April 16, 2025

Advanced Techniques for Securing Tokens in Microsoft Entra ID – Part 2

Introduction:

Building upon our previous discussion on token fundamentals, this article delves into advanced strategies to enhance token security in Microsoft Entra ID. We’ll focus on implementing Continuous Access Evaluation (CAE) in Strict Mode and extending CAE to workload identities. Each remediation step includes the required licensing information to assist in planning and implementation.


TL;DR:

Protecting tokens in Microsoft Entra ID requires proactive and technical measures:

  • Enforce Conditional Access policies that restrict sessions based on risk.

  • Implement Continuous Access Evaluation (CAE) in Strict Mode for real-time session revocation.

  • Extend CAE protections to workload identities (service principals).

  • Harden endpoints using Microsoft Defender for Endpoint and enforce compliance via Intune.

  • Use Token Binding to prevent replay attacks by tying tokens to devices.

  • Monitor risky workload identities and automate remediation.


Licensing at a glance:

  • Conditional Access ➔ Microsoft Entra ID P1

  • Risk-based CA policies, CAE, Token Protection ➔ Microsoft Entra ID P2

  • Defender for Endpoint & Intune ➔ Separate Defender for Endpoint Plan 1/2 and Intune Plan 1 licenses

Each step dramatically reduces the risk of token theft, session hijacking, and unauthorized access.


1. Enforce Conditional Access Token Protection Policies

Objective: Configure Conditional Access (CA) policies to enforce token protection, ensuring that tokens are bound to compliant devices and sessions are revoked upon risk detection.

Implementation Steps:

Create Conditional Access Policies:

  • Navigate to the Microsoft Entra admin center.

  • Go to Entra ID > Conditional Access > Policies.

  • Click on New policy and define the policy name.

  • Under Assignments, select the users or groups to include.

  • Under Cloud apps or actions, select the applications to apply the policy to.

  • Under Conditions, configure sign-in risk, device platforms, and locations as needed.

  • Under Access controls, choose Grant and select Require compliant device and/or Require Hybrid Azure AD joined device.

  • Enable the policy.

Licensing Requirement: Microsoft Entra ID P1 is required for Conditional Access. For risk-based policies, Microsoft Entra ID P2 is necessary.


2. Implement Continuous Access Evaluation (CAE) in Strict Mode

Objective: Utilize CAE in Strict Mode to enforce real-time session revocation when a user’s IP address changes to an untrusted location.

Implementation Steps:

Configure CAE in Strict Mode:

  • In the Microsoft Entra admin center, go to Entra ID > Conditional Access > Named locations.

  • Define trusted locations by specifying IP ranges.

  • Create a Conditional Access policy targeting all users and cloud apps.

  • Under Conditions, set Locations to include all locations and exclude the trusted locations.

  • Under Access controls, select Block access.

  • Enable Strict enforcement under the Session controls.

Licensing Requirement: Microsoft Entra ID P1 is required for Conditional Access.


3. Extend CAE to Workload Identities

Objective: Apply CAE to workload identities (service principals) to ensure real-time enforcement of access policies and token revocation.

Implementation Steps:

Enable CAE for Workload Identities:

  • Ensure that the application is registered in Microsoft Entra ID and is a single-tenant application.

  • Modify the application code to declare the cp1 client capability by sending the xms_cc claim in the access token request, so the resource can return a claims challenge and the client can retry with the required claims.

  • Configure Conditional Access policies targeting the service principal, setting conditions based on location and risk.

  • Monitor sign-in logs to verify CAE enforcement for workload identities.
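As an added example (not code from the original post), the client-side half of the xms_cc step in Python: declaring the cp1 capability through the claims-request JSON and parsing the claims challenge that a CAE-enabled resource returns in a 401 response before retrying the token request. The sample WWW-Authenticate header and its nbf value are constructed for this example, and the token call itself is omitted so the code runs offline.

```python
# Added example (not from the original post): how a CAE-capable workload
# identity declares the cp1 capability and handles a claims challenge.
# Standard library only; the actual token call is omitted so this runs offline.
# MSAL for Python does this merging for you via client_capabilities=["cp1"]
# and the claims_challenge argument of acquire_token_for_client.
import base64
import json
import re

CLIENT_CAPABILITIES = ["cp1"]  # cp1 = "this client understands CAE claims challenges"


def capability_claims(capabilities=CLIENT_CAPABILITIES):
    """xms_cc claims-request JSON sent with every token request."""
    return {"access_token": {"xms_cc": {"values": list(capabilities)}}}


def parse_claims_challenge(www_authenticate):
    """Return the claims object from a 401 WWW-Authenticate header, or None
    when the 401 is not a CAE claims challenge (e.g. error="invalid_token")."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))
    if params.get("error") != "insufficient_claims" or "claims" not in params:
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # services may strip base64 padding
    return json.loads(base64.b64decode(raw))


def merge_claims(challenge, capabilities=CLIENT_CAPABILITIES):
    """Combine the challenge with xms_cc so the retried request stays CAE-capable."""
    merged = capability_claims(capabilities)  # fresh dict on every call
    for token_type, claims in challenge.items():
        merged.setdefault(token_type, {}).update(claims)
    return merged


# Constructed sample: the resource rejects tokens issued before 1604106651
# (the nbf claim), the kind of challenge sent after a revocation event.
SAMPLE_CHALLENGE = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
SAMPLE_HEADER = (
    'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="'
    + base64.b64encode(json.dumps(SAMPLE_CHALLENGE).encode()).decode().rstrip("=") + '"'
)

if __name__ == "__main__":
    print(json.dumps(merge_claims(parse_claims_challenge(SAMPLE_HEADER))))
```

The merged object is what goes into the claims parameter of the retried token request; a None result from parse_claims_challenge means the 401 is an ordinary authentication failure, not a CAE revocation.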

Licensing Requirement: Microsoft Entra ID P1 is required for Conditional Access. For risk-based policies, Microsoft Entra ID P2 is necessary.


4. Harden Devices Against Token Theft

Objective: Strengthen endpoint security to prevent token theft and replay attacks.

Implementation Steps:

Deploy Microsoft Defender for Endpoint:

  • Ensure all devices are onboarded to Microsoft Defender for Endpoint.

  • Enable real-time protection, cloud-delivered protection, and tamper protection.

  • Configure attack surface reduction rules to prevent credential theft.

Implement Intune Compliance Policies:

  • Define compliance policies that require devices to have Microsoft Defender for Endpoint enabled and healthy.

  • Use Conditional Access to restrict access to compliant devices only.

Licensing Requirement: Microsoft Defender for Endpoint Plan 1 or Plan 2 and Microsoft Intune Plan 1 are required.


5. Utilize Token Binding

Objective: Bind tokens to specific devices to prevent token replay on unauthorized devices.

Implementation Steps:

Enable Token Protection:

  • In the Microsoft Entra admin center, go to Entra ID > Conditional Access > Policies.

  • Create a new policy targeting users and applications.

  • Under Session, enable Token protection.

  • Configure the policy to require token binding to the device.

Licensing Requirement: Microsoft Entra ID P2 is required for token protection features.


6. Monitor and Respond to Risky Workload Identities

Objective: Detect and remediate compromised workload identities using Microsoft Entra ID Protection.

Implementation Steps:

Enable Microsoft Entra ID Protection:

  • In the Microsoft Entra admin center, go to Entra ID Protection > Risky workload identities.

  • Review detected risks and configure automated responses, such as disabling the service principal or requiring reauthentication.

  • Set up alerts and notifications for high-risk detections.

Licensing Requirement: Microsoft Entra ID P2 is required for risk-based Conditional Access and access to detailed risk reports.


Conclusion

Implementing these advanced strategies enhances the security posture of your organization by ensuring that tokens are protected against theft and misuse. By leveraging features like CAE in Strict Mode and extending protections to workload identities, you can enforce real-time access controls and reduce the risk of unauthorized access.

For further guidance and support, consider consulting with your Microsoft account representative or a certified Microsoft partner to tailor these implementations to your organization’s specific needs.