{"id":3024,"date":"2024-08-28T18:30:07","date_gmt":"2024-08-28T18:30:07","guid":{"rendered":"https:\/\/www.intellisecsolutions.com\/2024\/08\/28\/protegez-vous-contre-le-vol-de-jetons-dans-microsoft-entra-id\/"},"modified":"2024-08-28T18:30:07","modified_gmt":"2024-08-28T18:30:07","slug":"protegez-vous-contre-le-vol-de-jetons-dans-microsoft-entra-id","status":"publish","type":"post","link":"https:\/\/www.intellisecsolutions.com\/fr\/2024\/08\/28\/protegez-vous-contre-le-vol-de-jetons-dans-microsoft-entra-id\/","title":{"rendered":"Protect Yourself Against Token Theft in Microsoft Entra ID"},"content":{"rendered":"<div class=\"cms-smallheading text-accent pb-10 text-16 font-600 empty-none\">Cloud Security<\/div>
<h2 class=\"cms-heading empty-none text-heading lh-1375\">Protect Yourself Against Token Theft in Microsoft Entra ID<\/h2>
<h4 class=\"wp-block-heading\">How Do Token Generation and Authentication Work?<\/h4>
<p>Token generation and authentication in Entra ID involve a sophisticated process designed to secure user identities and control access to resources. Understanding this process is crucial for identifying potential vulnerabilities and implementing safeguards.<\/p>
<p><strong>User Authentication<\/strong><\/p>
<p>The process begins when a user attempts to access a resource protected by Entra ID. The user must first prove their identity, typically by providing credentials such as a username and password.<\/p>
<p>For enhanced security, Entra ID supports Multi-Factor Authentication (MFA), which requires additional verification methods such as a phone call, SMS, or an authentication app. MFA significantly reduces the risk of unauthorized access due to compromised credentials.<\/p>
<p>Entra ID also supports passwordless authentication methods like biometrics (fingerprint or facial recognition) and FIDO2 security keys, further strengthening security.<\/p>
<p><strong>Token Issuance<\/strong><\/p>
<p>Once the user is successfully authenticated, Entra ID issues a set of tokens, including the Primary Refresh Token (PRT), Access Token, and ID Token.<\/p>
<ul><li><strong>Primary Refresh Token (PRT):<\/strong> A key component in Entra ID\u2019s Continuous Access Evaluation (CAE) model, the PRT is a long-lived token stored securely on the user\u2019s device. It silently requests new Access Tokens as needed and contains claims such as the user\u2019s identity, device ID, and additional security attributes.<\/li>
<li><strong>Access Token:<\/strong> This short-lived token, typically valid for one hour, contains claims about the user, granted scopes (permissions), and other metadata required for accessing specific resources.<\/li>
<li><strong>ID Token:<\/strong> Primarily used by applications to obtain basic information about the authenticated user, such as their username and email address. The ID Token is crucial for establishing the user\u2019s identity within the application, though it is not typically involved in resource access.<\/li><\/ul>
<p><strong>Session Keys and Secure Storage<\/strong><\/p>
<p>Along with the PRT, Entra ID generates a Session Key, securely stored within the device\u2019s Trusted Platform Module (TPM) or an equivalent hardware security module. The TPM ensures that sensitive data like the Session Key cannot be easily extracted or tampered with by malware or attackers. If the device lacks TPM support, Entra ID employs software-based encryption mechanisms, although these are considered less secure.<\/p>
<p><strong>Token Types and Lifetimes<\/strong><\/p>
<p>Entra ID issues different types of tokens, each with distinct purposes and lifetimes:<\/p>
<ul><li><strong>Access Tokens:<\/strong> Short-lived tokens used for accessing resources such as APIs, files, or other services. Their short lifespan helps minimize the impact if a token is compromised.<\/li>
<li><strong>Refresh Tokens:<\/strong> Long-lived tokens used to request new Access Tokens without requiring the user to re-authenticate, generally valid for up to 90 days.<\/li>
<li><strong>Primary Refresh Token (PRT):<\/strong> Valid for 14 days, the PRT is essential for seamless access across sessions and resources, and it is silently renewed while the user remains active.<\/li><\/ul>
<p>Entra ID\u2019s token expiration policies are designed to balance security with user convenience. By using short-lived Access Tokens alongside the PRT and Refresh Tokens, Entra ID limits the potential damage if a token is stolen.<\/p>
<p><strong>Token Encryption and Validation<\/strong><\/p>
<p>All tokens issued by Entra ID are signed using asymmetric keys, ensuring that they cannot be tampered with or forged. The signature is validated by the resource server or API when the token is presented, confirming its integrity and authenticity.<\/p>
<p>Tokens are also encrypted to protect sensitive information if intercepted during transmission. Entra ID supports Conditional Access policies that dynamically evaluate access requests based on signals such as user location, device compliance, and risk level, potentially enforcing additional authentication or denying access even if the token is valid.<\/p>
<p><strong>Continuous Access Evaluation (CAE)<\/strong><\/p>
<p>Entra ID leverages Continuous Access Evaluation (CAE) to further enhance security. CAE allows for real-time policy enforcement and token revocation. If a user\u2019s risk level changes or anomalous activity is detected, Entra ID can immediately invalidate tokens, forcing re-authentication to prevent unauthorized access. CAE is particularly effective when a token has been compromised but is still within its validity period, proactively mitigating the risk.<\/p>
<h4 class=\"wp-block-heading\"><span id=\"Token_Theft\" class=\"ez-toc-section\"><\/span>Token Theft<\/h4>
<h5 class=\"wp-block-heading\"><span id=\"Understanding_Tokens_and_Their_Value\" class=\"ez-toc-section\"><\/span>Understanding Tokens and Their Value<\/h5>
<p>In Entra ID, tokens are essential for granting access to resources without repeatedly asking users to re-enter credentials. However, this convenience makes tokens a prime target for attackers. If an attacker obtains a valid token, they can impersonate the user and access resources without detection.<\/p>
<h5 class=\"wp-block-heading\"><span id=\"Common_Methods_of_Token_Theft\" class=\"ez-toc-section\"><\/span>Common Methods of Token Theft<\/h5>
<ul><li><strong>Phishing Attacks:<\/strong> Attackers trick users into visiting malicious websites resembling legitimate login pages. When the user enters credentials, the attackers capture them and obtain tokens from Entra ID. In some cases, attackers can directly steal tokens if the user is already authenticated.<\/li>
<li><strong>Man-in-the-Middle (MitM) Attacks:<\/strong> In MitM attacks, attackers intercept communications between a user and a service. If these communications are not properly encrypted, attackers can capture tokens in transit.<\/li>
<li><strong>Malware:<\/strong> Malware can be designed to extract tokens from a user\u2019s device, using methods like keyloggers or browser exploits. More sophisticated malware may target the device\u2019s memory or TPM where session keys are stored.<\/li>
<li><strong>Session Hijacking:<\/strong> Session hijacking occurs when an attacker takes control of a user\u2019s active session, often by stealing a session cookie containing a token. This can happen if the user\u2019s device is compromised or connected to an insecure network.<\/li>
<li><strong>Token Replay Attacks:<\/strong> In a replay attack, an attacker captures a token and reuses it to gain unauthorized access to resources.<\/li><\/ul>
<h5 class=\"wp-block-heading\"><span id=\"Targeting_Specific_Token_Types\" class=\"ez-toc-section\"><\/span>Targeting Specific Token Types<\/h5>
<ul><li><strong>Access Tokens:<\/strong> These tokens provide direct access to APIs, services, and data. Although short-lived, they can still cause significant harm if stolen and used quickly.<\/li>
<li><strong>Refresh Tokens:<\/strong> With a longer lifespan, refresh tokens are even more valuable to attackers, allowing them to maintain access over an extended period.<\/li>
<li><strong>Primary Refresh Token (PRT):<\/strong> The PRT is critical in the Entra ID ecosystem. If compromised, it allows attackers to continuously request new access and refresh tokens without needing the user\u2019s credentials.<\/li><\/ul>
<h5 class=\"wp-block-heading\"><span id=\"Token_Binding\" class=\"ez-toc-section\"><\/span>Token Binding<\/h5>
<p>Token Binding is a security mechanism that strengthens token-based authentication by binding tokens to a specific client or device. This mitigates the risks associated with token theft and replay attacks.<\/p>
<ul><li><strong>Cryptographic Binding:<\/strong> Token Binding uses cryptographic keys to link a token to a specific client, making it unusable by attackers who lack the corresponding private key.<\/li>
<li><strong>Sender Constraining:<\/strong> Ensures that the token is only valid when presented by the client that originally received it.<\/li>
<li><strong>Enhanced Security:<\/strong> Binding tokens to specific devices or sessions significantly reduces the risk of token misuse, improving overall security in token-based authentication systems.<\/li><\/ul>
<h4 class=\"wp-block-heading\"><span id=\"Primary_Refresh_Token_PRT\" class=\"ez-toc-section\"><\/span>Primary Refresh Token (PRT)<\/h4>
<p>The Primary Refresh Token (PRT) is a critical component of Microsoft Entra ID\u2019s authentication framework, particularly for Windows 10 and newer devices. It facilitates single sign-on (SSO) experiences across applications while maintaining security.<\/p>
<ul><li><strong>Issuance:<\/strong> A PRT is issued when a user successfully authenticates on a registered device. It is tied to the device and used to obtain new access tokens without requiring the user to re-authenticate.<\/li>
<li><strong>Claims and Security:<\/strong> The PRT contains various claims, including a device ID and a session key, which is securely encrypted and acts as proof of possession.<\/li>
<li><strong>Lifetime and Renewal:<\/strong> A PRT typically has a 14-day validity period but can be continuously renewed as long as the user actively uses the device.<\/li>
<li><strong>Protection Mechanisms:<\/strong> PRTs are protected by binding them to the device on which they were issued, enforced through hardware security features like the Trusted Platform Module (TPM).<\/li><\/ul>
<h4 class=\"wp-block-heading\"><span id=\"How_to_protect_against_token_theft\" class=\"ez-toc-section\"><\/span>How to Protect Against Token Theft<\/h4>
<p>To enable token protection, organizations can configure Conditional Access policies with the following key features:<\/p>
<ul class=\"wp-block-list\"><li><strong>Require Token Protection for Sign-In Sessions:<\/strong> Mandating that all sign-in sessions use tokens bound to the authenticated device ensures that only legitimate sessions can access protected resources.<\/li><\/ul>
<p>More information can be found in the Microsoft documentation:<\/p>
<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/concept-token-protection\">https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/concept-token-protection<\/a><\/p>
<figure class=\"wp-block-image size-full is-resized\"><img class=\"wp-image-361 aligncenter\" src=\"https:\/\/laythchebbi.com\/wp-content\/uploads\/2024\/08\/image-11.png\" alt=\"\" width=\"267\" height=\"238\" \/><\/figure>
<ul class=\"wp-block-list\"><li><strong>Device Compliance:<\/strong> Policies can require that devices used for accessing resources meet specific compliance criteria, such as being registered with Azure Active Directory (AAD) and having the necessary security configurations in place.<\/li>
<li><strong>Supported Resources:<\/strong> Token protection is initially applied to high-value resources such as Microsoft Exchange and SharePoint, with plans to extend protection to other applications and services.<\/li>
<li><strong>Proof-of-Possession Mechanism:<\/strong> When a resource is accessed, the system checks for proof of possession, verifying that the client can access a private key stored on the device.<\/li><\/ul>
<h4 class=\"wp-block-heading\"><span id=\"Conclusion\" class=\"ez-toc-section\"><\/span>Conclusion<\/h4>
<p>Token security is vital in modern authentication, particularly within Entra ID. By understanding how tokens are generated and protected, organizations can better defend against threats. Entra ID\u2019s advanced mechanisms, such as the Primary Refresh Token (PRT) and Continuous Access Evaluation (CAE), provide secure access but also introduce vulnerabilities that attackers exploit. Implementing strong protection strategies like Conditional Access policies and Token Binding can significantly enhance security. As reliance on cloud services increases, mitigating token theft risks remains essential. Proactive measures will ensure that tokens effectively safeguard user identities and access to critical resources.<\/p>","protected":false},"excerpt":{"rendered":"<p>Token generation and authentication in Entra ID involve a sophisticated process designed to secure user identities and control access to resources.<br \/>\nIt is essential to understand this process in order to identify potential vulnerabilities and implement safeguards. 
<\/p>","protected":false},"author":1,"featured_media":3011,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[32],"tags":[],"class_list":["post-3024","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-securite-de-linformatique-en-nuage"],"_links":{"self":[{"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/posts\/3024","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/comments?post=3024"}],"version-history":[{"count":0,"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/posts\/3024\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/media\/3011"}],"wp:attachment":[{"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/media?parent=3024"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/categories?post=3024"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intellisecsolutions.com\/fr\/wp-json\/wp\/v2\/tags?post=3024"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}