Token Protection with Azure AD/ Entra ID

Azure Entra Security and Compliance

A centralized identity provider is particularly useful for applications with global users who do not always sign in from the enterprise’s network. The Microsoft identity platform verifies the authenticity of users and provides security tokens, such as access tokens, refresh tokens, and ID tokens. Using security tokens, a client application can access protected server resources.

Access token – An access token is a security token issued by an authorization server as part of an OAuth 2.0 flow. It carries information about the user and the resource, and the client presents it to gain access to web APIs and other restricted resources. The resource validates the access token before permitting the client application access. See Access tokens in the Microsoft identity platform for more information.

Refresh token – Because access tokens are only effective for a limited time, authorization servers may issue a refresh token concurrently with the access token. When necessary, the client application can exchange this refresh token for a new access token. See Refresh tokens in the Microsoft identity platform for more information.

ID token – ID tokens are sent to the client application as part of an OpenID Connect flow. They may be sent in addition to or in place of an access token. The client uses ID tokens to authenticate the user. To learn more about how ID tokens are issued by the Microsoft identity platform, visit ID tokens in the Microsoft identity platform.

Token protection is a critical part of cybersecurity because it ensures that tokens can only be used on the intended device. When enforced through Conditional Access policies, tokens authorizing access to resources must come from the device where the user originally signed in. This provides the best available protection for your high-value users and data against breaches involving token theft.

Token protection reduces the attack surface by binding a token to a device, preventing “replay attacks” in which a malicious actor steals a token and uses it to gain unauthorized access without having to complete any additional authentication.

Microsoft has released a new Conditional Access policy control so that businesses can begin protecting themselves against these attack methods; however, it is presently in preview and lacks full functionality.

This functionality is aimed at users who perform specialized duties, such as those described in Privileged access security levels.

By selecting “Require token protection for sign-in sessions” under Conditional Access session controls, sessions used to access resources in the scope of the policy must be bound, using proof-of-possession, to the device the user signed in on. Proof-of-possession requires that the client can show it has access to a private key on the device. If access is attempted using a refresh token stolen from a user’s device and moved to a device an attacker controls, the proof-of-possession cannot be completed, and the policy blocks access.
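The two points made above, that a bare token can be replayed from any machine while a device-bound token cannot, are easier to see in code. The following Go program is an added illustration written for this post; it is not Entra's implementation or wire format, and the token layout, the `cnf` thumbprint claim, the nonce and the sample user and audience values are all constructed here. It models a resource server in two modes: `VerifyBearer` accepts anyone holding the token bytes, while `VerifyBound` also demands a signature made with the device private key whose thumbprint the authorization server wrote into the token. The scenario issues one token to the user's device, then presents the same bytes from another device and replays a captured proof under a fresh nonce.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is a simplified access token body. cnf holds the thumbprint of the
// device public key the token is bound to (constructed layout, not Entra's).
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Cnf string `json:"cnf"`
}

// SignedToken is the token bytes plus the authorization server's signature.
type SignedToken struct {
	Payload   []byte
	IssuerSig []byte
}

// Proof accompanies each request: the device public key and a signature over
// the token and a server-chosen nonce, made with the matching private key
// (which on a real device stays inside the TPM).
type Proof struct {
	DevicePub ed25519.PublicKey
	Sig       []byte
}

func keyThumbprint(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// IssueToken is the authorization server's step: bind the token to devicePub.
func IssueToken(issuerPriv ed25519.PrivateKey, sub, aud string, devicePub ed25519.PublicKey) (SignedToken, error) {
	payload, err := json.Marshal(Claims{Sub: sub, Aud: aud, Cnf: keyThumbprint(devicePub)})
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Payload: payload, IssuerSig: ed25519.Sign(issuerPriv, payload)}, nil
}

// proofMessage ties the proof to this token and this nonce, so a captured
// proof cannot be reused once the server hands out a new nonce.
func proofMessage(tok SignedToken, nonce []byte) []byte {
	return bytes.Join([][]byte{tok.Payload, nonce}, []byte{'.'})
}

// MakeProof is the client's step on every request.
func MakeProof(devicePriv ed25519.PrivateKey, tok SignedToken, nonce []byte) Proof {
	return Proof{
		DevicePub: devicePriv.Public().(ed25519.PublicKey),
		Sig:       ed25519.Sign(devicePriv, proofMessage(tok, nonce)),
	}
}

// VerifyBearer models an unbound token: whoever holds the bytes is let in.
func VerifyBearer(issuerPub ed25519.PublicKey, tok SignedToken) error {
	if !ed25519.Verify(issuerPub, tok.Payload, tok.IssuerSig) {
		return errors.New("token not issued by a trusted authorization server")
	}
	return nil
}

// VerifyBound is what the session control enforces: the caller must prove
// possession of the private key named by cnf, for the current nonce.
func VerifyBound(issuerPub ed25519.PublicKey, tok SignedToken, proof Proof, nonce []byte) error {
	if err := VerifyBearer(issuerPub, tok); err != nil {
		return err
	}
	var c Claims
	if err := json.Unmarshal(tok.Payload, &c); err != nil {
		return err
	}
	if c.Cnf != keyThumbprint(proof.DevicePub) {
		return errors.New("token is bound to a different device key")
	}
	if !ed25519.Verify(proof.DevicePub, proofMessage(tok, nonce), proof.Sig) {
		return errors.New("proof-of-possession signature invalid for this nonce")
	}
	return nil
}

func newKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only if the OS random source is unavailable
	}
	return priv
}

// RunScenario issues one token to the user's device and reports which of four
// access attempts each verification mode accepts.
func RunScenario() (map[string]bool, error) {
	issuerPriv, userDevice, otherDevice := newKey(), newKey(), newKey()
	issuerPub := issuerPriv.Public().(ed25519.PublicKey)
	// Constructed sample identity and audience values.
	tok, err := IssueToken(issuerPriv, "alice@contoso.example", "https://api.example", userDevice.Public().(ed25519.PublicKey))
	if err != nil {
		return nil, err
	}
	nonce1, nonce2 := []byte("nonce-1"), []byte("nonce-2") // constructed server nonces
	captured := MakeProof(userDevice, tok, nonce1)       // a proof the user's device once sent
	return map[string]bool{
		"bearer: copied token accepted":              VerifyBearer(issuerPub, tok) == nil,
		"bound: original device accepted":            VerifyBound(issuerPub, tok, captured, nonce1) == nil,
		"bound: copied token on other device":        VerifyBound(issuerPub, tok, MakeProof(otherDevice, tok, nonce2), nonce2) == nil,
		"bound: captured proof replayed, new nonce":  VerifyBound(issuerPub, tok, captured, nonce2) == nil,
	}, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Printf("%-45s accepted=%v\n", k, v)
	}
}
```

The bearer check passes for the copied token because nothing in it names the device, which is exactly the gap the session control closes: with binding on, the stolen bytes fail on the `cnf` mismatch, and even a proof captured from the real device fails once the server's nonce changes.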
