July 30, 2025
Blog
Howdy folks,
I wanted to share something that comes up in almost every identity security conversation I have — there’s still a lot of confusion when it comes to Microsoft 365 Conditional Access and the different layers of identity protection available.
People often assume that enabling MFA is enough, or that Passkeys automatically protect against token theft. Others believe device compliance covers session hijacking, or that Conditional Access policies alone can enforce Zero Trust. The reality is more nuanced.
The problem isn’t the lack of features — Microsoft has released powerful capabilities over the last couple of years — it’s that each control is designed to solve a very specific problem, and they don’t fully replace one another. If you deploy them without understanding what they actually do (and don’t do), you end up with false confidence and exposed gaps.
This blog breaks it all down:
- What each control protects (and what it doesn’t)
- Where the overlaps are — and where they clearly aren’t
- The trade-offs in deployment, complexity, and user impact
- And most importantly: where to start based on the kind of environment you’re working in
The goal isn’t to turn on everything. The goal is to build a protection model that actually matches how your users work, where your risks are, and what you can realistically maintain.
The 4 Controls You Should Know
Microsoft provides four advanced identity/session controls that target different parts of the attack chain:
- Passkeys – Prevent phishing with passwordless, device-bound authentication
- Compliant Device – Ensure users are only accessing data from secure devices
- Token Protection – Prevent attackers from reusing stolen session tokens
- CAE Strict – Monitor and revoke sessions based on location/IP anomalies
These controls work best when combined, but each one has specific strengths, gaps, and deployment considerations.
Security Method | What It Solves | Strong For | Weak Against | Considerations |
---|---|---|---|---|
1. Passkeys (Phishing-Resistant MFA) | Eliminates passwords by using a device-stored private key (e.g., TPM or security key) | Credential phishing; push fatigue; MFA fatigue and fake portals | Token theft after login; session hijack; device-based threats | Requires compatible devices; needs a backup method (e.g., Temporary Access Pass); slight learning curve for users |
2. Compliant Devices | Blocks access from untrusted or non-compliant devices using MDM (e.g., Intune) | Malware-infected or jailbroken devices; unencrypted laptops; enforcing BYOD restrictions | Credential theft; token replay; compromised sessions from otherwise compliant devices | High effort for BYOD environments; requires device enrollment and policy configuration; privacy concerns in mixed-use (personal/work) setups |
3. Token Protection | Prevents use of stolen tokens on other devices by cryptographically binding tokens to the device | Token replay; session hijack; post-compromise persistence | Credential phishing; poor device hygiene; limited to native Microsoft 365 apps on Windows | Transparent to users; easy to deploy in Entra-joined Windows environments; not supported on browsers, mobile, or macOS |
4. CAE Strict Location Enforcement | Continuously validates IP/location; revokes sessions on unexpected changes | VPN-based access control; proxy or spoofed location detection; mid-session hijack detection | Credential theft at sign-in; token theft within the allowed IP range; device-level threats | Ineffective with split-tunnel VPNs; requires known/static egress IPs; most suitable for fixed-location or VDI-style deployments |
How They Work Together:
No single control covers everything. Each addresses a different part of the identity stack:
Control | Phishing | Bad Devices | Token Replay | Location/IP Hijack |
---|---|---|---|---|
Passkeys | Yes | No | No | No |
Compliant Device | No | Yes | No | No |
Token Protection | No | No | Yes | Yes |
CAE Strict | No | No | Yes | Yes |
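One way to turn the matrix above into a tenant check is to walk an exported set of Conditional Access policies and record which of the four controls each enforced policy actually applies. The script below is an added example, not code from the post or from Microsoft; the field names (`grantControls.builtInControls`, `grantControls.authenticationStrength.id`, `sessionControls.secureSignInSession`, `sessionControls.continuousAccessEvaluation.mode`) and the built-in "Phishing-resistant MFA" strength id follow the Graph conditionalAccessPolicy schema as I understand it and should be treated as assumptions to verify against your own export.

```python
"""Map exported Entra Conditional Access policies to the four controls from the post.
Hypothetical helper: field names and the strength id are assumptions about the Graph
schema, not taken from the post; verify them against a real tenant export."""
import json

# Assumed built-in authentication strength id for "Phishing-resistant MFA".
# Note: that strength also admits FIDO2 keys and certificate-based auth, not only passkeys.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
CONTROLS = ("Passkeys", "Compliant Device", "Token Protection", "CAE Strict")


def controls_enforced(policy):
    """Return the subset of CONTROLS that a single policy document enforces."""
    found = set()
    grant = policy.get("grantControls") or {}
    session = policy.get("sessionControls") or {}
    if (grant.get("authenticationStrength") or {}).get("id") == PHISHING_RESISTANT_STRENGTH_ID:
        found.add("Passkeys")
    if "compliantDevice" in (grant.get("builtInControls") or []):
        found.add("Compliant Device")
    if (session.get("secureSignInSession") or {}).get("isEnabled"):
        found.add("Token Protection")  # token protection is a session control
    if (session.get("continuousAccessEvaluation") or {}).get("mode") == "strictLocation":
        found.add("CAE Strict")
    return found


def coverage_gaps(export_json):
    """Map each control to the names of enabled policies enforcing it.
    Report-only and disabled policies are skipped: they enforce nothing yet."""
    coverage = {c: [] for c in CONTROLS}
    for policy in json.loads(export_json):
        if policy.get("state") != "enabled":
            continue
        for control in controls_enforced(policy):
            coverage[control].append(policy["displayName"])
    return coverage


# Constructed sample export: two enforced policies plus one still in report-only mode.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "Require phishing-resistant MFA for admins", "state": "enabled",
     "grantControls": {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID}}},
    {"displayName": "Token protection for Exchange and SharePoint", "state": "enabled",
     "sessionControls": {"secureSignInSession": {"isEnabled": True}}},
    {"displayName": "Strict location (pilot)", "state": "enabledForReportingButNotEnforced",
     "sessionControls": {"continuousAccessEvaluation": {"mode": "strictLocation"}}},
])

if __name__ == "__main__":
    for control, names in coverage_gaps(SAMPLE_EXPORT).items():
        print(f"{control:17} {'enforced by: ' + ', '.join(names) if names else 'GAP (no enabled policy)'}")
```

On the constructed sample the report flags Compliant Device and CAE Strict as gaps, the latter because the strict-location policy is still in report-only mode.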
Deployment Trade-offs:
Control | Security Value | User Impact | Deployment Effort |
---|---|---|---|
Passkeys | High | Medium | Medium |
Compliant Device | High | Medium | High |
Token Protection | Medium | Low | Low |
CAE Strict | Medium | Low | High |
Each control brings value. The key is to combine them in a way that matches your users, infrastructure, and attack surface.
Summary:
These four controls — Passkeys, Compliant Devices, Token Protection, and CAE Strict — aren’t redundant. They’re designed to solve different problems, at different layers of identity protection.
One handles phishing.
Another enforces device trust.
The others protect sessions after login.
If you’re relying on MFA alone or using Conditional Access without understanding the role of each layer, there’s a good chance you’re leaving real gaps — especially around token replay, unmanaged devices, and session hijacking.
Real-World Use Case: CAE Strict + Always-On VPN:
In one of our recent customer deployments, we enabled CAE Strict Location Enforcement in an environment using Always-On VPN with full-tunnel routing (ensuring both authentication and Microsoft 365 services route through the same corporate egress IPs).
The goal: block any attempt to replay stolen tokens — even from valid, successful sign-ins — across Microsoft Graph-connected apps.
Because all traffic exits through known, static IPs, CAE was able to continuously validate the session location in real time. If a token was replayed from an unexpected IP — even with a valid refresh token — access was immediately revoked, without waiting for the next interactive sign-in.
Without CAE Strict, Conditional Access evaluates location only at the time of sign-in. After that, a stolen token can still be replayed for up to an hour — or up to 28 hours in some cases where the app is CAE-aware but doesn’t use strict enforcement. During that time, the attacker can use Microsoft Graph, SharePoint, Teams, or other SSOed services from a geography or IP that would normally be blocked by policy.
With CAE Strict, that gap is closed. Access is continuously enforced at the resource level, and any IP anomaly results in immediate session revocation.
For customers with full-tunnel VPN and fixed egress points, CAE Strict delivers real value — especially in environments concerned with API misuse, token theft, and lateral movement via session replay.
What actually matters is clarity:
- Knowing what each control is built to protect
- Deciding where to begin based on your users, devices, and risk model
- Being smart about user experience, deployment overhead, and licensing limits
You don’t need to roll everything out at once. But you do need a plan that’s built on the right foundations — not assumptions.
At Griffin31, we’ve mapped all four controls into the platform. We can tell you exactly which ones are already working in your tenant, where the gaps are, and what the right next step looks like — based on your actual usage, role types, and environment.