Hello @Neil Beytagh,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I understand that you have created a Conditional Access policy with the session control "Require token protection for sign-in sessions (Preview)" for Office 365 Exchange Online and Office 365 SharePoint Online. It looks like you're encountering an error due to an unbound token.
It looks like your device does not have a valid PRT token. Could you please confirm by running dsregcmd /status in Command Prompt and checking the AzureAdPrt value under the SSO State section to verify if a valid PRT is issued? Also, ensure that the device is joined to Microsoft Entra with the same user account that you are authenticating with, as either: Microsoft Entra joined, Microsoft Entra hybrid joined, or Microsoft Entra registered.
During the first sign-in on a device, a Primary Refresh Token (PRT) is issued by signing requests using the device key, which is cryptographically generated during device registration. On devices with a valid and functioning TPM (Trusted Platform Module), the device key is secured by the TPM to prevent unauthorized access. A PRT will not be issued if the corresponding device key signature cannot be validated. If the device has a valid and functioning TPM, the private keys are bound to the device's TPM, while the public keys are sent to Microsoft Entra ID.
Please refer to the following documentation and ensure that all prerequisites are met: Token Protection for Sign-in Sessions – Requirements
To further troubleshoot this issue, please share the complete error message displayed on your screen when accessing M365ChatClient. Additionally, I would like to connect with you offline—please share your contact details via private message.
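
As an added example (not part of the original answer and not Microsoft's code), the check described above can be scripted in PowerShell: it parses dsregcmd /status output and reports the join type, whether a PRT is present, and whether the device key is TPM-protected. The function names and the sample output are constructed for illustration; the field names other than AzureAdPrt are assumed from standard dsregcmd output.

```powershell
# Added example. SSO State is per user, so run this in the affected user's session.
function Get-DsregState {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "    AzureAdPrt : YES"; section banners start with | or +.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s+:\s+(.*\S)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-PrtReadiness {
    param([hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined'] -eq 'YES'
    $wpj = $State['WorkplaceJoined'] -eq 'YES'
    $joinType = if ($aad -and $dom) {
        'Microsoft Entra hybrid joined'
    } elseif ($aad) {
        'Microsoft Entra joined'
    } elseif ($wpj) {
        'Microsoft Entra registered'
    } else {
        'Not registered'
    }
    [pscustomobject]@{
        JoinType     = $joinType
        HasPrt       = $State['AzureAdPrt'] -eq 'YES'      # token protection needs a PRT
        TpmProtected = $State['TpmProtected'] -eq 'YES'    # device key held in the TPM
        PrtUpdated   = $State['AzureAdPrtUpdateTime']      # empty when no PRT was issued
    }
}

# Constructed sample of the relevant lines, used only when dsregcmd.exe is unavailable.
$sample = @'
| Device State |
             AzureAdJoined : YES
              DomainJoined : NO
              TpmProtected : YES
           WorkplaceJoined : NO
                AzureAdPrt : NO
'@ -split '\r?\n'

$lines = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { dsregcmd.exe /status } else { $sample }
Test-PrtReadiness (Get-DsregState $lines)
```

With the constructed sample, the result shows a Microsoft Entra joined device with HasPrt set to False, which is the state the answer asks you to rule out.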