Stop Token Theft: Turn On Token Protection in Microsoft Entra Conditional Access Before Your Next Phish Lands

  • Hanna Korotka
  • 2 hours ago
  • 2 min read

Phishing attacks are evolving fast. Today, attackers don't just steal passwords; they steal session tokens, which lets them bypass MFA and impersonate legitimate users. Because the sign-in looks valid, this silent breach can last for days, giving attackers access to email, files, and collaboration tools. The solution? Token Protection in Microsoft Entra Conditional Access, a Microsoft 365 feature designed to stop token replay attacks before they happen.


Why Token Theft Is a Growing Threat


According to Microsoft, adversary-in-the-middle (AiTM) phishing attacks have surged by 146% in the past year. These attacks capture session tokens during sign-in and replay them from another device, bypassing MFA and security controls. Even organizations with strong password policies and MFA remain vulnerable without additional safeguards.


What Is Token Protection in Microsoft Entra Conditional Access?


Token Protection cryptographically binds tokens to the device they were issued on. If a stolen token is replayed from another device, it becomes invalid. This feature is enforced through Conditional Access policies, adding a critical layer of defense against phishing and malware-based attacks.


Key benefits include:

  • Device-bound tokens: Stops token replay attacks cold.

  • Seamless integration: Works with existing Conditional Access policies.

  • Coverage for Microsoft 365 apps: Protects Outlook, Teams, SharePoint, and more.
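To make the "device-bound token" idea concrete, here is a toy model of a proof-of-possession token next to a plain bearer token, showing why a token stolen by AiTM phishing and replayed from another device is rejected while a bearer token is not. This is an added example, not code from the original post and not how Entra implements Token Protection: Entra binds the token to an asymmetric device key (ideally TPM-backed), whereas this model uses an HMAC with a per-device secret as a stand-in, and every name, key and identifier in it is invented for the example.

```python
"""Toy model of a device-bound (proof-of-possession) token versus a plain
bearer token, to show why a replayed token fails from another device.
Example code added for illustration; not from the original post and not
Entra's actual mechanism (Entra uses an asymmetric device key; an HMAC with
a per-device secret stands in for it here). All names are invented."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # identity provider's token-signing key (constructed)

# Device registry: device_id -> device secret. In a real deployment the device
# holds a private key and the service holds only the public key; the shared
# secret here is a simplification so the example runs with the stdlib only.
DEVICE_KEYS = {}


def register_device(device_id):
    """Enrol a device and return the secret that never leaves it."""
    DEVICE_KEYS[device_id] = secrets.token_bytes(32)
    return DEVICE_KEYS[device_id]


def _sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_token(user, device_id=None):
    """Issue a token; passing a device_id adds a 'cnf' claim naming the bound device."""
    claims = {"sub": user}
    if device_id is not None:
        claims["cnf"] = {"kid": device_id}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body + b"." + base64.urlsafe_b64encode(_sign(ISSUER_KEY, body))


def parse_token(token):
    """Verify the issuer signature and return the claims; raise ValueError otherwise."""
    body, sig = token.split(b".")
    if not hmac.compare_digest(_sign(ISSUER_KEY, body), base64.urlsafe_b64decode(sig)):
        raise ValueError("bad issuer signature")
    return json.loads(base64.urlsafe_b64decode(body))


def make_proof(token, nonce, device_secret):
    """The presenting device proves possession of its key over the token and a
    server-supplied nonce; without the device secret this cannot be produced."""
    return _sign(device_secret, token + nonce)


def accept(token, nonce, proof=None):
    """Service-side check: return the user if the presentation is valid, else None."""
    try:
        claims = parse_token(token)
    except ValueError:
        return None
    cnf = claims.get("cnf")
    if cnf is None:
        return claims["sub"]  # plain bearer token: whoever holds it is accepted
    device_secret = DEVICE_KEYS.get(cnf["kid"])
    if device_secret is None or proof is None:
        return None
    if not hmac.compare_digest(make_proof(token, nonce, device_secret), proof):
        return None  # token presented without the bound device's key: replay rejected
    return claims["sub"]


def simulate_replay():
    """Legitimate device presentation vs. replay of the same tokens from elsewhere."""
    device_secret = register_device("laptop-01")
    bound = issue_token("alice@example.com", "laptop-01")
    bearer = issue_token("alice@example.com")
    nonce = secrets.token_bytes(16)
    other_device_key = secrets.token_bytes(32)  # the replaying host has no access to laptop-01's key
    return {
        "bound_from_device": accept(bound, nonce, make_proof(bound, nonce, device_secret)),
        "bound_replayed": accept(bound, nonce, make_proof(bound, nonce, other_device_key)),
        "bearer_replayed": accept(bearer, nonce),
    }


if __name__ == "__main__":
    for case, result in simulate_replay().items():
        print(f"{case}: {'accepted as ' + result if result else 'rejected'}")
```

The point the model makes is the one in the paragraph above: the token itself is not the secret. Possession of the device key is, so copying the token out of a session gives an attacker nothing usable on a second machine, while the bearer token is accepted wherever it is presented.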


How to Enable Token Protection


Implementing Token Protection is straightforward:

  1. Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.

  2. Browse to Protection > Conditional Access > Policies.

  3. Select New policy.

  4. Name your policy. We recommend creating a meaningful naming standard for policies.

  5. Under Assignments, select Users or workload identities:

    • Under Include, select the users or groups who are testing this policy.

    • Under Exclude, select Users and groups and choose your organization's emergency access or break-glass accounts.

  6. Under Target resources > Resources (formerly cloud apps) > Include > Select resources:

    1. Under Select, select the following applications:

      1. Office 365 Exchange Online

      2. Office 365 SharePoint Online

      3. Microsoft Teams Services

      4. If you deployed Windows App in your environment, include:

        1. Azure Virtual Desktop

        2. Windows 365

        3. Windows Cloud Login

    2. Choose Select.

  7. Under Conditions:

    • Device platforms:

      • Set Configure to Yes.

      • Include > Select device platforms > Windows.

      • Select Done.

    • Client apps:

      • Set Configure to Yes.

      • Under Modern authentication clients, only select Mobile apps and desktop clients. Leave other items unchecked.

      • Select Done.

  8. Under Access controls > Session, select Require token protection for sign-in sessions and select Select.

  9. Confirm your settings and set Enable policy to Report-only.

  10. Select Create to enable your policy.


After administrators have reviewed the report-only sign-in results and confirmed that the policy affects only the intended sign-ins, they can move the Enable policy toggle from Report-only to On.
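The same policy can be built and checked as code, which is useful for review before it is created and for confirming that a policy in the tenant still matches the intended design. The following is an added example, not code from the original post or from Microsoft: it produces the request body for the Microsoft Graph conditionalAccessPolicy resource with the settings from steps 5 to 9 (the `secureSignInSession` session control is how "Require token protection for sign-in sessions" is represented in that API, to the best of my knowledge on the beta endpoint), and a `review_policy` function that flags deviations such as a missing break-glass exclusion or a browser client being included. The group IDs are placeholders; the three application IDs are the well-known first-party IDs for Exchange Online, SharePoint Online and Teams and should be verified in your tenant; IDs for the Windows App resources in step 6 are not included and must be looked up.

```python
"""Build and review the Token Protection Conditional Access policy from the
steps above as a Microsoft Graph conditionalAccessPolicy request body.
Example code added for illustration; not from the original post or from
Microsoft. Group IDs are placeholders; app IDs are well-known first-party
application IDs (verify in your tenant)."""
import json

# Well-known application IDs for the three Microsoft 365 resources in step 6.
M365_APPS = {
    "Office 365 Exchange Online": "00000002-0000-0ff1-ce00-000000000000",
    "Office 365 SharePoint Online": "00000003-0000-0ff1-ce00-000000000000",
    "Microsoft Teams Services": "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
}

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph value for "Report-only"
ENFORCED = "enabled"                                # Graph value for "On"


def build_token_protection_policy(name, pilot_group_id, break_glass_group_id,
                                  extra_app_ids=(), enforce=False):
    """Return the body for POST /identity/conditionalAccess/policies.

    extra_app_ids: app IDs for Azure Virtual Desktop, Windows 365 and Windows
    Cloud Login if Windows App is deployed (step 6.4); look them up in your tenant.
    """
    return {
        "displayName": name,
        "state": ENFORCED if enforce else REPORT_ONLY,          # step 9: start in report-only
        "conditions": {
            "users": {                                           # step 5
                "includeGroups": [pilot_group_id],
                "excludeGroups": [break_glass_group_id],
            },
            "applications": {                                    # step 6
                "includeApplications": list(M365_APPS.values()) + list(extra_app_ids),
            },
            "platforms": {"includePlatforms": ["windows"]},      # step 7: Windows only
            "clientAppTypes": ["mobileAppsAndDesktopClients"],   # step 7: no browser clients
        },
        "sessionControls": {                                     # step 8
            "secureSignInSession": {"isEnabled": True},          # "Require token protection"
        },
    }


def review_policy(policy):
    """Check a policy body against the steps above; return a list of findings."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    session = policy.get("sessionControls") or {}
    if not (session.get("secureSignInSession") or {}).get("isEnabled"):
        findings.append("token protection session control is not enabled (step 8)")
    if not (users.get("excludeGroups") or users.get("excludeUsers")):
        findings.append("no break-glass exclusion: a faulty policy could lock out admins (step 5)")
    if cond.get("platforms", {}).get("includePlatforms") != ["windows"]:
        findings.append("device platforms should be Windows only (step 7)")
    if cond.get("clientAppTypes") != ["mobileAppsAndDesktopClients"]:
        findings.append("client apps should be mobile apps and desktop clients only (step 7)")
    if policy.get("state") not in (REPORT_ONLY, ENFORCED):
        findings.append("policy state should be report-only first, then on (step 9)")
    return findings


def to_graph_json(policy):
    """Serialise the body exactly as it would be sent to the Graph endpoint."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    body = build_token_protection_policy(
        "CA-Session-TokenProtection-Pilot",
        "<pilot-group-object-id>",        # placeholder
        "<break-glass-group-object-id>",  # placeholder
    )
    print(to_graph_json(body))
    print("findings:", review_policy(body) or "none")
```

Running `review_policy` against a policy exported from the tenant (the same JSON shape) is a cheap way to catch drift, for example someone widening the client app condition or removing the break-glass exclusion, before the policy is switched from report-only to on.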


Part of a Broader Strategy


Token Protection is a part of Microsoft’s comprehensive identity security strategy. Combined with:

  • Phishing-resistant MFA

  • Device compliance policies

  • Compliant network checks via Global Secure Access


you create a multi-layered defense against modern threats.


Final Thoughts


Phishing attacks aren’t slowing down, but token theft doesn’t have to be your next breach. By enabling Token Protection in Microsoft Entra Conditional Access, you’re taking a proactive step to secure your Microsoft 365 environment against advanced identity threats.


Ready to protect your organization? Contact us today to implement Token Protection and strengthen your security posture.



 
 
 
