Glossary

Token Protection

A Conditional Access session control that cryptographically binds a user's sign-in session token to the device it was issued to, so that a stolen token cannot be replayed from another device.

Token protection (Microsoft's name for what the industry generally calls token binding) is a Microsoft Entra ID Conditional Access capability that creates a cryptographically secure tie between a sign-in session token and the device it was issued to. The device holds the private half of a key pair in its TPM; the refresh token (including the Primary Refresh Token) is bound to that key, and when a client redeems the token Entra ID requires proof of possession of the key. A token copied off the device and replayed elsewhere fails the check because the attacker cannot produce the device key. Note what is bound: the sign-in session (refresh) token, not the short-lived access tokens minted from it, which remain bearer tokens and are protected only indirectly by their short lifetime.

It mitigates token theft attacks such as adversary-in-the-middle (AitM) phishing and post-compromise lateral movement with stolen session tokens. It does not protect against an attacker who already controls the device, since that attacker can use the bound token in place.

It is configured as the Conditional Access session control "Require token protection for sign-in sessions". Coverage is currently limited: it applies to desktop and mobile clients on Windows devices that are Entra joined, hybrid joined or registered, and to a specific set of target resources (Exchange Online and SharePoint Online, with broader coverage rolling out). Clients that cannot present a bound token are blocked once the control is enforced, so deploy the policy in report-only mode first and review the report-only results in the sign-in logs before enforcing it. Combine with phishing-resistant MFA (FIDO2 security keys, passkeys) and Continuous Access Evaluation for the strongest defence against modern token attacks.
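The following is an added example, not part of the glossary entry or Microsoft's own documentation, showing how the control is created as a report-only Conditional Access policy with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed and the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions; the two application IDs are assumed to be the well-known IDs for Office 365 Exchange Online and Office 365 SharePoint Online and are checked against the tenant's service principals before use, and the emergency-access group ID is a placeholder to replace.

```powershell
# Added example (not from the page): create a report-only Conditional Access
# policy that requires token protection for sign-in sessions.
# Assumes the Microsoft Graph PowerShell SDK and an admin with
# Policy.ReadWrite.ConditionalAccess and Application.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Target resources. These IDs are assumed to be the well-known application IDs
# for Office 365 Exchange Online and Office 365 SharePoint Online; the loop
# below confirms they resolve to the expected service principals in the tenant.
$exchangeOnline   = "00000002-0000-0ff1-ce00-000000000000"
$sharePointOnline = "00000003-0000-0ff1-ce00-000000000000"

foreach ($appId in @($exchangeOnline, $sharePointOnline)) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
    if (-not $sp) { throw "No service principal found for appId $appId; check the ID" }
    Write-Host "Targeting $($sp.DisplayName) ($appId)"
}

# Placeholder: object ID of the emergency-access (break-glass) group to exclude.
$breakGlassGroupId = "<object-id-of-emergency-access-group>"

$policy = @{
    displayName = "Require token protection for sign-in sessions (report-only)"
    # Report-only first: clients that cannot present a bound token would be
    # blocked if enforced, and the sign-in logs show which sessions would fail.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @($exchangeOnline, $sharePointOnline)
        }
        # Token protection is only evaluated for desktop and mobile clients on
        # Windows, so scope the policy to exactly that surface.
        platforms = @{
            includePlatforms = @("windows")
        }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # Graph name for the "Require token protection for sign-in sessions"
        # session control.
        secureSignInSession = @{
            isEnabled = $true
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results show no unexpected failures for supported clients, change the policy state to enabled; the same body with state set to "enabled" can be applied with Update-MgIdentityConditionalAccessPolicy.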