Should We Exclude Personal Devices from Token Protection in Entra ID?

Asked By TechSavvyNinja92 On

I'm trying to figure out the best approach regarding Token Protection in Entra ID, which we've had enabled for all supported applications for several months now. For it to function properly, devices need to be Entra Joined, Hybrid Joined, or Workplace Joined. We've rolled out the token protection policy to all users, which has led to some BYOD (Bring Your Own Device) users having to enroll their personal devices. My question is: Should we implement a device filter to exclude unmanaged or personal devices from the token protection policy? Or would doing so undermine the purpose of token protection?

1 Answer

Answered By SecurityGuru01 On

Excluding unmanaged devices kind of defeats the point of token protection. The whole idea is that compliant tokens might be hijacked or exported. Token device binding is the next step, preventing tokens from being extracted and misused elsewhere. Ideally, you should enforce device compliance first so that only managed devices can access your environment. Just to note, the apps that support this are pretty limited, so it might not impact you much at this stage. Just keep that in mind!

CuriousUser22 -

Appreciate the insight! But I'm not quite clear on how device compliance ties into this. Can you elaborate on why it's crucial to enforce compliance before implementing token protection?
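As an added example (not part of the answer or any commenter's post), here is a small audit over a Conditional Access export that checks the two things the answer argues for: that no exclude-mode device filter carves devices out of the Token Protection policy, and that an enabled policy requires a compliant device for all users and all apps. The policy JSON shape follows the Microsoft Graph conditionalAccessPolicy resource, but the property names (especially `sessionControls.secureSignInSession`) are assumptions to verify against your own tenant export; the sample policies are constructed.

```python
from copy import deepcopy
def _dig(obj, *path):
    """Walk nested dicts; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj
def audit_token_protection(policies):
    """Return findings (empty list means no concerns) for Graph-style policy dicts."""
    findings, baseline = [], False
    for p in policies:
        if p.get("state") != "enabled":
            continue
        users = _dig(p, "conditions", "users", "includeUsers") or []
        apps = _dig(p, "conditions", "applications", "includeApplications") or []
        controls = _dig(p, "grantControls", "builtInControls") or []
        # A compliance baseline must cover every user and every app to be useful.
        if "All" in users and "All" in apps and "compliantDevice" in controls:
            baseline = True
        # Assumed Graph property for Token Protection (verify in your tenant).
        if _dig(p, "sessionControls", "secureSignInSession", "isEnabled"):
            flt = _dig(p, "conditions", "devices", "deviceFilter") or {}
            if flt.get("mode") == "exclude":
                findings.append(f"{p['displayName']}: exclude-mode device filter "
                                f"'{flt.get('rule')}' carves devices out of token protection")
    if not baseline:
        findings.append("no enabled policy requires a compliant device for all users and apps")
    return findings
# Constructed sample export: token protection on, but unmanaged devices are
# filtered out and nothing requires a compliant device.
WEAK_POLICIES = [{
    "displayName": "Token protection - all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["Office365"]},
        "devices": {"deviceFilter": {"mode": "exclude", "rule": "device.isCompliant -ne True"}},
    },
    "sessionControls": {"secureSignInSession": {"isEnabled": True}},
}]
def hardened_policies():
    """Same export with the exclusion removed and a compliant-device baseline added first."""
    tp = deepcopy(WEAK_POLICIES[0])
    tp["conditions"].pop("devices")
    baseline = {"displayName": "Require compliant device", "state": "enabled",
                "conditions": {"users": {"includeUsers": ["All"]},
                               "applications": {"includeApplications": ["All"]}},
                "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
    return [baseline, tp]
```

Running `audit_token_protection(WEAK_POLICIES)` reports both gaps, while `audit_token_protection(hardened_policies())` returns an empty list.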
