Token protection prevents someone taking the token out of the device. With a man in the middle, the token is actually issued to the man in the middle.
To be effective you need to implement device compliance plus token protection. This will ensure the token is issued to the correct device in the first place.
Token protection does tie the token with the session key of the user, which is generated when the user's device joins the entra. So if the evil guy steals the token, it will not be effective as that token can only work on the user's machine because of the link between the session key and tokens.
That is true for tokens stolen after they are issued to the Entra joined device.
However, with an attacker in the middle intercepting the initial token issuance. The token is issued to the attacker's device which is not joined to Entra.
In terms of protection, what about token protection conditional access policies?
https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection
Token protection prevents someone taking the token out of the device. With a man in the middle, the token is actually issued to the man in the middle.
To be effective you need to implement device compliance plus token protection. This will ensure the token is issued to the correct device in the first place.
Token protection does tie the token with the session key of the user, which is generated when the user's device joins the entra. So if the evil guy steals the token, it will not be effective as that token can only work on the user's machine because of the link between the session key and tokens.
That is true for tokens stolen after they are issued to the Entra joined device.
However, with an attacker in the middle intercepting the initial token issuance. The token is issued to the attacker's device which is not joined to Entra.