Forum Discussion
Is it possible to protect the Primary Refresh Token (PRT) if attacker has hands on keyboard
Hi RippieUK,
You mention that the admins must request elevated roles via PIM. These PIM requests should be reviewed and confirmed by someone on the IT team before the elevation is allowed and the PIM request approved. Even for roles where the default is self-service, you can go in and edit them to Require Approval.
The main security feature you might be interested in, considering you mentioned pass-the-PRT specifically, is (currently in preview) CAP - Token Protection, aka device binding. This ensures that the token in use is coming from the device it's meant to be coming from. Furthermore, you could play around with the CAPs targeting these devices and users and add Session controls such as a short SIF: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime#user-sign-in-frequency-and-device-identities .
This GitHub repo is a great read and goes into detail about several different token attack types and highlights where the attacks could fail or expose the malicious behavior: Cloud Architekt - Azure Attack-Defense
It sounds like you're already implementing MFA Strength Factors and forcing phish-proof methods, which is awesome. Make sure you've also disabled SSPR for admins.
I also want to confirm that these admins have separate accounts for performing admin tasks in Entra, distinct from their on-prem admin accounts, and that the Entra admin accounts exist only in the cloud and don't touch your on-prem directory.
Best regards,
Dylan
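As an added example (not part of the original post or of any Microsoft sample), here is how the Conditional Access policy described in Dylan's reply, Token Protection plus a short sign-in frequency, could be created in report-only mode with the Microsoft Graph PowerShell SDK, followed by a check that lists which policies in the tenant actually have Token Protection enabled. The policy name, the target group ID, the 4-hour sign-in frequency and the choice of report-only mode are assumptions; the two application IDs are the well-known first-party IDs for Exchange Online and SharePoint Online, which are the workloads Token Protection supports in preview, and the policy is scoped to Windows desktop clients for the same reason.

```powershell
# Added example: Token Protection (secureSignInSession) + sign-in frequency
# for a group of admins, created in report-only mode first.
# Requires the Microsoft.Graph.Identity.SignIns module.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: the object ID of the group holding the cloud-only admin accounts.
$adminGroupId = "00000000-0000-0000-0000-000000000000"

# Well-known first-party application IDs (not assumptions).
$exchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Admins - Token Protection + 4h sign-in frequency (report-only)"  # assumed name
    # Start in report-only so sign-in logs show what would be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($adminGroupId) }
        applications   = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
        # Token Protection currently applies to desktop clients on Windows only.
        clientAppTypes = @("mobileAppsAndDesktopClients")
        platforms      = @{ includePlatforms = @("windows") }
    }
    sessionControls = @{
        # "secureSignInSession" is the Graph name for Token Protection (device-bound tokens).
        secureSignInSession = @{ isEnabled = $true }
        signInFrequency = @{
            isEnabled          = $true
            type               = "hours"
            value              = 4                     # assumed; pick what "short" means for you
            frequencyInterval  = "timeBased"
            authenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Check: which policies enforce Token Protection, and are any of them still report-only?
function Get-TokenProtectionPolicyStatus {
    Get-MgIdentityConditionalAccessPolicy -All |
        Where-Object { $_.SessionControls.SecureSignInSession.IsEnabled -eq $true } |
        Select-Object DisplayName, State,
            @{ n = "SignInFrequency"; e = {
                if ($_.SessionControls.SignInFrequency.IsEnabled) {
                    "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)"
                } else { "not set" }
            } }
}

Get-TokenProtectionPolicyStatus | Format-Table -AutoSize
```

Leave the policy in report-only mode until the sign-in logs confirm that the admins' Windows devices and client apps are all passing the Token Protection check; a non-Windows device or an unsupported client will otherwise be blocked as soon as the state is flipped to "enabled".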