Should We Exclude Unmanaged Devices from Token Protection Policy?

Asked By TechSavvyNinja42 On

Hey everyone! I'm trying to get my head around Token Protection in Entra ID. We've had it enabled for all compatible applications for a few months now, but this has led to some BYOD users needing to enroll their personal devices since the policy requires that devices be Entra Joined, Hybrid Joined, or Workplace Joined. My dilemma is whether we should include a device filter to exclude unmanaged or personal devices from this token protection policy. Would that defeat the purpose of having token protection in the first place?

3 Answers

Answered By ITWhizKid On

I'd say definitely exclude BYOD from the policy. Token protection should focus on corporate-managed devices only. This way, you still address about 90% of the token-replay risks by managing your fleet while avoiding the backlash of forcing personal devices into MDM. Remember, if security can't be properly managed by IT, you're just inviting shadow IT to take over.

Answered By CyberSecurityBard On

I recommend excluding BYOD as well. Instead, consider giving them web-only conditional access. This approach still helps mitigate replay attacks while avoiding unnecessary issues like phone support for iPhones.

Answered By SecGeek88 On

Excluding unmanaged devices seems counterproductive. The main goal of token protection is to prevent hijacked and exported tokens from being used elsewhere. The next step in security is token device binding, which stops this extraction altogether. If you haven't enforced device compliance yet, only allowing managed devices means you shouldn't even be at this point. Plus, support for apps is somewhat limited, so it's not that big of a deal anyway.
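Whichever way the question is settled, the change being discussed is a device filter on the Conditional Access policy that carries the Token Protection session control. The script below is an added example, not code from the asker or any of the answers: it creates the two variants (today's unscoped policy and one scoped to corporate devices) side by side in report-only mode through the Microsoft Graph beta endpoint, so their effect on real sign-ins can be compared before either is enforced. It assumes the Microsoft.Graph PowerShell module is installed, the caller holds Policy.ReadWrite.ConditionalAccess, the pilot group ID is a placeholder to replace, and the application IDs are the well-known Exchange Online and SharePoint Online service principal IDs that Token Protection supports on Windows desktop and mobile clients.

```powershell
# Added example (not from the thread): two report-only Conditional Access policies
# with the Token Protection session control (Graph beta: sessionControls.secureSignInSession),
# one unscoped and one limited to corporate devices through a device filter.
# Assumptions: Microsoft.Graph module installed, Policy.ReadWrite.ConditionalAccess granted,
# $pilotGroupId is a placeholder you must replace with a real group object ID.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$pilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

# Well-known app IDs for the workloads Token Protection supports.
$tokenProtectedApps = @(
    "00000002-0000-0ff1-ce00-000000000000",  # Office 365 Exchange Online
    "00000003-0000-0ff1-ce00-000000000000"   # Office 365 SharePoint Online
)

function New-TokenProtectionPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [hashtable] $DeviceFilter   # optional: @{ mode = "include"|"exclude"; rule = "..." }
    )

    # Token Protection applies to desktop/mobile clients on Windows; browsers are out of scope.
    $conditions = @{
        clientAppTypes = @("mobileAppsAndDesktopClients")
        platforms      = @{ includePlatforms = @("windows") }
        applications   = @{ includeApplications = $tokenProtectedApps }
        users          = @{ includeGroups = @($pilotGroupId) }
    }
    if ($DeviceFilter) {
        $conditions.devices = @{ deviceFilter = $DeviceFilter }
    }

    $policy = @{
        displayName     = $DisplayName
        state           = "enabledForReportingButNotEnforced"   # report-only: evaluate, don't block
        conditions      = $conditions
        sessionControls = @{
            secureSignInSession = @{ isEnabled = $true }        # Token Protection
        }
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies" `
        -Body ($policy | ConvertTo-Json -Depth 10) `
        -ContentType "application/json"
}

# Variant A: the asker's current shape, every Windows client in scope, so BYOD users
# must register (workplace join) before their tokens can be bound.
New-TokenProtectionPolicy -DisplayName "Token protection - all devices (report-only)"

# Variant B: corporate devices only. An include-mode filter with a positive operator
# matches only registered devices whose trustType is Entra joined ("AzureAD") or
# hybrid joined ("ServerAD"); workplace-registered and unregistered devices fall
# outside the policy and are no longer asked to enroll.
New-TokenProtectionPolicy -DisplayName "Token protection - managed devices (report-only)" `
    -DeviceFilter @{
        mode = "include"
        rule = 'device.trustType -in ["AzureAD", "ServerAD"]'
    }
```

The reason for include mode with a positive operator rather than exclude mode with a negative one: an unregistered personal device has no device object for the filter to read, so a positive match never fires for it, while negative operators (-ne, -notIn) evaluate true against missing attributes and would pull unregistered devices back into scope. Leave both policies in report-only long enough to compare them in the sign-in logs (Conditional Access tab) before changing the chosen one to "enabled", and delete the other so the two never run enforced together.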
