Hey everyone, I need some help reflecting on a mistake I made while trying to improve our security setup. I tried to enable token protection CA policies for accounts in my control, including my own—definitely learned that lesson the hard way!
I set a policy that required re-authentication with MFA every seven days for Office 365 and AAD Admin portals and added token protection. Then, I had another policy for other cloud apps that required a shorter session with the same re-authentication + MFA rules.
The problem popped up when I included support for iOS, Windows, macOS, and all login methods in my Token Protection policy. After enabling it, our Edge profiles were completely locked out, forcing us to sign in repeatedly without success, and we couldn't access any web apps. However, apps like Authenticator, Teams, and Outlook on mobile worked just fine, but we had to re-enroll those.
After even removing and setting up my Edge profile again, the same authentication loop persisted. I had to call in another team that wasn't affected by these policies to undo my changes just to get everything back to normal.
I have a feeling I missed something crucial, perhaps about needing to enroll our PCs in Entra ID or Intune, since they're only joined to a local domain with standard AAD sync. I'm planning to re-read the Token Protection docs to find what I might have missed. Has anyone here dealt with similar issues? I'd appreciate any guidance! Thanks in advance!
2 Answers
You’re right about the docs! They specify that token protection mainly supports joined Windows devices, and currently only SharePoint and Exchange Online. It's crucial to exclude your admin accounts too, since they typically shouldn't be logging into those apps regularly. Also, be careful with browsers that don’t disclose your device status, like Brave or incognito tabs in Edge. Always test changes on a small group first before going big!
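To make the scoping advice in this answer checkable before a policy is switched on, here is an added example (not code from the thread or from Microsoft) that lints a Conditional Access policy in the Microsoft Graph conditionalAccessPolicy JSON shape, assuming `secureSignInSession` is the token protection session control and that the enum casing (`windows`, `All`, `all`) matches what Graph returns. Both policy objects are constructed for illustration; the pilot group ID is a placeholder.

```python
# Well-known first-party app IDs and the Global Administrator role template ID (public Microsoft values).
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

def lint_token_protection_policy(policy: dict) -> list[str]:
    """Return the scoping mistakes from this thread found in a policy; an empty list means clean."""
    findings = []
    session = policy.get("sessionControls") or {}
    if not (session.get("secureSignInSession") or {}).get("isEnabled"):
        return ["token protection (secureSignInSession) is not enabled"]
    cond = policy.get("conditions", {})
    apps = set(cond.get("applications", {}).get("includeApplications", []))
    if not apps or apps - {EXCHANGE_ONLINE, SHAREPOINT_ONLINE}:
        findings.append("apps: only Exchange Online and SharePoint Online are supported")
    platforms = set(cond.get("platforms", {}).get("includePlatforms", []))
    if platforms != {"windows"}:
        findings.append("platforms: scope to Windows (Entra joined, hybrid joined or registered) only")
    clients = set(cond.get("clientAppTypes", []))
    if not clients or clients - {"browser", "mobileAppsAndDesktopClients"}:
        findings.append("clientAppTypes: limit to browser and mobileAppsAndDesktopClients")
    if GLOBAL_ADMIN_ROLE not in cond.get("users", {}).get("excludeRoles", []):
        findings.append("users: exclude the Global Administrator role so admins keep a way in")
    if policy.get("state") != "enabledForReportingButNotEnforced":
        findings.append("state: start in report-only mode and pilot with a small group")
    return findings

# Constructed policy resembling the poster's: all apps, three platforms, all client types, enforced.
BROKEN_POLICY = {
    "displayName": "Token protection - everything", "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
        "platforms": {"includePlatforms": ["windows", "iOS", "macOS"]}, "clientAppTypes": ["all"]},
    "sessionControls": {"secureSignInSession": {"isEnabled": True}},
}

# Constructed policy scoped the way the answer recommends (pilot group ID is a placeholder).
FIXED_POLICY = {
    "displayName": "Token protection - pilot", "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeGroups": ["<pilot-group-id>"], "excludeRoles": [GLOBAL_ADMIN_ROLE]},
        "applications": {"includeApplications": [EXCHANGE_ONLINE, SHAREPOINT_ONLINE]},
        "platforms": {"includePlatforms": ["windows"]}, "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
    "sessionControls": {"secureSignInSession": {"isEnabled": True}},
}

if __name__ == "__main__":
    for p in (BROKEN_POLICY, FIXED_POLICY):
        print(p["displayName"], lint_token_protection_policy(p) or ["OK"])
```

Run it against a policy exported from Graph (`GET /identity/conditionalAccess/policies/{id}`) before changing its state from report-only to enabled.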
Reading the documentation thoroughly would have definitely saved you the trouble! Remember that for Windows 10 or later, devices need to be Microsoft Entra joined, hybrid joined, or registered. I made a similar mistake and just skimmed through the docs. Sharing my experience here to help others learn from my headache!

Yeah, I got a bit overconfident. We had a few minor security issues recently, so I thought token protection would help balance security and ease for my team. I usually make big changes successfully, so this was a wake-up call. I'll definitely be more cautious next time!