At the recent Microsoft Secure event, we announced a new feature called Token Protection for sign-in sessions. This is the first in a series of Microsoft Entra features designed to combat token theft...
Updated Sep 30, 2024
Version 2.0
Blog Post
Hi there, implemented this into our environment and testing the feature among the IT team. Having a similar issue as Tom-irp except we are testing devices not joined to InTune's access. We'd like to implement the token protection policy, but still allow users signing in from non AAD joined/InTune enrolled devices to log into their M365 apps, as there are still some users in our org here and there using devices not joined to InTune.
I spun up a VM and tested the functionality, and while I can log on fine in the browser, I get rejected and am told to enroll the device when logging in via an app (Outlook, Teams, Word, etc).
We don't want to block access for some users that may be using devices not joined to our AD, but we still would like to implement this policy organization-wide. Is this expected behaviour or is this a public preview thing that will get resolved with time?
I understand that the token protection policy uses the identity of the AAD joined device to prevent sign ins from any other device not matching the identity of that device. Does that limit access to only AAD joined devices and blocks non AAD joined devices outright?
Thanks in advance!