Stopping Token Theft: How Microsoft’s Protections Prevent BEC Attacks

5th August 2025 | Blog

Welcome to our two-part blog series on Microsoft’s new email security enhancement now included in Office 365 P1 licenses: session token protection.

In Part 1, we’ll explain what session token theft is, why it’s a growing threat, and how organizations can protect against it. We’ll also highlight Microsoft’s significant move to include this feature in P1 licenses—previously reserved for E5 and Entra ID P2 users.

Then in Part 2 (coming in two weeks), we’ll shift focus to practical implementation tips for MSPs, showing how to roll out this critical security feature across clients using standard processes.

1. What Is Token Session Theft, and Why Has It Skyrocketed?

Token session theft, also known as token theft or session hijacking, occurs when attackers steal session tokens from authenticated users (often via phishing or malware) and use them to impersonate the users, bypassing authentication controls like passwords and MFA.

Why It’s Gaining Popularity

  • MFA alone doesn’t help: the token is issued only after MFA has already been satisfied, so once a valid token is captured, MFA becomes moot; attackers replay the stolen token to access services without any further authentication.
  • Rapid growth in use of this vector: Microsoft reports a 111% increase in token theft attacks year-over-year, with ~147,000 incidents in one year.
  • Sophisticated phishing and malware campaigns: Attackers are using tools like Evilginx to proxy login sessions, extract credentials and tokens, and perform credential replay, even when MFA is enabled.


2. What Is Token Protection, and How Does It Work?

Token Protection, sometimes called token binding, is a Conditional Access (CA) feature in Microsoft Entra ID that cryptographically ties session tokens (like PRTs or refresh tokens) to the specific device where they were issued. The result: even if a token is stolen, it can only be used on the original device.

Key Requirements and Mechanisms:

  • Device binding: Tokens are bound to devices that are Microsoft Entra joined, hybrid joined, or registered and are running Windows 10 or newer.
  • Supported platforms/apps (in preview): Exchange Online, SharePoint Online, OneDrive sync, Teams desktop client, Power BI, Microsoft Graph PowerShell, Visual Studio 2022 with WAM broker, Windows App, etc.
  • Conditional Access Policy Setup:
    • Target Windows devices only
    • Select client apps: Mobile and desktop clients
    • Under Session controls, enable “Require token protection for sign‑in sessions”
  • Deployment best practices:
    • Start in report-only mode to monitor compatibility
    • Pilot with small groups
    • Use sign-in logs and policy impact tools to review binding status before enforcing
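As an added example (not code from this post or from Microsoft), here is the "review binding status before enforcing" step from the deployment list above, run over constructed sign-in records exported from a report-only policy: it assumes the Microsoft Graph signIn field names tokenProtectionStatusDetails.signInSessionStatus and appliedConditionalAccessPolicies[].result, and a policy named "Require token protection".

```python
from collections import Counter

# Constructed sample sign-in records, trimmed to the fields this check needs.
# Field names follow the Microsoft Graph signIn resource as assumed here
# (tokenProtectionStatusDetails.signInSessionStatus, appliedConditionalAccessPolicies[].result).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
     "deviceDetail": {"operatingSystem": "Windows 11", "trustType": "Azure AD joined"},
     "tokenProtectionStatusDetails": {"signInSessionStatus": "bound"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require token protection", "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Outlook",
     "deviceDetail": {"operatingSystem": "Windows 10", "trustType": ""},
     "tokenProtectionStatusDetails": {"signInSessionStatus": "unbound"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require token protection", "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "carol@contoso.example", "appDisplayName": "OneDrive SyncEngine",
     "deviceDetail": {"operatingSystem": "MacOs", "trustType": ""},
     "tokenProtectionStatusDetails": {"signInSessionStatus": "none"},
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require token protection", "result": "notApplied"}]},
]


def binding_readiness(signins, policy_name):
    """Summarise report-only results for one token protection policy.

    Returns (status_counts, would_block): status_counts maps each
    signInSessionStatus value to how often it was seen, and would_block lists
    (user, app, os, trust type) for sign-ins the policy would block once
    switched from report-only to enforced.
    """
    status_counts = Counter()
    would_block = []
    for s in signins:
        details = s.get("tokenProtectionStatusDetails") or {}
        status_counts[details.get("signInSessionStatus", "none")] += 1
        for p in s.get("appliedConditionalAccessPolicies", []):
            if p.get("displayName") == policy_name and p.get("result") == "reportOnlyFailure":
                dev = s.get("deviceDetail") or {}
                would_block.append((s["userPrincipalName"], s["appDisplayName"],
                                    dev.get("operatingSystem", "?"),
                                    dev.get("trustType") or "unregistered"))
    return status_counts, would_block


if __name__ == "__main__":
    counts, blocked = binding_readiness(SAMPLE_SIGNINS, "Require token protection")
    print("binding status:", dict(counts))
    for user, app, os_name, trust in blocked:
        print(f"would be blocked on enforcement: {user} via {app} ({os_name}, {trust})")
```

Sign-ins with an "unbound" status on unregistered devices are the ones to fix (device registration or client update) during the pilot, before the policy is turned on.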

Other Defense Layers:

  • Device hardening: Require managed/compliant devices via Intune and Defender for Endpoint, and enable Credential Guard, tamper protection, and malware prevention to minimize the risk of the initial token theft
  • Conditional Access rules:
    • Risk-based sign-in policies (via Entra ID Protection) to block or revoke access based on abnormal behavior or MFA bypass attempts
    • Network-based controls such as Global Secure Access (compliant network enforcement) or IP anchoring to prevent token replay from unauthorized locations
  • Continuous Access Evaluation (CAE): Real‑time session revocation upon detection of suspicious activity like impossible travel or new IP access


3. Microsoft Licensing Tiers That Support These Protections

Entra ID P1 (Microsoft 365 Business Premium, M365 E3, or standalone P1)

  • Required for the Conditional Access token protection feature (currently in preview)
  • Enables device-bound token enforcement via Conditional Access policies
  • Included with Microsoft 365 Business Premium and Microsoft 365 E3 as baseline

Entra ID P2 or Entra Suite

  • Includes Entra ID Protection, which is separate from token protection.
  • Enables advanced risk-based identity protection: risk‑based access policies, detection, investigation, and remediation capabilities like sign‑in risk and user risk policies
  • Entra Suite bundles P2 along with network access and identity governance tools (starting ~$12/user/month)

License Tier                                       | Token Protection (CA)        | Risk-Based Access (ID Protection)
Entra ID P1 (incl. M365 E3 / SMB Business Premium) | ✅ Yes (preview, device‑bound) | ❌ No
Entra ID P2 / Entra Suite                          | ✅ Yes                        | ✅ Yes


4. Video Summary: Exploring Microsoft’s Token Protection Feature

This video covers:

  • What tokens are and how they can be stolen
  • Demonstrations of phishing and malware-based token theft
  • How Token Protection binds tokens to the device
  • Step-by-step Conditional Access setup for Exchange and SharePoint access on Windows
  • Complementary measures like Defender, Intune compliance, risk-based policies, CAE, and compliant network controls


5. Why Implementing These Protections Matters

  • Stops token replay attacks: Even if malware extracts PRTs or refresh tokens, they can’t be replayed on a different device.
  • Neutralizes MFA bypass tactics: A stolen token never triggers a fresh MFA challenge, but token binding restores control by rejecting the token off its issuing device.
  • Compliance enforcement: Only approved devices and client apps can access sensitive resources.
  • Improved incident detection: Risk-based policies and CAE provide real-time responses to unusual activity.
  • Low licensing cost for high impact: Entra ID P1 at ~$6/user/month adds a significant new layer of defense.


Final Takeaway

Token-based attacks have grown rapidly because they bypass traditional MFA and steal access entirely. Microsoft’s Token Protection (included with Entra ID P1) securely ties tokens to devices via Conditional Access, blocking token reuse on unauthorized machines. For full identity risk detection and automated remediation, upgrading to Entra ID P2 or the Entra Suite brings in identity protection, CAE, and deeper risk policies. Together, these layered defenses dramatically reduce Business Email Compromise (BEC) and token replay threats.

Stay Tuned

In two weeks, we’ll publish Part 2 of this series, where we dive into implementation advice for MSPs. We’ll walk through how to configure Token Protection in Entra ID P1, what pitfalls to avoid, and how to make this a standard part of your client security stack. Don’t miss it: this is where policy meets practice.
