April 16, 2025


Understanding and Managing Tokens in Microsoft Entra ID – Part 1


Introduction:

In today’s cloud-based identity environments, understanding how authentication Tokens work — and managing them properly — is critical for maintaining strong security and implementing Zero Trust principles.

Microsoft Entra ID uses several types of Tokens to grant secure, seamless access across systems.

In this article, we’ll explore what these Tokens are, how they function, common pitfalls, and practical steps to handle them securely.

What are Tokens in Microsoft Entra ID?

Tokens are digital artifacts issued after a successful authentication that allow a user or device to access protected resources without repeatedly submitting credentials.

There are three primary types:

  • Access Token

Used to authorize access to APIs like Microsoft Graph, SharePoint Online, and other services.

Typically valid for 1 hour by default.

Technical note:

  • Short-lived; contains claims such as the user ID, roles, and scopes.

  • Audience (aud) claim defines the resource it grants access to.

  • Refresh Token

Allows the client to obtain a new Access Token without user interaction.

  • By default, Refresh Tokens have an expiration window of 90 days but can be invalidated earlier.

  • Refresh Tokens should be properly rotated and their usage monitored.

  • ID Token

Primarily used by applications to validate the user’s identity after sign-in.

  • Contains information like username, email, and authentication method.

  • Not designed to be used for API access.
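To make the claims described above concrete, here is an added example (not part of the original article) that decodes the payload of a JWT issued by Entra ID and reports the audience, the lifetime derived from the iat and exp claims, whether it is expired, whether it exceeds the 30-minute access token lifetime used later in this article, and whether the client declared itself CAE-capable via the xms_cc claim. The sample token is constructed inline and the signature is deliberately not verified; a real validator must check it against the tenant's published signing keys.

```python
import base64
import json
import time

# Limit matching the article's AccessTokenLifetime "00:30:00" policy example.
MAX_ACCESS_TOKEN_LIFETIME_SEC = 30 * 60


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here;
    production code must validate it against the tenant's signing keys."""
    _header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def inspect_token(token: str, now=None) -> dict:
    """Summarise the security-relevant claims: audience, lifetime, expiry
    state and whether the client can handle CAE claims challenges."""
    claims = decode_jwt(token)
    now = int(time.time()) if now is None else now
    lifetime = claims["exp"] - claims["iat"]
    return {
        "aud": claims.get("aud"),
        "lifetime_minutes": lifetime // 60,
        "exceeds_policy": lifetime > MAX_ACCESS_TOKEN_LIFETIME_SEC,
        "expired": now >= claims["exp"],
        # xms_cc containing "cp1" means the client understands claims
        # challenges, so CAE can revoke the token before it expires.
        "cae_capable_client": "cp1" in claims.get("xms_cc", []),
    }


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a CONSTRUCTED sample token with a dummy signature for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


# Constructed sample: a Microsoft Graph access token with the default 1-hour lifetime.
SAMPLE_ACCESS_TOKEN = _make_unsigned_jwt({
    "aud": "https://graph.microsoft.com", "iat": 1_700_000_000,
    "exp": 1_700_000_000 + 3600, "scp": "User.Read", "xms_cc": ["cp1"],
})

if __name__ == "__main__":
    print(inspect_token(SAMPLE_ACCESS_TOKEN, now=1_700_000_600))
```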


Known Challenges and Risks with Tokens

Even with strong identity protections, tokens themselves introduce some risks if not properly managed:

  • Token theft

Attackers can steal tokens through malware, session hijacking, phishing attacks, or browser vulnerabilities.

  • Token replay

A stolen token could be used to access protected resources without needing to re-authenticate.

  • Refresh token abuse

If a Refresh Token is compromised, it can be used to persist access for long periods, bypassing normal session expiry.

  • Lack of revocation mechanisms

Tokens remain valid until they expire unless an active revocation mechanism (such as CAE) is in place.


Best Practices for Managing Tokens

To securely manage Tokens, organizations should implement the following practices:

  • Configure Conditional Access (CA) token policies:

Require re-authentication or token refresh when critical risk signals occur (e.g., location changes, risk detections).

  • Use Phish-Resistant Authentication:

Implement strong methods like FIDO2 security keys or Certificate-Based Authentication (CBA) to minimize the chance of token theft.

  • Enable Continuous Access Evaluation (CAE):

CAE allows revoking tokens in near real-time based on risk events such as account disablement, password changes, or session revocations.

  • Token Lifetime Management:

Review and adjust token lifetime settings.

For sensitive applications or privileged roles:

  • Set shorter Access Token lifetimes (e.g., 30 minutes).

  • Use Refresh Token max inactivity and absolute lifetimes carefully.

  • Device and Session Management:

Prefer issuing tokens only to compliant, managed devices via Conditional Access.

Monitor device health and enforce reauthentication when compliance changes.


Practical Example: Secure Token Policies Configuration

Access Token Lifetime Policy (example):

# Creates a 30-minute access token lifetime policy with the legacy AzureAD module.
# Note: the AzureAD module is deprecated; Microsoft Graph PowerShell offers New-MgPolicyTokenLifetimePolicy.
# With -IsOrganizationDefault $false the policy only applies once assigned to an app (Add-AzureADApplicationPolicy).
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00"}}') `
                  -DisplayName "AccessToken30MinPolicy" `
                  -IsOrganizationDefault $false `
                  -Type "TokenLifetimePolicy"

Enabling Continuous Access Evaluation:

  • CAE is enabled by default for tenants created after January 2022.

  • For existing tenants:

Review Conditional Access policies and include cloud apps that support CAE (e.g., Exchange Online, SharePoint Online, Teams).

Phish-Resistant MFA Setup:

  • Enforce MFA registration using authentication strength policies.

  • Restrict MFA to methods classified as phishing-resistant (e.g., FIDO2, Windows Hello for Business).


Summary

Understanding the fundamentals of how Access, Refresh, and ID Tokens work is the first step toward building a resilient, token-secure environment.

Mismanaged tokens can easily become an attacker’s way into your organization — but by applying best practices like Conditional Access, CAE, strong authentication, and close lifetime management, you can significantly reduce this risk.

In the next article (Part 2), we’ll dive deeper into advanced protection methods and implementation strategies to further harden your token security.

For more details on token fundamentals:

https://learn.microsoft.com/en-us/entra/identity/devices/concept-tokens-microsoft-entra-id