Microsoft Entra Client Access Token

Detects Microsoft Entra (formerly Azure AD) client access token patterns. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

medium

Confidence justification

Medium confidence: JWT format is common across many identity providers. Corroborative evidence keywords specific to Microsoft Entra improve accuracy. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Verified

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

specific

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible

Pattern

\beyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\b

Corroborative evidence keywords

Entra, Azure AD, access_token, bearer, login.microsoftonline.com, Microsoft identity, OAuth, client credentials, api key, api_key, apikey, access key, access token, auth token, authorization, conn str, connection string, connectionstring, cookie, credential (+44 more)

Proximity: 300 characters

Should match

• eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiYXVkIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0.AAAAAAAAAAAAAAAAAAAAAAAA — JWT access token with Entra-like structure
• eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20ifQ.BBBBBBBBBBBBBBBBBBBBBBBB — JWT with Microsoft login issuer
• eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXN0IjoiMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCJ9.CCCCCCCCCCCCCCCCCCCCCCCC — JWT access token with test payload

Should not match

• eyJhbGci — Truncated JWT header, not a complete token
• This is not a JWT token — Plain text, not a token
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• JWT tokens from non-Microsoft identity providers that share the same format. Mitigation: Check for Microsoft Entra specific claims (iss, aud) or corroborative keywords.
• Expired or revoked access tokens in logs and audit trails. Mitigation: Flag for review since the token structure may reveal tenant and application details.

References

• Microsoft Entra client access token entity definition - Microsoft Learn