Forum Discussion
Device Bound Session Credentials Edge
Hi everyone,
For a customer i did some research about token protection within M365. I did find a lot information what to configure within M365 to get a multi layer protection (CA, Identity Protection, device compliance, etc).
What i didn't found was a solution for token/cookie protection from the browser, until i found this article:
https://en.ittrip.xyz/windows/edge/edge-147-device-bound#index_id0
This article states that edge 147 supports Device Bound Session Credentials which makes it much harder to do a off-device replay of a cookie.
It also is saying:
If you buy rather than build, ask your identity provider or SaaS vendor a direct question: do you have a roadmap for Device Bound Session Credentials or an equivalent browser-session binding model?
So my question is: Does M365 (via the browser) supports Device Bound Session Credentials or will it be supported any time soon?
Hope you have a nice day!
Regards,
MJ
1 Reply
It does not currently support Device Bound Session Credentials (DBSC) in browser sessions. While Microsoft Edge (from version 145 onward, with Edge 147 stabilizing the feature) implements DBSC as a web platform capability, M365 services like Outlook, Teams, and SharePoint Online have not announced adoption of DBSC for cookie/session binding. The supported path for token protection in M365 remains Entra ID device-bound tokens via the Web Account Manager (WAM) and Conditional Access policies, learn.microsoft.com/en-us/entra/msal/javascript/browser/device-bound-tokens