HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutQuick Links Subscribe free
← Back to Blog
Entra ID Entra IDAuthenticationZero TrustSingle Sign-OnTPMWindows Hello for BusinessConditional Access

The Primary Refresh Token (PRT): How Entra ID SSO Actually Works Under the Hood

IA
Imran Awan
7 July 2026

What Even Is a PRT?

Every time a user opens Outlook, Teams, or SharePoint on a Windows device and gets signed in silently — no password prompt, no MFA challenge — the Primary Refresh Token (PRT) is doing the work. It is the centrepiece of Microsoft's SSO architecture for Entra ID, and most admins have no idea what is actually inside it.

Here is the blunt answer: you cannot see its contents. The PRT is an opaque blob issued exclusively to Microsoft's first-party token brokers. It is not a JWT you can paste into jwt.io. What matters is understanding the mechanism behind it — because when SSO breaks, that mechanism is where you need to look.

The Two Types of PRT

Not all PRTs are equal. There are two distinct types, and which one a device gets depends on whether it has an Entra ID identity at all.

Type Device State Key Binding Primary Authority
Registered device PRT Entra joined or Hybrid joined Device key pair (dkpub/dkpriv) CloudAP plugin
Unregistered device PRT Entra registered only On-device crypto key pair WAM plugin

The PRT itself is valid for 90 days and is continuously renewed while the device is in active use. In practice, you will never see an expired PRT on a device that is used daily — renewal happens automatically every 4 hours via CloudAP, and WAM also triggers renewal during app token requests.

The Key Pairs: What Gets Generated at Registration

When a Windows device registers with Entra ID, two cryptographic key pairs are generated. Understanding these is non-negotiable for understanding PRT security.

Device key (dk):

Transport key (tk):

The device key signs authentication requests, proving the request came from this specific device. The transport key's only job is protecting the session key — which is where the real security model lives.

The Session Key: The Most Important Concept in PRT Security

When Entra ID issues a PRT, it also issues an encrypted session key. This is not a separate artefact you store somewhere — it is embedded inside the PRT itself.

Here is what happens, step by step:

  1. Entra ID generates the session key and encrypts it with tkpub — the transport key's public half that was uploaded at device registration.
  2. Only tkpriv, locked inside the TPM, can decrypt it.
  3. CloudAP passes the encrypted session key to the TPM. The TPM decrypts it using tkpriv, then immediately re-encrypts it with the TPM's own internal key.
  4. The re-encrypted session key is stored in CloudAP's cache. At no point does the plaintext session key exist in addressable memory.

Every subsequent request — every app token request, every PRT renewal, every browser SSO cookie — must be signed with this session key. Entra ID validates that signature on every single request against the session key it embedded in the PRT.

⚠ Security Warning — Devices Without TPM

With TPM 2.0, dkpriv and tkpriv are TPM-bound — they cannot be extracted from the device under any circumstances. Session key decryption requires TPM hardware. Without a TPM, keys are stored in software and are extractable. Stealing a PRT from a TPM-less device is viable: the session key can be reconstructed in software, allowing an attacker to forge valid signed requests. TPM 1.2 was deprecated after Windows 10 1903. If you still have devices without TPM 2.0, PRT theft is a real risk. Check TpmProtected: YES in dsregcmd /status — if it says NO, those devices have weakened PRT security.

PRT Issuance Flow: First Sign-In on an Entra Joined Device

Here is the exact sequence of events when a user signs into a freshly Entra-joined Windows device for the first time.

PRT Issuance — First Sign-In Flow
A
User enters password → LogonUILSACloudAPCloudAP plugin
Credential passed down the authentication stack
B
CloudAP plugin performs realm discovery
Is the user's domain managed or federated?
C
If managed: get nonce from Entra ID   If federated: get SAML token from federation provider
The nonce prevents replay attacks on the auth request
D
CloudAP plugin builds auth request, signs it with dkpriv, sends to Entra ID
The device signature proves this request originated from a known, registered device
E
Entra ID validates credentials + device signature → issues encrypted PRT + session key encrypted with tkpub
Only the device's TPM can decrypt the session key
F
TPM decrypts session key using tkpriv → re-encrypts with TPM's own key → cached by CloudAP
Session key never exists in plaintext in addressable memory

How Browser SSO Works

This is the mechanism behind that magical moment when you open a browser, navigate to portal.microsoft.com, and find yourself already signed in.

  1. The browser loads a list of allowed Entra sign-in URLs from the registry.
  2. When it hits an Entra sign-in URL, it calls a native client host.
  3. The native client host asks the CloudAP plugin for a PRT cookie.
  4. CloudAP signs the PRT cookie using the TPM-bound session key.
  5. The browser sends the cookie in the x-ms-RefreshTokenCredential request header.
  6. Entra ID validates the session key signature and issues a session cookie.

The session cookie is bound to the same session and device key. If an attacker intercepts the x-ms-RefreshTokenCredential header and tries to replay it from a different device, Entra ID rejects it — the session key signature will not validate without the TPM.

MFA Claims and Windows Hello for Business

The PRT carries MFA claims, and how those claims get in matters for Conditional Access.

With Windows Hello for Business, the MFA claim is granted at every PRT renewal. WHfB satisfies MFA by definition — the biometric or PIN unlock is a cryptographic operation against a TPM-bound key. Because PRT renewals happen every 4 hours, the MFA claim is continuously refreshed. Users with WHfB never hit an MFA re-prompt for Microsoft 365 apps.

With interactive MFA through WAM, the claim is granted once and persists based on the directory's token lifetime policies. It does not renew automatically with each PRT renewal.

PRTs are also partitioned by credential type. A user who has both a password and WHfB gets separate PRTs — one per credential. Each carries its own claims based on how the authentication was performed.

ℹ Conditional Access — When Policies Are Actually Evaluated

Conditional Access policies are not evaluated when a PRT is issued or renewed. They are only evaluated when an app requests an access token. The PRT carries device compliance and MFA claims, and WAM presents those claims to Entra ID when requesting app tokens. Entra ID evaluates the CA policy at that moment. This means a device can have a perfectly valid PRT and still fail to get an access token if CA requirements are not met at token request time.

How App Tokens Work — WAM Behaviour

Apps on Windows do not get direct access to the PRT. WAM (Web Account Manager) sits in the middle, and this is intentional.

When an app needs an access token:

  1. WAM checks its cache. If a valid refresh token for that app exists, WAM uses it — signing the request with the session key — to get a new access token.
  2. If no refresh token exists, WAM uses the PRT directly to acquire both an access token and a new refresh token for that app.
  3. The app gets the access token only. Refresh tokens are stored in WAM's cache, encrypted by DPAPI.

Apps never see or store refresh tokens themselves. This is why token theft from application storage is significantly harder on Windows than on platforms without WAM.

Checking PRT Status with dsregcmd

The single most useful command for PRT troubleshooting is dsregcmd /status. Run it as the user whose PRT you want to inspect — not as admin.

CMD / Terminal — dsregcmd /status output
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

         AzureAdPrt : YES
AzureAdPrtUpdateTime : 2026-07-07 08:14:33.000 UTC
AzureAdPrtExpiryTime : 2026-10-05 08:14:33.000 UTC
   DeviceAuthStatus : 0x0

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

       AzureAdJoined : YES
      EnterpriseJoined : NO
          DomainJoined : YES
        DomainName : CONTOSO
        TpmProtected : YES
         DeviceId : 4a7b3c2d-1e8f-4a6b-9c0d-2e3f4a5b6c7d
      Thumbprint : 3A4B5C6D7E8F9A0B1C2D3E4F5A6B7C8D9E0F1A2B
✓ Quick Diagnostic Tip — dsregcmd Fields to Check First

Always check these four fields in order: AzureAdPrt (does a PRT exist?), TpmProtected (is it TPM-bound?), DeviceAuthStatus (0x0 = no error; anything else = device key problem), and AzureAdPrtExpiryTime (when does it expire, and has it been renewing?). If AzureAdPrt is YES but SSO is broken, the session key is almost always the culprit — device re-registration without a proper cleanup leaves a stale PRT with a mismatched session key.

Get-PRTStatus.ps1
# Run as the signed-in user (not as admin) to get that user's PRT state
$output = & "$env:SystemRoot\System32\dsregcmd.exe" /status
$fields = @('AzureAdPrt', 'AzureAdPrtUpdateTime', 'AzureAdPrtExpiryTime',
             'DeviceAuthStatus', 'TpmProtected', 'AzureAdJoined')
$result = [ordered]@{}
foreach ($field in $fields) {
    $line = $output | Select-String "^\s*$field\s*:"
    if ($line) {
        $result[$field] = ($line.Line -split ':\s*', 2)[1].Trim()
    }
}
[PSCustomObject]$result
if ($result['AzureAdPrt'] -ne 'YES') {
    Write-Warning "No PRT found for current user. Check Entra join status and licensing."
}
if ($result['TpmProtected'] -ne 'YES') {
    Write-Warning "PRT is NOT TPM-protected. Keys are software-bound and extractable."
}

Checking TPM and Virtualisation-Based Security Status

Check-TPMAndVBS.ps1
# Check Virtualisation-Based Security status
# 0 = Disabled  |  1 = Enabled, not running  |  2 = Running
$vbs = (Get-CimInstance -ClassName Win32_DeviceGuard `
         -Namespace 'root\Microsoft\Windows\DeviceGuard').VirtualizationBasedSecurityStatus
Write-Host "VBS Status: $vbs" -ForegroundColor (if ($vbs -eq 2) { 'Green' } else { 'Red' })

$tpm = Get-CimInstance -ClassName Win32_Tpm `
         -Namespace 'root\CIMv2\Security\MicrosoftTpm' -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    Write-Warning "No TPM found. PRT private keys will be software-bound."
} else {
    Write-Host "TPM Version : $($tpm.SpecVersion)"
    Write-Host "TPM Enabled : $($tpm.IsEnabled_InitialValue)"
    Write-Host "TPM Activated: $($tpm.IsActivated_InitialValue)"
}

Reading PRT Events from the AAD Event Log

When you need to see exactly when a PRT was issued, renewed, or why it failed, the AAD operational log is your source.

📄 Event Viewer — Applications and Services Logs\Microsoft\Windows\AAD\Operational
LevelEvent IDTask CategoryDate/Time
● Information1098CloudAP: PRT successfully acquired for user contoso\jdoe07/07/2026 08:14
⚠ Warning1081CloudAP: PRT renewal attempt — session key mismatch07/06/2026 16:42
● Information1098CloudAP: PRT renewed — next renewal in 4 hours07/06/2026 12:14
✗ Error1098CloudAP: Failed to get PRT — DeviceAuthStatus: 0x1 (device key validation failed)07/05/2026 09:03
Get-AADPRTEvents.ps1
# Requires admin rights to read the AAD Operational log
$logName = 'Microsoft-Windows-AAD/Operational'
$events = Get-WinEvent -LogName $logName -MaxEvents 200 -ErrorAction SilentlyContinue |
           Where-Object { $_.Id -eq 1098 } |
           Select-Object TimeCreated, LevelDisplayName, Message -First 50
if ($null -eq $events) {
    Write-Warning "No events found. Enable with: wevtutil sl Microsoft-Windows-AAD/Operational /e:true"
} else {
    $events | Format-List
}

PRT Invalidation — When a PRT Stops Working

Trigger What happens Remediation
User deleted or disabled in Entra ID PRT rejected at next use Re-enable account
Device deleted or disabled in Entra ID Device key validation fails (DeviceAuthStatus: 0x1) Re-join device or re-register
Password change CloudAP discards old PRT, requests new one automatically Usually self-resolving; user may need to sign in once
TPM failure or replacement Keys lost — PRT unusable Windows initiates device re-registration recovery flow

Common Issues and Their Root Causes

AzureAdPrt: NO

The device has no PRT. Most common causes: the device is not Entra joined at all, the user account is not licensed, or there is a federation issue preventing the initial auth request from completing. Check AzureAdJoined: YES first. If the device is joined but the PRT is still missing, look at the AAD Operational log for errors around Event ID 1098.

DeviceAuthStatus: 0x1

Device key validation failed. This almost always means the device was deleted from Entra ID and re-registered, but the old PRT was not cleared. The PRT on the device references a device key that no longer exists in Entra ID. Unjoin and rejoin the device to generate fresh keys.

PRT Present but SSO Not Working

The device has a valid PRT, but apps still prompt for credentials. The most likely culprit is a session key mismatch — the session key embedded in the PRT does not match what the TPM can produce. This happens after a device re-registration where the TPM generated new keys but the old PRT was not replaced. Force a new PRT by running dsregcmd /leave followed by dsregcmd /join, or by signing out and back in.

⚠ Gotcha — Hybrid Joined PRT Issuance Is Asynchronous

On Hybrid Entra joined devices, PRT issuance does not happen during the interactive sign-in. It happens in the background after the sign-in completes. This means a user can successfully log into Windows — because domain authentication works — without yet having a PRT. If that user immediately opens a Microsoft 365 app, SSO may fail on the first attempt. The PRT arrives within minutes under normal conditions, but in slow network environments or at first login, there is a race condition. If users report SSO failures only at first sign-in after a reimage or new device setup, this async behaviour is usually the cause.

Non-Microsoft Credential Providers

Third-party credential providers are not supported for PRT issuance or renewal. CloudAP only processes credentials from Microsoft's own credential providers. If you are deploying third-party credential providers, verify that Windows Hello for Business or standard Microsoft password/PIN providers remain available and are used for at least one sign-in session to establish the PRT.

ADFS and Hybrid Renewal — No VPN Required

PRT renewal for ADFS-federated users does not require VPN or direct line-of-sight to a domain controller. Renewal only needs access to two ADFS endpoints:

These endpoints are accessible over the internet via the Web Application Proxy. PRT renewal for remote users works without any VPN infrastructure — worth noting when justifying the removal of always-on VPN in hybrid configurations.

Device Registration Key Visualisation

Entra Admin Centre — Device Detail View (Conceptual)
Cryptographic Keys Registered with Entra ID
Device Key — Public (dkpub)
Stored in Entra ID against device object. Used to verify device-signed auth requests.
Stored in Cloud
RSA-2048 | Thumbprint: 3A:4B:5C:6D:7E:8F:9A:0B…
Transport Key — Public (tkpub)
Stored in Entra ID. Used only to encrypt the session key when issuing a PRT.
Stored in Cloud
Device Key Private (dkpriv) & Transport Key Private (tkpriv)
Secured in TPM 2.0. Never leave the device. No export possible.
TPM-bound on device
Not accessible | TpmProtected: YES

What Stealing a PRT Actually Gets You

On a TPM-equipped device: nothing useful. Every request made with the PRT must be signed with the session key, and the session key is re-encrypted by the TPM using its own internal key. You cannot produce a valid session key signature without the TPM. An attacker who extracts the PRT blob from memory has a token they cannot use.

On a device without TPM: full account compromise. The keys are stored in software. The session key can be reconstructed. An attacker with the PRT blob and the session key material can forge signed requests and achieve SSO for every Microsoft 365 service the user has access to, from any machine, for up to 90 days.

This is why TPM 2.0 is non-negotiable in a Zero Trust device posture. The device compliance claim in your Conditional Access policies is worth far less without the cryptographic binding the TPM provides.

Conditional Access and the PRT — The Exact Interaction

The device compliance claim and MFA claim that your CA policies rely on come from the PRT. When a user signs in and the PRT is issued, CA policies are not evaluated. The PRT accumulates claims — device compliance status, MFA from WHfB or interactive MFA, registered device status. When WAM subsequently requests an access token for an app, Entra ID evaluates the CA policy at that moment against the claims in the PRT.

This is the mechanism behind seamless CA enforcement on managed devices: the user gets access tokens silently because the TPM-bound PRT carries the claims that satisfy the policy, and WAM handles the token exchange entirely in the background.

References

Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Entra ID
Entra Conditional Access: WHfB Enforcement Deadline July 2026
Microsoft's July 2026 deadline for phishing-resistant MFA enforcement is approaching.…
Entra ID
Microsoft Entra ID Complete Overview: Identity, SSO, Conditional…
The complete foundational guide to Microsoft Entra ID — what it is, how authentication…
Entra ID
PRT Not Working + Local Admin Missing on Entra Joined Device
Primary Refresh Token broken means no SSO to Microsoft 365. Local admin not applying…