
Microsoft has expanded Token Protection in Entra Conditional Access to now support the Windows App, enhancing security for Azure Virtual Desktop (AVD) and Windows 365. This update allows organizations to enforce stricter authentication controls, reducing the risk of unauthorized access through token theft.
🔗 Reference: Microsoft Learn – Token Protection
You Should Know: Implementing Token Protection in Entra ID
1. Enable Token Protection in Conditional Access
To enforce token protection for AVD and Windows 365, configure a Conditional Access Policy in Microsoft Entra ID:
PowerShell Command to Check Token Protection Status
# Token protection is exposed as a session control (secureSignInSession) in Microsoft Graph, so read it from SessionControls rather than GrantControls
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.DisplayName -eq "Token Protection Policy" } | Select-Object State, @{ Name = "TokenProtection"; Expression = { $_.SessionControls.SecureSignInSession.IsEnabled } }
Azure CLI Command
az rest --method GET --url 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' --headers 'Content-Type=application/json'
2. Enforce Token Protection for Windows App
- Navigate to Microsoft Entra Admin Center → Security → Conditional Access → New Policy.
- Under Cloud apps or actions, select Windows App.
- Under Conditions, set Device platforms to Windows.
- Under Grant, enable Require token protection.
PowerShell to Apply Policy
# In Graph, "Require token protection" is the secureSignInSession session control, not a built-in grant control; a valid policy also needs users and applications in scope. Replace the placeholder with the Windows App application ID shown in your tenant's cloud apps picker.
New-MgIdentityConditionalAccessPolicy -DisplayName "Token Protection for Windows App" -State "enabled" -Conditions @{ users = @{ includeUsers = @("All") }; applications = @{ includeApplications = @("<windows-app-application-id>") }; platforms = @{ includePlatforms = @("windows") } } -SessionControls @{ secureSignInSession = @{ isEnabled = $true } }
3. Verify Token Protection in AVD Sessions
Check token protection logs in Azure Monitor:
SigninLogs | where AppDisplayName == "Windows App" | where ConditionalAccessPolicies has "tokenProtection" | project TimeGenerated, UserPrincipalName, ConditionalAccessStatus
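The following is an added example and not part of the original post: it carries steps 2 and 3 through in Microsoft Graph PowerShell, first creating the policy in report-only mode so the sign-in logs show its impact before anyone is blocked, then auditing every policy in the tenant for token protection. It assumes the Microsoft.Graph SDK exposes the secureSignInSession session control (the setting the portal labels "Require token protection for sign-in sessions"), and `$windowsAppId` and the break-glass account ID are placeholders to fill from your own tenant.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph module is installed.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders: look these up in the Entra admin center for your tenant.
$windowsAppId    = "<windows-app-application-id>"
$breakGlassUser  = "<break-glass-account-object-id>"

# In Graph, token protection is a *session* control (secureSignInSession), not a grant control.
$policy = @{
    displayName = "Token Protection for Windows App"
    # Report-only first: sign-in logs record what WOULD be blocked without affecting users.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUser) }
        applications   = @{ includeApplications = @($windowsAppId) }
        platforms      = @{ includePlatforms = @("windows") }
        # Token protection applies to desktop clients, not browser sessions.
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Audit: which policies enforce token protection, and do they actually cover Windows App?
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.SecureSignInSession.IsEnabled -eq $true } |
    ForEach-Object {
        [pscustomobject]@{
            Name              = $_.DisplayName
            State             = $_.State
            TargetsWindowsApp = $_.Conditions.Applications.IncludeApplications -contains $windowsAppId
            Platforms         = ($_.Conditions.Platforms.IncludePlatforms -join ",")
        }
    } | Format-Table -AutoSize
```

Switch `state` to `enabled` only after the report-only results in the SigninLogs query above show no unexpected failures for real users.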
4. Secure Azure Virtual Desktop (AVD) with Intune
Deploy Intune Compliance Policies to ensure devices meet security requirements before accessing AVD:
# Microsoft.Graph.Intune module: the policy type is selected with a switch, and the threat-protection level only applies when threat protection is enabled
New-IntuneDeviceCompliancePolicy -windows10CompliancePolicy -displayName "AVD Token Protection Compliance" -description "Ensures token protection is enforced" -deviceThreatProtectionEnabled $true -deviceThreatProtectionRequiredSecurityLevel secured
What Undercode Says
Token protection in Entra Conditional Access is a game-changer for securing Azure Virtual Desktop and Windows 365, especially in BYOD (Bring Your Own Device) scenarios. By enforcing token protection, organizations mitigate risks like session hijacking and credential theft.
Key Linux & Windows Commands for Enhanced Security
- Check Active Tokens (Linux):
sudo journalctl -u entra-token-service --no-pager -n 50
- Revoke Suspicious Sessions (Windows):
Revoke-AzureADUserAllRefreshToken -ObjectId (Get-AzureADUser -SearchString "<user@domain>").ObjectId
- Monitor Entra ID Logs (Azure CLI):
az monitor activity-log list --resource-provider "Microsoft.AAD" --query "[].{Operation:operationName.localizedValue, Status:status.localizedValue}"
- Force Reauthentication (Linux AVD Client):
remmina -k
This update ensures zero-trust security by validating tokens before granting access. Organizations should immediately adopt this feature to prevent lateral movement attacks in cloud environments.
Expected Output:
- Token Protection now secures Windows App for AVD & Windows 365.
- PowerShell & CLI commands for policy enforcement.
- Log verification via Azure Monitor & Intune.
- Linux & Windows commands for enhanced session security.
Reported By: Jan Bakker – Hackers Feeds