Sign In
In this module

EI0.2 How Authentication Actually Works

50-70 minutes · Module 0 · Free
Operational Objective
A SOC alert fires: "Anomalous token detected — possible token replay." You need to understand what a token is, what type of token was stolen, what the attacker can do with it, and how long it remains valid. Without understanding the authentication flow — authorization codes, access tokens, refresh tokens, and Primary Refresh Tokens — you cannot assess the severity of a token theft alert, design conditional access policies that mitigate token replay, or verify that token protection is working. This subsection gives you that foundation.
Deliverable: A clear understanding of the OAuth 2.0 and OpenID Connect authentication flow in Entra ID, the token types involved at each stage, what each token contains, how long each lives, and why attackers target specific tokens.
⏱ Estimated completion: 15 minutes

What happens when a user signs in

When a user opens Outlook and clicks "Sign in," a sequence of events unfolds that most administrators never see. Understanding this sequence is the foundation for every identity security control in this course — because every attack targets a specific point in this flow, and every defense protects a specific point in this flow.

The authentication flow in Microsoft 365 follows the OAuth 2.0 and OpenID Connect (OIDC) standards. These are not Microsoft-specific — they are industry standards used by every major cloud provider. Microsoft's implementation adds layers of risk evaluation, conditional access policy enforcement, and token binding that are specific to Entra ID, but the underlying flow is standard.

Expand for Deeper Context

Here is what happens, step by step, when a user authenticates to a Microsoft 365 application:

The user opens an application — Outlook, Teams, a browser pointed at portal.office.com. The application does not handle authentication itself. Instead, it redirects the user's browser to the Entra ID authorization endpoint at login.microsoftonline.com. This redirect includes the application's client ID (which application is requesting access), the requested permissions (what the application wants to do), and a redirect URI (where to send the user after authentication succeeds).

Entra ID presents the sign-in page. The user enters their email address, which identifies the tenant. Entra ID then determines which authentication methods are available for this user and presents the appropriate challenge — a password prompt, a passwordless prompt (Authenticator, passkey), or a federated redirect if the organization uses a third-party identity provider.

The user completes primary authentication. For a password-based flow, they enter their password. Entra ID validates it against the stored credential. For a passwordless flow, the user authenticates with a FIDO2 key, a passkey, or a Microsoft Authenticator prompt.

Entra ID evaluates conditional access policies. This is the critical security enforcement point. Before issuing any tokens, Entra ID evaluates every conditional access policy that applies to this sign-in. The evaluation considers the user's identity, the application being accessed, the device state, the network location, the sign-in risk level (from Identity Protection), and the user risk level. Based on this evaluation, Entra ID may grant access, require additional authentication (such as MFA), block access entirely, or apply session controls (such as token protection or sign-in frequency).

If MFA is required, Entra ID presents the second factor challenge. The user completes it — approves a push notification, enters a TOTP code, taps a security key, or completes a passkey authentication. The authentication details array in the sign-in log records exactly which methods were used and in which order.

Entra ID issues an authorization code. This is a short-lived code (typically valid for 10 minutes) that the application exchanges for tokens. The authorization code is single-use — it can be redeemed exactly once.

The application exchanges the authorization code for tokens at the Entra ID token endpoint. This exchange happens server-side (for web applications) or through the platform broker (for native applications). Entra ID returns three tokens: an access token, a refresh token, and an ID token.

ENTRA ID AUTHENTICATION FLOW — FROM SIGN-IN TO TOKEN User Application Entra ID Conditional Access 1. Opens app 2. Redirect to login.microsoftonline.com 3. Auth challenge (password, passkey, MFA) 4. User completes authentication 5. Evaluate CA policies 6. Grant / require MFA / block 7. Authorization code (single-use) 8. Exchange code for tokens 9. Access token + refresh token + ID token 10. User accesses resources Attackers target steps 3, 4, and 9 Credential theft (3-4) or token theft (9)
Figure EI0.2 - How Authentication Actually Works

The tokens: what they are and why attackers want them

The three tokens returned by Entra ID serve different purposes, have different lifetimes, and represent different levels of risk if stolen.

The access token is the credential that applications present to resource APIs (such as the Microsoft Graph API or the Exchange Online API) to prove the user is authorized. Access tokens are short-lived — typically 60 to 90 minutes by default, though some resources use shorter durations. An access token contains the user's identity, the permissions granted, the audience (which API the token is valid for), and the expiration time. When an access token expires, the application must obtain a new one. Because access tokens are short-lived, stealing a single access token gives the attacker a narrow window of access. However, during that window, the attacker has exactly the permissions the token contains.

Expand for Deeper Context

The refresh token is the token that allows applications to obtain new access tokens without requiring the user to re-authenticate. Refresh tokens are longer-lived — by default up to 90 days of inactivity, or until revoked. This is the token that keeps you signed in to Teams or Outlook across reboots and browser sessions. If an attacker steals a refresh token, they can exchange it for new access tokens repeatedly for as long as the refresh token remains valid. This means the attacker maintains persistent access without needing the user's password or MFA again. Refresh token theft is one of the most dangerous identity attacks because it survives password changes unless the refresh token is explicitly revoked.

The ID token is an identity assertion that contains information about the user — their name, email, unique identifier, and the authentication context. ID tokens are used by the application to identify who signed in. They are not presented to resource APIs and are generally less useful to an attacker than access or refresh tokens.

The Primary Refresh Token (PRT) is the most valuable token on a device. The PRT is issued when a user registers a device with Entra ID (Entra joined, hybrid joined, or registered) and is cryptographically bound to the device using the TPM or Secure Enclave. The PRT enables single sign-on (SSO) across all applications on the device — when you sign in to Windows and then open Teams, Outlook, and Edge without being prompted again, the PRT is doing that work. If an attacker extracts the PRT from a compromised device, they can impersonate the user across all applications and all resources. PRT theft is the identity equivalent of stealing the master key.

Where tokens live on the device

Understanding where tokens are stored is essential for both defense (protecting the storage locations) and investigation (knowing where to look for evidence of token theft).

On Windows devices, the PRT is stored in the Cloud AP plugin and protected by the Trusted Platform Module (TPM) when Credential Guard is enabled. Without Credential Guard, the PRT key material is accessible in the LSASS process memory — which is exactly where tools like Mimikatz extract it. Refresh tokens for native applications are managed by the Web Account Manager (WAM) broker and stored in the token cache. Browser-based session tokens (cookies) are stored in the browser's cookie store — for Edge and Chrome, this is a SQLite database in the user's profile directory that malware frequently targets for cookie theft.

Expand for Deeper Context

On macOS devices, the PRT equivalent is protected by the Secure Enclave when the Microsoft Enterprise SSO plugin or Platform SSO is configured. Without these, token material is stored in the Apple Keychain, which provides process-level isolation but is accessible to any process running in the user's context.

On mobile devices (iOS and Android), tokens are stored in the Microsoft Authenticator app's protected storage. The February 2026 Authenticator update added jailbreak and root detection — if a device is jailbroken or rooted, Microsoft Entra credentials in the Authenticator app will first generate warnings, then block, then wipe.

Browser sessions are particularly vulnerable because browser cookie databases are a well-known target for information-stealing malware. A "pass-the-cookie" attack extracts the session cookie from the browser's storage and replays it from another machine. This is distinct from AiTM — pass-the-cookie requires malware on the user's device, while AiTM intercepts the cookie in transit through a proxy. Both result in the attacker holding a valid session token, but the attack vector and the defensive controls differ.

Family of Client IDs (FOCI) and token sharing

An important nuance that many administrators miss: Microsoft applications share tokens through a mechanism called Family of Client IDs (FOCI). When a user authenticates to one Microsoft application (such as Outlook), the resulting refresh token can be exchanged for access tokens to other Microsoft applications in the same family (such as Teams, OneDrive, or SharePoint) — without requiring the user to authenticate again, and without triggering a new sign-in log entry for each application.

From a security perspective, FOCI means that stealing a single refresh token issued to any Microsoft first-party application grants the attacker access to every Microsoft first-party application in the family. The sign-in logs will show the original authentication event but may not show the attacker's subsequent access to other applications obtained through FOCI token exchange. This is why refresh token theft is so dangerous — and why token protection (which binds the refresh token to the device) is a critical defense.

From an investigation perspective, FOCI explains why an attacker can access SharePoint, OneDrive, and Teams without generating separate sign-in events for each. The IR course (specifically IR8 and IR11) covers how to detect this pattern. This course teaches you to deploy token protection and sign-in frequency controls that mitigate it.

⚠ Compliance Myth: "Changing the user's password stops the attacker"

The myth: A user was compromised. We reset their password. The attacker is locked out.

The reality: A password reset invalidates the user's password-based credentials but does not automatically revoke all existing tokens. If the attacker stole a refresh token before the password reset, that refresh token may remain valid depending on the token revocation configuration. If the attacker registered a rogue OAuth application with its own credentials, those application credentials survive the user's password change entirely. Effective remediation requires revoking all sessions (which invalidates refresh tokens and the PRT), resetting the password, reviewing and removing any unauthorized OAuth application consent grants, and reviewing any conditional access or directory changes the attacker may have made during the compromise. EI7 covers token security in depth, and the IR course covers the full remediation workflow.

Where attackers strike in the authentication flow

Understanding the flow reveals the attack surface. Every identity attack in this course targets a specific point:

At the credential step (steps 3-4): Password spray attacks attempt to guess passwords. AiTM phishing attacks present a fake sign-in page that proxies the real Entra ID login, capturing both the user's credentials and the resulting session token after MFA completion. MFA fatigue attacks flood the user with push notifications until they approve one. Each of these attacks targets the moment the user proves their identity — and each is defeated by a different defense that this course teaches you to deploy.

// EI0.2 — What authentication methods are your users using?
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0 and AuthenticationRequirement == "multiFactorAuthentication"
| extend Method = tostring(parse_json(tostring(MfaDetail)).authMethod)
| where isnotempty(Method)
| summarize Users = dcount(UserPrincipalName) by Method
| order by Users desc
// Shows your current MFA method distribution
// Are users on phishing-resistant methods or still on SMS/phone?
Expand for Deeper Context

At the token issuance step (step 9): If the attacker compromises the authentication flow through AiTM or a compromised device, they obtain the tokens Entra ID issues. Token protection (covered in EI7) mitigates this by binding tokens to the specific device that completed authentication — so even if an attacker captures the token, it is useless on a different device.

After authentication: Consent phishing tricks the user into granting an OAuth application permissions (such as Mail.ReadWrite) that the attacker controls. This does not require stealing the user's password or token — the user voluntarily grants the access. Application security (covered in EI9) prevents this by restricting user consent and implementing the admin consent workflow.

At the privilege layer: Once inside, attackers attempt to escalate by modifying directory roles, creating new admin accounts, or adding credentials to existing service principals. PIM (covered in EI6) and detection engineering (covered in EI13) address this.

Every module in this course maps to one or more of these attack points. The Defense Design Method starts with "what attack does this stop" precisely so you always know which point in the flow you are defending.

Try it yourself

Try It — Trace Your Own Authentication Flow

Environment: Your M365 developer tenant.

Exercise: Open an InPrivate/Incognito browser window and sign in to portal.office.com with a test user from your developer tenant. While signing in, pay attention to each step:

1. What happened when you entered the email address? (Tenant identification) 2. What authentication challenge were you presented? (Password? Authenticator?) 3. Were you prompted for a second factor? (MFA requirement) 4. Did you see any consent prompts? (Application permissions)

Now open the Entra admin center → Identity → Monitoring & health → Sign-in logs. Find the sign-in you just performed. Look at the Authentication Details tab — it shows exactly which steps occurred and in which order. Look at the Conditional Access tab — it shows which policies evaluated and what they decided.

This is the telemetry that every module in this course teaches you to use for verification and monitoring.

📋 Investigation Artifact — Token Type Reference

Reference this when triaging identity alerts involving token activity:

Token Type Reference — Identity Security Operations

Access Token

- Purpose: Authorizes access to a specific API/resource

- Default lifetime: 60-90 minutes

- Revocation: Expires naturally; forced revocation via Continuous Access Evaluation (CAE) for supported apps

- Theft impact: Limited window of access to the specific resource

- Mitigation: Short lifetime, CAE-enabled apps, token protection

Refresh Token

- Purpose: Obtains new access tokens without re-authentication

- Default lifetime: Up to 90 days inactive, or until revoked

- Revocation: "Revoke Sessions" in Entra admin center, or password change (if configured)

- Theft impact: Persistent access across reboots and sessions until revoked

- Mitigation: Token protection, sign-in frequency policies, risk-based revocation

Primary Refresh Token (PRT)

- Purpose: Single sign-on across all applications on a registered device

- Default lifetime: 14 days, continuously renewed

- Revocation: Device re-registration, session revocation

- Theft impact: Full impersonation across all resources — the master key

- Mitigation: Credential Guard, TPM-based protection, device compliance

ID Token

- Purpose: Identity assertion for the application

- Default lifetime: 60 minutes (typically same as access token)

- Theft impact: Low — contains identity claims but not resource access

- Mitigation: Standard token handling

Compliance mapping: Token management supports SOC 2 CC6.1 (Logical Access Security), ISO 27001 A.9.4 (System Access Control), and NIST CSF PR.AC-7 (Authentication and Access Management).

Decision point

You are reviewing NE's Entra ID security posture. You find 4 accounts with Global Administrator role, but NE's policy says maximum 2. The extra 2 were added during the AiTM incident for emergency response and never removed. Do you remove them?

Remove them — but through the proper process, not unilaterally. Notify the account owners that their emergency GA assignment is being revoked, confirm they have their standard role assignments restored, and document the removal with the rationale ('emergency assignment during INC-NE-2026-0227-001, no longer required'). Then add a PIR action item: 'Implement PIM time-limited role assignments for future incident response — emergency GA assignments auto-expire after 8 hours rather than persisting indefinitely.' The stale emergency assignment is a governance failure, not a technical failure — the fix is procedural.

NE's Entra ID security audit reveals: 4 Global Administrators (policy says 2), 23 users with Global Reader from a completed project, a break-glass account with no monitoring rule, and 3 guest accounts with no expiry date. Which finding is the highest priority?
The 4 Global Administrators — 2 extra GAs doubles the attack surface.
The break-glass account with no monitoring rule. The 4 GAs and stale Global Readers are governance issues that should be remediated — but they are existing conditions, not active threats. The unmonitored break-glass account is a critical detection gap: if the break-glass account is compromised or misused, the SOC has no alert. A break-glass account is excluded from CA policies by design — it is the most powerful and least restricted account in the tenant. Without monitoring, its compromise or misuse is invisible. Deploy the monitoring rule (any sign-in to the break-glass account = Severity 1 alert) before addressing the other findings.
The 23 stale Global Readers — this is the largest number of affected accounts.
The 3 guest accounts — external accounts without expiry are the highest risk.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

  • 17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
  • The Defense Design Method — the six-step framework applied to every identity control you'll build
  • EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
  • Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
  • Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain
Unlock the full course with Premium See Full Syllabus
← Previous Next →