!!! Overview
[{$pagename}] ([PRT]) is a key artifact of [Microsoft] [Azure] AD [authentication] on [Windows 10], [Windows Server 2016] and later versions, [IOS], and [Android] devices. [{$pagename}] is a [JSON Web Token] ([JWT]) specially issued to [Microsoft] first-party [token] brokers to enable [Single Sign-On] ([SSO]) across the [applications] used on those devices.

[{$pagename}] contains the [claims] generally found in any [Azure] AD [Refresh Token], plus some [device]-specific [claims]:
* Device ID: A [{$pagename}] is issued to a specific [Microsoft Account] on a specific [device]. The device ID [claim] (deviceID) identifies the device on which the [{$pagename}] was issued to the user. This [claim] is propagated to tokens obtained via the PRT and is used to determine authorization for Conditional Access based on device state or compliance.
* [Session Key]: The session key is an [encrypted] [Symmetric Key], generated by the [Azure] AD authentication service and issued as part of the [PRT]. The session key acts as the [Proof-of-Possession] when a PRT is used to obtain [tokens] for other [applications].

!! How is a [{$pagename}] issued?
Device registration is a prerequisite for device-based authentication in Azure AD. A PRT is issued to users only on registered devices. For more in-depth details on device registration, see the article Windows Hello for Business and Device Registration.

During device registration, the dsreg component generates two sets of cryptographic key pairs:
* Device key (dkpub/dkpriv)
* Transport key (tkpub/tkpriv)

The [Private Keys] are bound to the device's [TPM] if the device has a valid and functioning [TPM], while the [Public Keys] are sent to [Azure] AD during the device [registration] process and are used to validate the device state during PRT requests.
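As an added example (not from this wiki page or from Microsoft), the PowerShell check below reads the registration state that the dsreg component reports via dsregcmd /status and verifies the points above on a device: whether the device/transport private keys are TPM-bound, whether a PRT is present for the signed-in user, and how long since it was renewed relative to the 14-day lifetime described later on this page. The output field names (AzureAdJoined, DomainJoined, TpmProtected, AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtAuthority) and the timestamp format are assumed from typical dsregcmd output.

```powershell
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Name : Value" rows under banner headings; keep only the rows.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-PrtState {
    param([hashtable]$State, [int]$LifetimeDays = 14)
    if ($State['AzureAdJoined'] -eq 'YES' -and $State['DomainJoined'] -eq 'YES') {
        $joinType = 'Hybrid Azure AD joined'
    } elseif ($State['AzureAdJoined'] -eq 'YES') {
        $joinType = 'Azure AD joined'
    } else {
        $joinType = 'Not Azure AD joined (Azure AD registered or unregistered)'
    }
    $report = [ordered]@{
        JoinType     = $joinType
        PrtPresent   = ($State['AzureAdPrt'] -eq 'YES')
        PrtAuthority = $State['AzureAdPrtAuthority']   # assumed field: tenant authority that issued the PRT
        TpmBoundKeys = ($State['TpmProtected'] -eq 'YES')
        PrtAgeDays   = $null
        Findings     = @()
    }
    if (-not $report.PrtPresent) {
        $report.Findings += 'No PRT for this user: device not registered, logon not with an Azure AD account, or the WS-Trust dependency is missing.'
    }
    if (-not $report.TpmBoundKeys) {
        $report.Findings += 'Device/transport private keys are not TPM-bound (software-protected only).'
    }
    if ($State['AzureAdPrtUpdateTime']) {
        # Assumed stamp format "yyyy-MM-dd HH:mm:ss.fff UTC"; drop the zone suffix before parsing.
        $stamp   = $State['AzureAdPrtUpdateTime'] -replace '\s+UTC$', ''
        $updated = [datetime]::Parse($stamp, [cultureinfo]::InvariantCulture)
        $report.PrtAgeDays = [math]::Round(((Get-Date).ToUniversalTime() - $updated).TotalDays, 1)
        if ($report.PrtAgeDays -gt $LifetimeDays) {
            $report.Findings += "PRT last renewed $($report.PrtAgeDays) days ago, beyond the $LifetimeDays-day lifetime; a new native sign-in is required."
        }
    }
    return [pscustomobject]$report
}

# Run on a Windows 10 / Windows Server 2016+ device for the signed-in user:
Test-PrtState -State (ConvertFrom-DsregStatus (dsregcmd /status)) | Format-List
```

A stale PRT age only means the user has not signed in natively recently; browser sessions do not renew the PRT, so it is not by itself a sign of misuse.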
The PRT is issued during user authentication on a Windows 10 device in two scenarios:
* Azure AD joined or Hybrid Azure AD joined: A PRT is issued during [Windows Logon] when a user signs in with their organization [credentials]. A PRT is issued with all Windows 10 supported credentials, for example, [password] and [Windows Hello] for Business. In this scenario, the Azure AD CloudAP plugin is the primary authority for the PRT.
* Azure AD registered device: A PRT is issued when a user adds a secondary work account to their Windows 10 device. Users can add an account to Windows 10 in two different ways:
** Adding an account via the "Use this account everywhere on this device" prompt after signing in to an app (for example, Outlook)
** Adding an account from Settings > Accounts > Access Work or School > Connect
In Azure AD registered device scenarios, the Azure AD WAM plugin is the primary authority for the PRT, since Windows logon is not happening with this Azure AD account.

!Note
[Third-party Identity Providers] need to support the [WS-Trust] [protocol] to enable PRT issuance on Windows 10 devices. Without WS-Trust, a PRT cannot be issued to users on Hybrid Azure AD joined or Azure AD joined devices. On [ADFS], only the username mixed endpoints are required. Both adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport should be enabled as [intranet]-facing [endpoints] only and [MUST NOT] be exposed as [Extranet]-facing endpoints through the Web Application Proxy.

!! What is the [lifetime] of a PRT?
Once issued, a [PRT] is valid for 14 [days] and is continuously renewed as long as the user actively uses the [device].

!! Keep in Mind
A [{$pagename}] is only issued and renewed during [Native application] [authentication]. A [{$pagename}] is not renewed or issued during a [browser] session. In Azure AD joined and hybrid Azure AD joined devices, the CloudAP plugin is the primary authority for a PRT.
If a PRT is renewed during a [WAM]-based token request, the PRT is sent back to the CloudAP plugin, which verifies the validity of the PRT with [Azure] AD before accepting it.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [What is a Primary Refresh Token?|https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token|target='_blank'] - based on information obtained 2020-11-26