Investigate use of token protection

[schrolla]

💡 Summary

Review Entra ID token protection feature (currently in preview) as a possible target for a future baseline policy item. Consider if it affects existing policies, augments them, or warrants a new policy.

Motivation and context

Attacks and mitigation techniques continue to evolve. Microsoft has added a new conditional access feature called "Token Protection for Sign-in Sessions" based on token stealing attacks seen in the wild increasing throughout 2023. The project should evolve with available technologies and protections. The purpose of this issue is to perform a hands-on evaluation of this feature and determine if a new Azure AD baseline policy would add value.

Additional details of new token protection feature here:
Entra ID Token Protection for Sign-In Sessions
Token Tactics - How to Prevent, Detect, and Respond to cloud token theft

Implementation notes

Please provide details for implementation, such as:

• Review available documentation on token protection, related attacks, and efficacy
• Test token protection in test tenant against attack scenarios
• Review and analyze results of token protection testing
• Make a recommendation on whether or not token protection warrants inclusion in policy along with a candidate policy changes and associated implementation guidance.

Acceptance criteria

How do we know when this work is done?

• Documentation on token protection, related attacks, and efficacy reviewed
• Token protection successfully tested in tenant against attack scenarios
• Results of token protection testing analyzed for effectiveness
• Policy recommended changes and implementation instructions drafted

[schrolla]

Looks like this is a duplicate of existing issue #339, but since this has additional detail merging into this issue and closing other as duplicate.

[schrolla]

Target for exploration in 2HCY24.

[tkol2022]

@gdasher We have had this issue lingering for a while and I happen to come across a Microsoft article highlighting the new token protection feature on conditional access recently. I just checked the G5 tenant and the ability to configure "Require token protection for sign-in sessions" is available. Microsoft is only supporting Exchange Online and Sharepoint Online right now but since email is a hot attack vector there is still value in configuring the policy. I could see this as a potential new SHOULD policy in a future baseline update. Can you help us prioritize a hands-on exploration of this? Which release do you think this makes sense for?
When the time is right, I can assign someone to conduct an impact analysis to see how the conditional access policy works in practice.

[gdasher]

I suggest we wait a bit more. I strongly support us making this a should policy, but suggest we tackle in the 1H 2025 timeframe.

[schrolla]

@gdasher Relooking at this token protection feature now that we are in 1H 2025. Looking at if we want to prioritize looking into this for potential policy impacts given the recent BOD release.