the security posture and minimizing the ongoing administrative overhead.

 

Enable Global Secure Access signaling for Conditional Access

To enable the required setting to allow the compliant network check, an administrator must take the following steps.

  1. Sign in to the Microsoft Entra admin center as a Global Secure Access Administrator.
  2. Browse to Global Secure Access > Settings > Session management > Adaptive access.
  3. Select the toggle to Enable CA Signaling for Entra ID (covering all cloud apps). This will automatically enable CAE signaling for Office 365 (preview).
  4. Browse to Protection > Conditional Access > Named locations.

a. Confirm you have a location called All Compliant Network locationswith location type Network Access. Organizations can optionally mark this location as trusted.

You can refer below link to know more about license requirements, prerequisites & limitations

 

Protect your resources behind the compliant network

The compliant network Conditional Access policy can be used to protect your Microsoft and third-party applications. A typical policy will have a 'Block' grant for all network locations except Compliant Network. The following example demonstrates the steps to configure this type of policy:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
  2. Browse to Protection > Conditional Access.
  3. Select Create new policy.
  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
  5. Under Assignments, select Users or workload identities.

6. Under Target resources > Include and select All resources (formerly 'All cloud apps').

    • If your organization is enrolling devices into Microsoft Intune, it is recommended to exclude the applications Microsoft Intune Enrollmentand Microsoft Intune from your Conditional Access policy to avoid a circular dependency.

7. Under Network.

    • Set Configureto Yes.
    • Under Include, select Any location.
    • Under Exclude, select the All Compliant Network locationslocation.

8. Under Access controls:

    • Grant, select Block Access, and select Select.

9. Confirm your settings and set Enable policy to On.

10. Select the Create button to create to enable your policy.

 

User exclusions

Conditional Access policies are powerful tools, we recommend excluding the following accounts from your policies:

  • Emergency access or break-glass accounts to prevent lockout due to policy misconfiguration. In the unlikely scenario all administrators are locked out, your emergency-access administrative account can be used to log in and take steps to recover access.
  • Service accounts and Service principals, such as the Microsoft Entra Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications but are also used to sign in to systems for administrative purposes. Calls made by service principals won't be blocked by Conditional Access policies scoped to users. Use Conditional Access for workload identities to define policies targeting service principals.
    • If your organization has these accounts in use in scripts or code, consider replacing them with managed identities.

Try your compliant network policy

  1. On an end-user device with the Global Secure Access client installed and running, browse to https://outlook.office.com/mail/ or https://yourcompanyname.sharepoint.com/, you have access to resources.
  2. Pause the Global Secure Access client by right-clicking the application in the Windows tray and selecting Pause.
  3. Browse to https://outlook.office.com/mail/ or https://yourcompanyname.sharepoint.com/, you're blocked from accessing resources with an error message that says You cannot access this right now.

You can refer below link to know more about license requirements, prerequisites & limitations

Enable compliant network check with Conditional Access - Global Secure Access | Microsoft Learn

Updated Nov 18, 2024
Version 1.0