I sat down with an IT provider today who stated they don't use SSO because it's insecure.
They said it's insecure because if the token gets stolen from the vendor then the token could be used to authenticate to other providers.
Solutions
Microsoft has protection against this using Conditional Access (CA), but it only seems to protect employees who are logging in from an Azure AD-joined machine, which all our work computers are.
However, there is another Conditional Access feature that can protect you: Risk-based user sign-in protection in Azure Active Directory (Microsoft Entra, Microsoft Learn). With this turned on, a user attempting to sign in with the stolen credential from an unusual IP address should trigger an MFA prompt, which the attacker will not be able to complete.
How to break the token theft cyber-attack chain – Microsoft Community Hub
Token protection (preview; only supports Microsoft 365 apps and services during the preview at the moment): binds the token to the device so it can't be used elsewhere.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection
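The two Conditional Access controls above (require MFA on risky sign-ins, and token protection) can both be created as policies with the Microsoft Graph PowerShell SDK. The script below is an added example written for this note; it is not Microsoft's code and not from the linked articles. It assumes the Microsoft.Graph module is installed, that the signed-in admin can write Conditional Access policies, and that <BREAK-GLASS-USER-ID> is replaced with your emergency-access account's object ID. Both policies are created in report-only mode so you can check the sign-in logs for what they would have blocked before enforcing them. The secureSignInSession session control used for token protection is the Graph property name as I understand it; if your tenant rejects it on the v1.0 endpoint, use the Microsoft.Graph.Beta module's New-MgBetaIdentityConditionalAccessPolicy instead.

```powershell
# Added example (not from the original note or Microsoft docs): create the
# sign-in-risk MFA policy and the token-protection policy in report-only mode.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: always exclude your emergency-access account so a bad policy
# cannot lock every admin out of the tenant.
$breakGlass = '<BREAK-GLASS-USER-ID>'

# Policy 1: medium/high sign-in risk -> require MFA.
# This is the control that stops a stolen credential being replayed from an
# unusual IP: the sign-in is flagged risky and the attacker cannot satisfy MFA.
$riskPolicy = @{
    displayName   = 'CA - Require MFA for medium/high sign-in risk (report-only)'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing logs
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications     = @{ includeApplications = @('All') }
        clientAppTypes   = @('all')
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Policy 2: token protection -> the session token is bound to the device, so a
# token lifted from a vendor app cannot be used from anywhere else.
# Preview limitation from the note: only Microsoft 365 apps and services, on
# Windows desktop/mobile clients. The GUIDs are the well-known first-party app
# IDs for Exchange Online and SharePoint Online (verify them under Enterprise
# applications in your tenant).
$tokenPolicy = @{
    displayName     = 'CA - Token protection for Exchange/SharePoint on Windows (report-only)'
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @(
            '00000002-0000-0ff1-ce00-000000000000',   # Office 365 Exchange Online
            '00000003-0000-0ff1-ce00-000000000000'    # Office 365 SharePoint Online
        ) }
        platforms      = @{ includePlatforms = @('windows') }
        clientAppTypes = @('mobileAppsAndDesktopClients')
    }
    sessionControls = @{
        # Assumed Graph property name for the token-protection session control.
        secureSignInSession = @{ isEnabled = $true }
    }
}

foreach ($policy in @($riskPolicy, $tokenPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ('Created "{0}" (id {1}, state {2})' -f $created.DisplayName, $created.Id, $created.State)
}

# Check: confirm nothing was created in enforcing mode by accident.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like 'CA - *' } |
    Select-Object DisplayName, State
```

Leave both policies in report-only for a week or two and review the "Report-only" result column in the Entra sign-in logs: any legitimate client that would have been blocked by token protection (for example an older Outlook build) shows up there before users are affected, and the sign-in-risk policy's would-be MFA prompts show whether Identity Protection is flagging the traffic you expect.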