Microsoft Entra ID’s Conditional Access token protection binds a sign-in session token to the device it was issued on, so a token stolen from that device cannot be replayed from another one. However, certain devices and applications do not support this feature, and a policy that requires token protection will block their access. Below is a detailed breakdown of unsupported scenarios.
Unsupported Applications
- Office perpetual clients (non-subscription versions)
- PowerShell modules accessing SharePoint
- PowerQuery extension for Excel
- Visual Studio Code extensions accessing Exchange or SharePoint
Unsupported Windows Devices
- Surface Hub
- Windows-based Microsoft Teams Rooms (MTR) systems
- Microsoft Entra joined Azure Virtual Desktop session hosts
- Bulk-enrolled Windows devices
- Windows 365 Cloud PCs (Microsoft Entra joined)
- Power Automate hosted machine groups (Microsoft Entra joined)
- Windows Autopilot (self-deploying mode)
- Azure VMs with Microsoft Entra authentication via VM extension
- Legacy Windows devices (pre-24H2) requiring re-registration
Microsoft Entra Conditional Access token protection explained
You Should Know:
How to Check Device Compliance (Intune-managed devices, via Microsoft Graph)
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All | Select-Object DeviceName, OperatingSystem, OsVersion, ComplianceState
Blocking Legacy Authentication via Conditional Access
New-MgIdentityConditionalAccessPolicy -DisplayName "Block Legacy Auth" -State "enabled" -Conditions @{ Users = @{ IncludeUsers = @("All") }; Applications = @{ IncludeApplications = @("All") }; ClientAppTypes = @("exchangeActiveSync", "other") } -GrantControls @{ Operator = "OR"; BuiltInControls = @("block") }
The Graph API rejects a policy without Users and Applications conditions, and the hashtable entries must be separated by `;`. Pilot with `-State "enabledForReportingButNotEnforced"` before switching to `enabled`.
Forcing Re-Registration for Windows Devices
Microsoft Graph has no re-register action for device objects; re-registration is done on the device itself. Check the current join state, leave, and then join or sync the device again:
dsregcmd /status
dsregcmd /leave
Auditing Unsupported Token Flows
SigninLogs | where TokenIssuerType == "AzureAD" | where ResultType == "53003" | project TimeGenerated, UserPrincipalName, AppDisplayName, DeviceDetail, ConditionalAccessPolicies
Enforcing MFA for High-Risk Sessions
New-MgIdentityConditionalAccessPolicy -DisplayName "MFA for Risky Sign-ins" -State "enabled" -Conditions @{ Users = @{ IncludeUsers = @("All") }; Applications = @{ IncludeApplications = @("All") }; SignInRiskLevels = @("high") } -GrantControls @{ Operator = "OR"; BuiltInControls = @("mfa") }
What Undercode Say:
Microsoft Entra’s token protection is a critical security layer, but legacy systems and niche applications often fall outside its coverage. Organizations must:
- Audit unsupported devices using `Get-MgDevice`
- Migrate from perpetual Office to Microsoft 365
- Monitor sign-in logs for `53003` errors
- Enforce MFA where token binding isn’t possible
- Automate device compliance checks with PowerShell
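As an added example that is not part of the original post, the Microsoft Graph PowerShell script below carries out the audit step above with `Get-MgDevice`: it flags Windows devices that are still on a pre-24H2 build (build 26100 is used as the threshold) or whose model is a Surface Hub, so they can be re-registered or excluded before a token protection policy is enforced. The threshold and the model match are this example's own heuristics, and the other unsupported categories (Teams Rooms, AVD hosts, bulk-enrolled devices) are not identifiable from the device object alone.

```powershell
# Added example: audit Microsoft Entra Windows devices for token protection readiness.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can consent to Device.Read.All.
Connect-MgGraph -Scopes "Device.Read.All" -NoWelcome

# Windows 11 24H2 is build 26100; older builds must be re-registered first (heuristic, see lead-in)
$minSupportedBuild = 26100

function Get-TokenProtectionReadiness {
    param([Parameter(Mandatory)] [object[]] $Devices)
    foreach ($d in $Devices) {
        # OperatingSystemVersion looks like "10.0.22631.4037"; the third field is the OS build
        $build = 0
        if ($d.OperatingSystemVersion -match '^\d+\.\d+\.(\d+)') { $build = [int]$Matches[1] }

        $reasons = @()
        if ($build -lt $minSupportedBuild) { $reasons += "pre-24H2 build $build (re-register)" }
        if ($d.Model -match 'Surface Hub')  { $reasons += "Surface Hub is unsupported" }
        # Teams Rooms, AVD session hosts and bulk-enrolled devices look like ordinary Windows
        # devices here; tag them from Intune or your naming convention and exclude them explicitly.

        [pscustomobject]@{
            DisplayName = $d.DisplayName
            Build       = $build
            TrustType   = $d.TrustType      # AzureAd, ServerAd (hybrid) or Workplace (registered)
            Ready       = ($reasons.Count -eq 0)
            Reasons     = ($reasons -join '; ')
        }
    }
}

$windowsDevices = Get-MgDevice -All -Filter "operatingSystem eq 'Windows'" `
    -Property Id, DisplayName, OperatingSystem, OperatingSystemVersion, TrustType, Model

$report = Get-TokenProtectionReadiness -Devices $windowsDevices
$report | Sort-Object Ready, DisplayName | Format-Table -AutoSize
# Devices that would be blocked by an enforced token protection policy
$report | Where-Object { -not $_.Ready } | Export-Csv .\token-protection-gaps.csv -NoTypeInformation
```

Run the report against a report-only token protection policy first and compare the flagged devices with the `53003` sign-ins from the KQL query above.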
For hybrid environments, Microsoft Entra Connect Health (in the Entra admin center) tracks device sync issues. Note that the Azure CLI command below queries Azure Arc-enabled servers, not Entra Connect Health; it is useful for inventorying Arc-connected Windows machines:
az connectedmachine list --query "[?osName=='windows'].{name:name, status:status}"
Expected Output (illustrative):
[ { "name": "WIN-ENTRA-DEVICE", "status": "Connected" } ]
Prediction
As Microsoft phases out legacy auth, expect tighter integration between Windows 24H2+ and Entra ID, with automatic token binding for all enrolled devices. Unsupported apps (e.g., PowerQuery) may require API-based workarounds.
2025 Roadmap: Microsoft Entra will enforce token binding universally, deprecating bypass methods for bulk-enrolled devices.
References:
Reported By: Francescofaenzi Microsoft – Hackers Feeds