@Farhad Huseynov Thank you for reaching out to us. As I understand it, you are looking for information on Conditional Access: Token protection.
Token Protection is a new Conditional Access option that guarantees that the user accessing a resource is the one that signed into a registered device by preventing the use of session artifacts that aren't bound to that device.
Identity platforms use bearer tokens to represent their user sessions, and sessions they authorize for web resources. Bearer tokens are protected by controlling access to devices and by secure channels on the network. However, they have the characteristic that if the device or network is compromised, they can be exfiltrated by an attacker, and the attacker can use the token from a device they control to gain access to resources as the signed-in user.
With this new feature, Token Protection cryptographically binds a token to a device secret. Without the secret, the bound token cannot be used. The technique of using device secrets to tie tokens to the device to which they were issued is called Proof of possession (PoP).
More detailed information is documented here - https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-token-protection
Let me know if you have any further questions; feel free to post back.
Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.
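
The difference between a bearer token and a device-bound (proof-of-possession) token described in the answer above, as an added Python sketch that is not part of the original answer and is not Microsoft's implementation. It is a simplified model: the device secret is a shared HMAC key, and the names `ISSUER_KEY`, `REGISTERED`, `device_id` and all sample values are constructed for illustration.

```python
import hashlib, hmac, json, secrets

ISSUER_KEY = secrets.token_bytes(32)   # identity provider's signing key (constructed)
REGISTERED = {}                        # device_id -> device secret (hypothetical registry)

def _mac(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def register_device(device_id):
    # The secret is created at registration and is meant to stay on the device.
    secret = secrets.token_bytes(32)
    REGISTERED[device_id] = secret
    return secret

def issue_token(user, device_id=None):
    claims = {"sub": user}
    if device_id:
        claims["device_id"] = device_id      # binds the token to one registered device
    body = json.dumps(claims, sort_keys=True)
    return body + "." + _mac(ISSUER_KEY, body)

def make_proof(device_secret, token, nonce):
    # Only a holder of the device secret can answer the verifier's fresh nonce.
    return _mac(device_secret, token + nonce)

def verify(token, nonce=None, proof=None):
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _mac(ISSUER_KEY, body)):
        return False                         # tampered or forged token
    device_id = json.loads(body).get("device_id")
    if device_id is None:
        return True                          # bearer: holding the string is enough
    secret = REGISTERED.get(device_id)
    if secret is None or nonce is None or proof is None:
        return False                         # bound token presented without a proof
    return hmac.compare_digest(proof, _mac(secret, token + nonce))

def demo():
    secret = register_device("laptop-01")
    bearer, bound = issue_token("alice"), issue_token("alice", "laptop-01")
    n1, n2 = secrets.token_hex(8), secrets.token_hex(8)   # verifier challenges
    proof = make_proof(secret, bound, n1)
    return {
        "bearer_copied_to_other_device": verify(bearer),            # accepted
        "bound_on_registered_device": verify(bound, n1, proof),     # accepted
        "bound_copied_without_secret": verify(bound, n2),           # rejected
        "bound_with_replayed_proof": verify(bound, n2, proof),      # rejected
    }
```

The fresh nonce per request is what makes a captured proof useless on its own; without it, the proof would itself behave like a bearer artifact.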