Inquiry Regarding Token Protection for Mobile Apps Using Azure OAuth

Roaa Abdullah A Alghamdi 0 Reputation points
2024-10-08T22:08:52.38+00:00

We're currently working on a mobile application (both iOS and Android) and a web application that use single sign-on (SSO) with OAuth through Azure AD. The application obtains access tokens from Azure, which are then used to make API requests to our server to retrieve employee data.

We want to ensure the highest level of security for these tokens to prevent token theft. Specifically, we need to ensure that if someone manages to steal an access token, they cannot reuse it from a different device. In other words, we want to ensure that the access token is usable only from the device on which it was originally generated.

Question: Will the Token Protection feature in Azure Conditional Access help resolve this issue? Can it enforce that tokens generated by Azure AD OAuth are bound to the device that generated them and cannot be reused on other devices?

Additional Details:

  • The employees will log in from their personal devices, which are not registered in our company domain.
  • We want to understand how to apply this feature to non-domain-joined mobile devices (iOS and Android) and prevent token misuse in the event of token theft.

Please let us know if the Token Protection feature is suitable for this scenario, or if there are alternative solutions to ensure that tokens are usable only by the original device.


1 answer

  1. Akhilesh Vallamkonda 10,320 Reputation points Microsoft Vendor
    2024-10-14T16:52:55.0233333+00:00

    Hi @Roaa Abdullah A Alghamdi

    Thank you for reaching out to the Microsoft Q&A Forum!

    I understand that you would like to know about the Conditional Access: Token protection feature for your mobile app.

    Token protection for sign-in tokens in Conditional Access is currently in preview and has some limitations.
    As of now, the Token Protection feature in Conditional Access policy is primarily designed for desktop applications on Windows devices and does not extend to mobile applications (iOS and Android) or to SSO with OAuth through Azure AD.
    This preview supports the following configurations for access to resources with Token Protection Conditional Access policies applied:

    • Windows 10 or newer devices that are Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered.
    • OneDrive sync client version 22.217 or later
    • Teams native client version 1.6.00.1331 or later
    • Power BI desktop version 2.117.841.0 (May 2023) or later
    • Visual Studio 2022 or later when using the 'Windows authentication broker' Sign-in option
    • Office Perpetual clients aren't supported

    Token Protection works by using the identity of the Entra ID joined device to ensure that tokens can only be used on that specific device.
    For devices that are not Entra ID joined, such as personal devices that are not registered in your company’s domain, Token Protection may not be applicable.

    For more information, please read: Conditional Access: Token protection

    Public Preview: Token Protection for Sign-In Sessions

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.

