I don't see how this will improve token theft security. The device ID, or whatever that will be, can and will be stolen as well. The only thing that is indeed a major improvement is binding the IP to your JWT token. Also, the mention of reauthorization means the whole purpose of JWTs will be rendered useless (decentralized auth). In my opinion SSO/JWT has always been insecure; I appreciate that MS Entra seems to work around it, to improve security...