Primary Refresh Token

Overview#

Primary Refresh Token (PRT) is a key artifact of Microsoft Azure AD authentication on Windows 10, Windows Server 2016 and later versions, iOS, and Android devices.

Primary Refresh Token is a JSON Web Token (JWT) issued specifically to Microsoft first-party token brokers to enable Single Sign-On (SSO) across the applications used on those devices.

A Primary Refresh Token contains the claims found in any Azure AD Refresh Token, plus the following device-specific claims:

  • Device ID: A Primary Refresh Token is issued to a specific Microsoft Account on a specific device. The device ID claim (deviceID) identifies the device on which the Primary Refresh Token was issued to the user. This claim is later carried into tokens obtained via the PRT, and is used to determine authorization for Conditional Access policies based on device state or compliance.
  • Session Key: The session key is an encrypted symmetric key, generated by the Azure AD authentication service and issued as part of the PRT. The session key acts as the Proof-of-Possession when a PRT is used to obtain tokens for other applications.
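The two claims above are easiest to understand by watching a relying service use them. The following Python is an added example written for this page, not code from the wiki or from Microsoft: it mints a PRT-style JWT carrying a deviceid claim, has a broker wrap that PRT in a request signed with the session key, and has the authority check the proof of possession and the device-bound claims before granting anything. Everything in it is a simplification and an assumption: HS256 with a shared authority key stands in for Azure AD's real token signing, the session key is used directly instead of through a derived key, the session-key lookup is keyed by device ID, and the claim name deviceid, the user, device ID, key bytes and timestamps are all constructed for the demo.

```python
"""Added example: device-bound PRT claims and session-key proof of possession.
All keys, identifiers and tokens below are constructed; the protocol is a
simplified illustration, not Microsoft's wire format."""
import base64
import hashlib
import hmac
import json

NOW = 1_700_000_000               # fixed "current time" (constructed) for a deterministic demo
PRT_LIFETIME = 14 * 24 * 3600     # 14 days, as stated on the page
AUTHORITY_KEY = b"constructed-authority-signing-key"  # stands in for the authority's token-signing key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256 (a self-contained stand-in for the real signing scheme)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_jwt(token: str, key: bytes):
    """Return the claims if the MAC verifies under `key`, otherwise None."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verification. Inspection only, never for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def device_state_ok(claims: dict, now: int) -> bool:
    """A device-based policy can only be satisfied by an unexpired, device-bound token."""
    return bool(claims.get("deviceid")) and claims.get("exp", 0) > now


def issue_prt(user: str, device_id: str, issued_at: int) -> str:
    """Authority side: mint a PRT bound to one user on one device."""
    claims = {"sub": user, "deviceid": device_id, "iat": issued_at, "exp": issued_at + PRT_LIFETIME}
    return sign_jwt(claims, AUTHORITY_KEY)


def broker_token_request(prt: str, session_key: bytes, resource: str, now: int) -> str:
    """Broker side: wrap the PRT in a request signed with the session key, so the
    request proves possession of the key and not merely of the PRT bytes."""
    return sign_jwt({"refresh_token": prt, "resource": resource, "iat": now}, session_key)


def service_handle_request(request: str, session_keys: dict, now: int):
    """Authority side: validate the PRT, its device binding, then the proof of possession.
    Returns (granted, reason)."""
    prt = peek_claims(request).get("refresh_token", "")
    prt_claims = verify_jwt(prt, AUTHORITY_KEY) if prt.count(".") == 2 else None
    if prt_claims is None:
        return False, "PRT signature invalid"
    if not device_state_ok(prt_claims, now):
        return False, "PRT expired or not device-bound"
    key = session_keys.get(prt_claims["deviceid"])   # session key issued alongside this PRT
    if key is None or verify_jwt(request, key) is None:
        return False, "proof of possession failed"
    return True, "token issued"


def demo() -> dict:
    device_id = "7d3a2b0c-0000-4000-8000-000000000001"      # constructed device ID
    session_key = b"constructed-session-key-32-bytes!"      # on a real device this is TPM/DPAPI protected
    session_keys = {device_id: session_key}                 # what the authority retains
    resource = "https://api.example.test"                   # constructed resource
    prt = issue_prt("alice@contoso.example", device_id, NOW)
    # A token issued without a deviceid claim (e.g. a browser session) is not device-bound.
    browser_token = sign_jwt({"sub": "alice@contoso.example", "iat": NOW, "exp": NOW + 3600}, AUTHORITY_KEY)
    late = NOW + PRT_LIFETIME + 1
    return {
        "good": service_handle_request(broker_token_request(prt, session_key, resource, NOW), session_keys, NOW),
        "no_session_key": service_handle_request(broker_token_request(prt, b"some-other-key", resource, NOW), session_keys, NOW),
        "no_device": service_handle_request(broker_token_request(browser_token, session_key, resource, NOW), session_keys, NOW),
        "expired": service_handle_request(broker_token_request(prt, session_key, resource, late), session_keys, late),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {outcome}")
```

The four cases in `demo()` map onto the page's two claims: only the request that carries an unexpired, device-bound PRT and is signed with the matching session key is granted; a request built without the session key is refused even though the PRT itself is valid, and a token with no deviceid claim cannot satisfy the device-state check at all.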

How is a Primary Refresh Token issued?#

Device registration is a prerequisite for device-based authentication in Azure AD. A PRT is issued to users only on registered devices. For more in-depth details on device registration, see the article Windows Hello for Business and Device Registration. During device registration, the dsreg component generates two sets of cryptographic key pairs:
  • Device key (dkpub/dkpriv)
  • Transport key (tkpub/tkpriv)
The private keys are bound to the device's TPM if the device has a valid and functioning TPM, while the public keys are sent to Azure AD during the device registration process and are used to validate the device state during PRT requests.

The PRT is issued during user authentication on a Windows 10 device in two scenarios:

  • Azure AD joined or Hybrid Azure AD joined: A PRT is issued during Windows Logon when a user signs in with their organization credentials. A PRT is issued with all Windows 10 supported credentials, for example, password and Windows Hello for Business. In this scenario, Azure AD CloudAP plugin is the primary authority for the PRT.
  • Azure AD registered device: A PRT is issued when a user adds a secondary work account to their Windows 10 device. Users can add an account to Windows 10 in two different ways:
    • Adding an account via the Use this account everywhere on this device prompt after signing in to an app (for example, Outlook)
    • Adding an account from Settings > Accounts > Access Work or School > Connect
In Azure AD registered device scenarios, the Azure AD WAM plugin is the primary authority for the PRT since Windows logon is not happening with this Azure AD account.

Note#

Third-party Identity Providers need to support the WS-Trust protocol to enable PRT issuance on Windows 10 devices. Without WS-Trust, a PRT cannot be issued to users on Hybrid Azure AD joined or Azure AD joined devices. On AD FS, only the usernamemixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as intranet-facing endpoints only and MUST NOT be exposed as extranet-facing endpoints through the Web Application Proxy.

What is the lifetime of a PRT?#

Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device.

Keep in Mind#

A Primary Refresh Token is only issued and renewed during Native application authentication. A Primary Refresh Token is not renewed or issued during a browser session.

In Azure AD joined and hybrid Azure AD joined devices, the CloudAP plugin is the primary authority for a PRT. If a PRT is renewed during a WAM-based token request, the renewed PRT is sent back to the CloudAP plugin, which verifies its validity with Azure AD before accepting it.

More Information#

There might be more information for this subject on one of the following: