Overview
Primary Refresh Token (PRT) is a key artifact of Microsoft Azure AD authentication on Windows 10, Windows Server 2016 and later versions, iOS, and Android devices.
- Device ID: A Primary Refresh Token is issued to a specific Microsoft Account on a specific device. The device ID claim (deviceID) identifies the device on which the Primary Refresh Token was issued to the user. This claim is carried forward into tokens obtained via the PRT, and it is used to evaluate Conditional Access policies based on device state or compliance.
- Session Key: The session key is an encrypted Symmetric Key, generated by the Azure AD authentication service, issued as part of the PRT. The session key acts as the Proof-of-Possession when a PRT is used to obtain tokens for other applications.
How is a Primary Refresh Token issued?
Device registration is a prerequisite for device-based authentication in Azure AD. A PRT is issued to users only on registered devices. For more in-depth details on device registration, see the article Windows Hello for Business and Device Registration. During device registration, the dsreg component generates two sets of cryptographic key pairs:
- Device key (dkpub/dkpriv)
- Transport key (tkpub/tkpriv)
The PRT is issued during user authentication on a Windows 10 device in two scenarios:
- Azure AD joined or Hybrid Azure AD joined: A PRT is issued during Windows Logon when a user signs in with their organization credentials. A PRT is issued with all Windows 10 supported credentials, for example, password and Windows Hello for Business. In this scenario, Azure AD CloudAP plugin is the primary authority for the PRT.
- Azure AD registered device: A PRT is issued when a user adds a secondary work account to their Windows 10 device. Users can add an account to Windows 10 in two different ways:
- Adding an account via the Use this account everywhere on this device prompt after signing in to an app (for example, Outlook)
- Adding an account from Settings > Accounts > Access Work or School > Connect
Note
Third-party Identity Providers need to support the WS-Trust protocol to enable PRT issuance on Windows 10 devices. Without WS-Trust, a PRT cannot be issued to users on Hybrid Azure AD joined or Azure AD joined devices. On ADFS only the usernamemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet-facing endpoints only and MUST NOT be exposed as extranet-facing endpoints through the Web Application Proxy.
A PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device.
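The note above gives an ADFS administrator two things to verify: the two windowstransport endpoints must be enabled, and neither may be published through the Web Application Proxy. The following PowerShell is an added example (not code from Microsoft or from this article) that performs exactly that check. It relies on the real Get-AdfsEndpoint cmdlet and its AddressPath, Enabled and Proxy properties; the $sampleEndpoints objects are constructed so the check can be run offline, and the remediation function is an assumption about how an admin would fix a finding with Set-AdfsEndpoint and Enable-AdfsEndpoint.

```powershell
# Added example: verify the WS-Trust windowstransport endpoints that Windows
# sign-in needs for PRT issuance are enabled and NOT proxy-published.
# Get-AdfsEndpoint / Set-AdfsEndpoint / Enable-AdfsEndpoint are the ADFS
# module cmdlets; $sampleEndpoints below is constructed for this example.

$RequiredEndpoints = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport'
)

function Test-PrtWsTrustEndpoints {
    param(
        # Objects exposing AddressPath, Enabled and Proxy, as Get-AdfsEndpoint returns.
        # The default runs the live query on an ADFS server.
        [object[]]$Endpoints = (Get-AdfsEndpoint)
    )
    foreach ($path in $RequiredEndpoints) {
        $ep = $Endpoints | Where-Object { $_.AddressPath -eq $path } | Select-Object -First 1
        $status = if (-not $ep) {
                      'MISSING: endpoint not present on this farm'
                  } elseif (-not $ep.Enabled) {
                      'DISABLED: Windows sign-in cannot obtain a PRT through this endpoint'
                  } elseif ($ep.Proxy) {
                      'EXPOSED: published through the Web Application Proxy; restrict to intranet'
                  } else {
                      'OK: enabled, intranet only'
                  }
        [pscustomobject]@{
            AddressPath = $path
            Enabled     = [bool]$ep.Enabled
            Proxy       = [bool]$ep.Proxy
            Status      = $status
        }
    }
}

function Repair-PrtWsTrustEndpoint {
    # Hypothetical remediation helper (assumption): enable the endpoint for the
    # intranet and withdraw it from the proxy. Run only on the ADFS server.
    param([Parameter(Mandatory)][string]$AddressPath)
    Enable-AdfsEndpoint -TargetAddressPath $AddressPath
    Set-AdfsEndpoint    -TargetAddressPath $AddressPath -Proxy $false
}

# Constructed sample: 2005 endpoint is correct, the 2013 endpoint is wrongly
# proxy-published, and usernamemixed is included to show it is not part of the check.
$sampleEndpoints = @(
    [pscustomobject]@{ AddressPath = '/adfs/services/trust/2005/windowstransport'; Enabled = $true; Proxy = $false },
    [pscustomobject]@{ AddressPath = '/adfs/services/trust/13/windowstransport';   Enabled = $true; Proxy = $true  },
    [pscustomobject]@{ AddressPath = '/adfs/services/trust/13/usernamemixed';      Enabled = $true; Proxy = $true  }
)

Test-PrtWsTrustEndpoints -Endpoints $sampleEndpoints | Format-Table -AutoSize
# On a real farm: Test-PrtWsTrustEndpoints | Where-Object Status -notlike 'OK*'
```

With the constructed input, the 2005 endpoint reports OK and the 2013 endpoint reports EXPOSED; on a live server, omit -Endpoints and the function queries the farm directly. Any EXPOSED result is the condition the note says MUST NOT exist.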
Keep in Mind
A Primary Refresh Token is only issued and renewed during native application authentication. A Primary Refresh Token is not renewed or issued during a browser session.
In Azure AD joined and hybrid Azure AD joined devices, the CloudAP plugin is the primary authority for a PRT. If a PRT is renewed during a WAM-based token request, the PRT is sent back to CloudAP plugin, which verifies the validity of the PRT with Azure AD before accepting it.
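On the device side, the issuance conditions above (the device must be registered, the join type decides which sign-in path issues the PRT) and the renewal behaviour (14-day validity, refreshed while the device is in active native use) can all be read from the output of dsregcmd /status. The following PowerShell is an added example, not code from Microsoft or from this article, that parses that output and reports the join type and PRT state with findings a helpdesk or security engineer would act on. It assumes the field names dsregcmd prints (AzureAdJoined, DomainJoined, WorkplaceJoined, DeviceId, KeyProvider, AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtExpiryTime) and its "yyyy-MM-dd HH:mm:ss.fff UTC" timestamp format; the sample status text is constructed, not captured from a real device.

```powershell
# Added example: parse 'dsregcmd /status' output and report Azure AD join type,
# PRT presence and PRT lifetime. Field names and timestamp format are those
# dsregcmd prints; the $sampleStatus text below is constructed for this example.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Name : Value" rows; section banners contain no colon
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function ConvertTo-UtcDateTime {
    param([string]$Text)
    if (-not $Text) { return $null }
    $clean = $Text -replace '\s*UTC$', ''
    try {
        return [datetime]::ParseExact($clean, 'yyyy-MM-dd HH:mm:ss.fff',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
    } catch { return $null }
}

function Get-PrtState {
    param(
        # Default runs the live command; pass captured output for offline analysis
        [string[]]$StatusLines = (& dsregcmd /status),
        [datetime]$Now = [datetime]::UtcNow
    )
    $f   = ConvertFrom-DsregStatus -Lines $StatusLines
    $aad = $f['AzureAdJoined']   -eq 'YES'
    $dom = $f['DomainJoined']    -eq 'YES'
    $wpj = $f['WorkplaceJoined'] -eq 'YES'
    $joinType = if ($aad -and $dom) { 'Hybrid Azure AD joined' }
                elseif ($aad)       { 'Azure AD joined' }
                elseif ($wpj)       { 'Azure AD registered' }
                else                { 'Not registered' }

    $prt     = $f['AzureAdPrt'] -eq 'YES'
    $updated = ConvertTo-UtcDateTime $f['AzureAdPrtUpdateTime']
    $expires = ConvertTo-UtcDateTime $f['AzureAdPrtExpiryTime']
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($joinType -eq 'Not registered') {
        $findings.Add('Device is not registered with Azure AD, so no PRT can be issued.')
    } elseif (-not $prt) {
        $findings.Add("$joinType device without a PRT: confirm the user signed in natively with a supported credential and, for federated tenants, that the IdP offers WS-Trust.")
    }
    if ($prt -and $expires) {
        if ($expires -le $Now) {
            $findings.Add('PRT has expired; a new native sign-in is needed before it is renewed.')
        } elseif ($updated) {
            $days = [math]::Round(($expires - $updated).TotalDays)
            if ($days -ne 14) { $findings.Add("PRT lifetime is $days days, not the documented 14.") }
        }
    }

    [pscustomobject]@{
        JoinType         = $joinType
        DeviceId         = $f['DeviceId']
        KeyProvider      = $f['KeyProvider']   # where the device/transport keys live
        PrtPresent       = $prt
        PrtUpdateTimeUtc = $updated
        PrtExpiryTimeUtc = $expires
        Findings         = $findings.ToArray()
    }
}

# Constructed sample in the shape dsregcmd /status prints (hybrid-joined, PRT present).
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                  DeviceId : 00000000-1111-2222-3333-444444444444
               KeyProvider : Microsoft Platform Crypto Provider
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-02-11 03:51:13.000 UTC
      AzureAdPrtExpiryTime : 2021-02-25 03:51:13.000 UTC
'@

Get-PrtState -StatusLines ($sampleStatus -split "`r?`n") -Now ([datetime]'2021-02-12T00:00:00Z').ToUniversalTime()
```

With the constructed sample the result is a Hybrid Azure AD joined device with a current PRT, a 14-day lifetime and no findings; on a real workstation call Get-PrtState with no arguments. An Azure AD joined device whose PRT is missing is the case the note on WS-Trust describes, and an expiry time that stops moving forward on an active device is worth investigating, since the PRT should be renewed continuously during native sign-ins.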