Awesome....Thank you for explaining and showing! This is exactly what i needed to make our environment secured.

Great Overview Nick. Loved the Star Wars analogy for describing token Theft :) You make a really good point about the browser on an unmanaged device. I suppose this is another reason why we should be blocking users from logging on to web browsers using their personal accounts.

Superb presentation, elevated with Star Wars. Good work nick ❤

Thank you for sharing. The information is very impressive, as is the description of the necessary conditions to apply the methods for preventing token theft.

Microsoft added a template for this as normal MFA is so utterly useless. The template is called "require mdm-enrolled and compliant devices to access cloud apps for all users (Preview)"

Nick - would rolling up MFA to Passkeys solve this problem upfront? Where if the session token is stolen from a user enrolled with Passkey - the thief would not be able to use it because they couldn't authenticate with device that the Passkey is on due to lack of proximity?

It sounds like there is no fix for people who use their home computers to get remote access to company resources unless MS allows token binding to non joined machines?

I’m a little confused about what you say around the 11:10 mark. If the user signs in fram a compliant device - the user is granted an access token. Surely that token would be able to replay from another browser? Why wouldn’t it? Once I have your authenticated session from your hybrid joined compliant device - entra will let me in. Or am I misunderstanding something?

I never use Compliant devices in a CA because it's too buggy. Devices fall off of compliance all the time. I much prefer to use Azure registered and joined. Make sure you pair that policy with one asking for MFA to enroll a device to be safe.

10 minutes in and find out that security settings are hidden behind more licensing. Thanks Microsoft.

So I understand all the concepts for the Conditional Access policies to prevent token theft except for the compliant devices policy. In theory if the user is already authenticated with a compliant device and the attacker grabbed that token wouldn't they be able to login since that token already satisfied the compliant devices policies? I didn't think device compliance was actively checked besides the initial login unless you had something like session timeouts where you needed to reauthenticate as it expires. I do get the premise that a compliant device would be harder for an attacker to compromise and grab a token due to corporate security.

Thanks for the video; it was very informative. I have a question: MCAS has its own policies for protecting against stolen access tokens by implementing "session access". Would you recommend using those policies in addition to Entra ID, or should we rely solely on Entra ID? Or is that different as it seems the MCAS session policies are very granular...