Everyone’s proud of their MFA rollout. Every tenant I touch has it on now. Good.
But here’s the thing almost nobody checks: MFA only protects the front door. It proves who you are when you sign in. After that, you get a token, and that token is what actually keeps you logged in.
Steal the password? MFA stops you. Steal the token? You walk straight past it.
That’s the attack that’s quietly winning right now. Adversary-in-the-middle phishing kits don’t bother cracking your second factor. They sit between you and Microsoft as a reverse proxy, let you complete MFA for real, and pocket the session cookie and tokens on the way through. Now they’re you: no prompt, no challenge, and the sign-in log shows a successful MFA sign-in, because from Entra’s point of view that is exactly what happened.
So the question isn’t “have I turned on MFA?” It’s “what happens after the token is issued?” And for most tenants, the honest answer is: nothing, until the token runs out, which is roughly an hour later.
What is CAE, really?
A Microsoft 365 access token lasts about an hour by default (Entra issues them with a lifetime of 60 to 90 minutes). For that window the token is trusted as a bearer credential: whoever presents it gets in. If you disable a compromised account at minute three, the attacker keeps working until the token expires.
Continuous Access Evaluation closes that gap.
Instead of waiting for the token to expire, Entra and the resource (Exchange Online, SharePoint Online, Teams, Microsoft Graph) keep a channel open. When a critical event fires, Entra pushes it to the resource, which stops honouring the affected tokens and answers the next request with a claims challenge that sends the client back to Entra for a fresh sign-in. Account disabled or deleted, password reset, admin revokes sessions, ID Protection flags high user risk: the session dies in near real time. Two caveats. It only works for CAE-capable clients talking to CAE-enabled resources (the current Office desktop clients, Teams, OneDrive, and MSAL-based apps that declare the capability); an older client or a third-party app that never declares it still runs out the clock. And because revocation is now event driven rather than clock driven, CAE-aware sessions are actually issued longer-lived access tokens (up to 28 hours), and the configurable token lifetime policy isn’t honoured for them. That is fine, as long as CAE is really on.
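To make that channel concrete, here is what a CAE revocation looks like from the client’s side, as an added example that is not from the original post. The resource rejects the now-revoked token with a 401 whose WWW-Authenticate header carries error="insufficient_claims" and a base64url-encoded claims JSON; the client decodes it, and a CAE-capable client (one that advertises the cp1 capability) hands those claims back to the token endpoint so Entra re-evaluates the sign-in instead of serving a cached token. The header shape and the nbf claim are what Microsoft documents for this challenge; the timestamp inside it, the $clientId, $refreshToken and $tenantId placeholders are assumptions made for the example.

```powershell
# Constructed sample: the WWW-Authenticate header a CAE-enabled resource returns
# once a token it used to accept has been revoked. The claims value is
# base64url(JSON). The timestamp inside it is invented for this example.
$wwwAuthenticate = 'Bearer realm="", authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", error="insufficient_claims", claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwNDEwNjY1MSJ9fX0="'

function ConvertFrom-CaeClaimsChallenge {
    # Returns $null for an ordinary 401 (expired token, wrong audience, ...).
    # For a CAE challenge, returns the raw claims JSON (what goes back to /token)
    # plus the parsed object.
    param([Parameter(Mandatory)][string]$Header)

    if ($Header -notmatch '\berror="insufficient_claims"') { return $null }
    if ($Header -notmatch 'claims="([^"]+)"') {
        throw 'insufficient_claims challenge without a claims parameter'
    }

    $b64 = $Matches[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    $b64 += '=' * ((4 - $b64.Length % 4) % 4)                # restore padding
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))

    [pscustomobject]@{
        ClaimsJson = $json
        Claims     = $json | ConvertFrom-Json
    }
}

$challenge = ConvertFrom-CaeClaimsChallenge -Header $wwwAuthenticate
# The decoded JSON is {"access_token":{"nbf":{"essential":true,"value":"<unix time>"}}}:
# the resource will only accept tokens issued at or after that instant, so the
# token the attacker is holding is useless once its iat falls before nbf.
$nbf = [int64]$challenge.Claims.access_token.nbf.value
"Resource now requires tokens issued after $([DateTimeOffset]::FromUnixTimeSeconds($nbf).UtcDateTime) UTC"

# A CAE-capable client declares the capability on every token request. Without
# this claim Entra hands out classic short-lived tokens and the resource never
# sends the challenge above; the client simply runs out the clock.
$capability = @{ access_token = @{ xms_cc = @{ values = @('cp1') } } }

# After a challenge, the client retries the token request carrying the claims
# it was given. Entra re-runs the sign-in checks (disabled account, reset
# password, revoked sessions, risk) before issuing anything. If the refresh
# token itself was revoked, this call fails and the user must sign in again.
$clientId     = '00000000-0000-0000-0000-000000000000'   # hypothetical app registration
$tenantId     = 'contoso.example'                        # hypothetical tenant
$refreshToken = '<the client''s stored refresh token>'   # hypothetical
$tokenRequest = @{
    client_id     = $clientId
    grant_type    = 'refresh_token'
    refresh_token = $refreshToken
    scope         = 'https://graph.microsoft.com/.default'
    claims        = $challenge.ClaimsJson
    client_info   = 1
}
# Uncomment to actually send it; the capability claim is normally merged into
# the same claims parameter by MSAL, which is why real apps use MSAL rather than
# hand-rolling this.
# Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenRequest
```

The practical takeaway is the first function: if your own apps call Exchange, SharePoint or Graph directly and never handle insufficient_claims, they are not CAE-capable, whatever the tenant setting says. MSAL does this for you when you pass the cp1 client capability.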
Here’s the part most people miss. CAE is already on. Critical-event evaluation runs in every tenant, no Conditional Access policy required. You don’t switch it on. You just need to not switch it off.
Step-by-Step: lock down the token, not just the login
Confirm CAE is still on
Go to the Entra admin centre → Entra ID → Conditional Access → Policies. The disable switch lives inside individual policies and only applies to the users and resources that policy scopes, so open each policy (not just any one) and look under Session → Customize continuous access evaluation.
If someone’s ticked Disable in there, untick it. That toggle exists for edge cases, and I’ve walked into tenants where it was flipped off years ago and forgotten. Microsoft documents the disable path; read it so you know what you’re looking at. The sign-in logs are the other check: filter on Continuous access evaluation (or look at the Is CAE Token field on an individual sign-in) to confirm that a given client actually negotiated a CAE-aware session.
Stand up a Token Protection policy
CAE kills the session after a known event. Token Protection stops the stolen token being usable in the first place. It cryptographically binds the sign-in session token (the refresh token; on Windows, the Primary Refresh Token) to a key held on the device it was issued to, so the token can only be redeemed from that device. Steal it, move it to your machine, and it’s a dead key. Note what it doesn’t bind: the short-lived access token is still a bearer token for the rest of its life. What the attacker loses is the ability to turn a stolen refresh token into fresh access tokens from anywhere else.
Create a new Conditional Access policy. Scope it to a pilot group first. Target Exchange Online and SharePoint Online, which is what Microsoft’s guidance lists for this control (the Teams desktop client is a supported client of those resources), and limit the device platform to Windows. Under Session, tick Require token protection for sign-in sessions.
Set it to report-only
Do not go straight to On. Set the policy to Report-only and let it run. Watch your sign-in logs: the Token Protection - Sign In Session field on each sign-in reads Bound, Unbound or Unknown, and the Conditional Access tab shows what the report-only policy would have done. Unbound from a client that should be supported is what you’re hunting for. The deployment guidance says the same thing, and it’s right: you want to see what breaks before it breaks for a client.
Here’s the session control you’re actually setting:
Session controls:
Require token protection for sign-in sessions: ON
Target resources: Exchange Online, SharePoint Online
Device platform: Windows (Entra joined / hybrid joined / registered)
Client apps: Mobile apps and desktop clients (in practice the Windows native clients: Outlook, Teams, OneDrive, Office)
Notice what’s missing? Browsers, and anything that isn’t a Windows native client. Token Protection covers the Windows desktop apps today: not browser sessions, not the mobile apps. So an attacker who lifts a token through a browser can still replay it. This isn’t the finish line; it’s one layer in a stack that also needs phishing-resistant MFA and compliant devices.
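The three steps above in one script, as an added example that is not from the original post: audit every Conditional Access policy for a CAE Disable override, then create the Token Protection policy scoped to a pilot group in report-only mode. It uses the Microsoft Graph PowerShell SDK; continuousAccessEvaluation.mode is the Graph property behind Customize continuous access evaluation, and secureSignInSession.isEnabled is the one behind Require token protection for sign-in sessions (use a current SDK version). The pilot group name and the policy display name are assumptions; the two resource IDs are the well-known first-party application IDs for Exchange Online and SharePoint Online.

```powershell
# Added example (not the original post's code). Requires: Install-Module Microsoft.Graph
# Application.Read.All is needed to create a policy that targets resources.
Connect-MgGraph -Scopes 'Policy.Read.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Group.Read.All',
                        'Application.Read.All'

# --- Step 1: confirm CAE is still on -------------------------------------
# CAE is on by default; the only way to turn it off is a per-policy override,
# so every policy has to be checked, including disabled and report-only ones.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$caeDisabled = $policies | Where-Object {
    $_.SessionControls.ContinuousAccessEvaluation.Mode -eq 'disabled'
}
if ($caeDisabled) {
    Write-Warning "CAE is disabled by $(@($caeDisabled).Count) policy/policies:"
    $caeDisabled | Select-Object DisplayName, State, Id | Format-Table -AutoSize
} else {
    Write-Host 'No Conditional Access policy disables CAE.'
}

# --- Steps 2 and 3: Token Protection, pilot group, report-only -----------
$pilotGroupName = 'CA-TokenProtection-Pilot'        # hypothetical group name
$pilot = Get-MgGroup -Filter "displayName eq '$pilotGroupName'"
if (-not $pilot) { throw "Pilot group '$pilotGroupName' not found" }

$exchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'   # Office 365 Exchange Online
$sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online

$tokenProtectionPolicy = @{
    displayName = 'Token Protection - pilot (report-only)'    # hypothetical name
    # Report-only: logs what the policy would have done, enforces nothing.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($pilot.Id) }
        applications = @{ includeApplications = @($exchangeOnline, $sharePointOnline) }
        # Token Protection only binds tokens for Windows native clients, so scope
        # the policy to exactly that; browsers and mobile apps are not covered.
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    sessionControls = @{
        # Portal label: "Require token protection for sign-in sessions"
        secureSignInSession = @{ isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $tokenProtectionPolicy
$created | Select-Object DisplayName, State, Id

# Re-read the new policy and make sure nobody sneaked a CAE override into it.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.SessionControls.ContinuousAccessEvaluation.Mode -eq 'disabled') {
    throw 'New policy disables CAE; fix before enabling it.'
}
```

Leave the policy in report-only until the sign-in log stops showing Unbound for clients that should be supported; flipping state to enabled is a one-line Update-MgIdentityConditionalAccessPolicy once you are satisfied, and the pilot group is the only scope change needed afterwards.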
Why this actually changes behaviour
Once you internalise that the token is the credential, your whole threat model shifts.
“We’re fully MFA’d, we’re fine.” No. You’re protected at sign-in. You’re exposed for every minute after it.
CAE shrinks that exposure window from roughly an hour to near real time for every CAE-capable client. Token Protection makes the stolen sign-in token worthless on the wrong machine. Together they move you from “we hope nobody phishes a session” to “even if they do, it dies fast and travels nowhere.”
And it costs you nothing extra to start. CAE ships in the box. Token Protection now needs only Entra ID P1 — which your Business Premium clients already have.
MFA was the conversation three years ago. Token theft is the conversation now. If you’re still selling clients on the front door while attackers climb through the session, you’re protecting the wrong thing.
MFA proves who walked in. CAE and Token Protection make sure they can’t stay in once you’ve shown them the door.