Detecting OAuth Token Theft When to Use - Investigating alerts for impossible travel or anomalous token usage in Microsoft Entra ID - Responding to a suspected session hijacking or pass-the-cookie attack - Configuring proactive defenses against OAuth token theft in an Azure/M365 environment - Detecting OAuth device code phishing campaigns that bypass MFA - Analyzing sign-in logs for token replay indicators - Implementing Token Protection conditional access policies to bind tokens to devices Do not use for on-premises Kerberos ticket attacks (pass-the-ticket, golden ticket); use Active Directo…