Az - Primary Refresh Token (PRT)

👉 Overview

👀 What ?

The Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on modern Windows devices. It's a multi-factor authenticated, device-bound token, and it's issued by Azure AD.

🧐 Why ?

The PRT is important because it is used to obtain access tokens for resources, such as the user’s mailbox, Azure Management API, etc. If an attacker gets hold of this token, they can potentially access sensitive resources. Therefore, understanding the PRT is essential for both securing and troubleshooting Azure AD.

⛏️ How ?

PRT can be used to maintain persistent access to resources. When a user signs into a device using an organizational account, a PRT is issued. This token is then used to acquire access tokens for resources. To secure it, you should ensure secure logins and use tools like Azure AD Connect Health.

⏳ When ?

The use of PRT started with the introduction of modern authentication protocols in Azure AD. It's especially prevalent in cases where seamless single sign-on (SSO) experiences are needed.

⚙️ Technical Explanations

PRT is a JWT token stored encrypted on a device and is tied to the device as well as the user who authenticated. It is used in combination with the device ID to acquire access tokens for resources. PRT is issued at the time of user sign-in and it can be renewed as long as the user's session remains valid. It's a core component of the seamless SSO experience in Azure AD as it helps maintain session persistence across different resources.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.