PRT renewal

Question

PRT renewal

testuser7 286

I have one quick binary question about PRT Renewal.

It is very well documented as shown in attached diagram that when any app requests access-token from WAM and if WAM uses existing PRT, AAD can get access-token along with new PRT (based on refresh-cycle)

My question is , can WAM do this work periodically for any client-app WITHOUT BEING INITIATED by client-app ??

Meaning will WAM sense out that it is the time to get new access-token ready even though client-app has not requested ?

User's image

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-09-04T16:46:16.6566667+00:00

@testuser7

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

1 answer

Your answer

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-09-04T16:46:16.6566667+00:00

@testuser7

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer(Yes)" and "share you feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Answer 1

Akshay-MSFT 17,961 Microsoft Employee Moderator

@testuser7

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you wanted to know, if WAM plugin will request a new access token at the threshold time without app requesting it (just like refresh token)?

The answer to this would be "NO", WAM would not authorize to renew PRT to get access token until requested by the application:

The WAM plugin can renew the PRT during these token requests in two different ways:

An app requests WAM for an access token silently but there’s no refresh token available for that app. In this case, WAM uses the PRT to request a token for the app and gets back a new PRT in the response.
An app requests WAM for an access token but the PRT is invalid or Azure AD requires extra authorization (for example, Azure AD Multifactor Authentication). In this scenario, WAM initiates an interactive logon requiring the user to reauthenticate or provide extra verification and a new PRT is issued on successful authentication.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

testuser7 286 Reputation points

2023-09-06T13:54:34.26+00:00

Excellent @Akshay Kaushik That helps.

One thing on that note,

As we know device gets a new PRT when user unlocks the device after more than 4 hours of lock time. When such refresh of PRT happens, would the new PRT will have all the authentication-methods that user has validated and stored in exiting PRT ???

And my second Q. is,

Would device keep two separate PRTs for two different signs methods used to unlock the device ??

So for eg., I use username-password to unlock my AAD-join win10 device. After few hours I reboot and this time I use my Fingerprint (windows-hello) to unlock the same device. I believe this time physically a new PRT is obtained and in play with different refresh cycle.

Thanks.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-09-06T14:27:59.7066667+00:00

@testuser7

Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device. The CloudAP plugin renews the PRT every 4 hours during Windows sign in. If the user doesn't have internet connection during that time, CloudAP plugin will renew the PRT after the device is connected to the internet.

Only during first sign in, a PRT is issued by signing requests using the device key cryptographically generated during device registration.

Regardless if user login with UPN and password or Windows hello, the PRT will keep renewing and not issued again until expired.

Thanks,

Akshay Kaushik

Since your primary query on this post has been answered I would request you to "Accept the answer" (Yes), and share your feedback. This will help us and others in the community as well.
testuser7 286 Reputation points

2023-09-06T14:47:17.4466667+00:00

@Akshay Kaushik your last explanation is confusing me. My question was very binary. Would my device have 2 different PRTs one when I used password and one when I used fingerprint ??

you also said, the PRT will keep renewing and not issued again until expired. What do you mean ? Isn't Renewing same as Issuing ??
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-09-06T15:37:13.8333333+00:00

My question was very binary. Would my device have 2 different PRTs one when I used password and one when I used fingerprint ?? No, device will not have 2 PRT. For token renewal process kindly follow PRT renewal during subsequent logon. Thanks, Akshay Kaushik. Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
testuser7 286 Reputation points

2023-09-06T16:30:29.7833333+00:00

Got it @Akshay-MSFT ...so let me confirm and solidify what you are saying.

The same user , can keep changing the method use to sign into the win10 device. Today he uses password, next day Windows-hello, then following day he might use FIDO2 Yubikey.

But this will NOT create more than one PRT in this device for him. There is always a SINGLE PRT in the device and this PRT will keep refreshed based on the refresh-cycle which is 4 hours.

Am I right so far ???
testuser7 286 Reputation points

2023-09-07T11:52:12.9633333+00:00

Hi @Akshay-MSFT As you have been very prompt in helping and reply, hope I did not confuse you by my query nor you found it boring.

Thanks.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-09-07T12:22:41.6+00:00
@testuser7

Thanks for your time and patience, I missed the previous comment though. PFB answer to your queries:

The same user , can keep changing the method use to sign into the win10 device. Today he uses password, next day Windows-hello, then following day he might use FIDO2 Yubikey.

Yes, for Azure AD joined or Hybrid Azure AD joined: A PRT is issued with all Windows 10 or newer supported credentials, for example, password and Windows Hello for Business. In this scenario, Azure AD CloudAP plugin is the primary authority for the PRT.

But this will NOT create more than one PRT in this device for him. There is always a SINGLE PRT in the device and this PRT will keep refreshed based on the refresh-cycle which is 4 hours.

Yes, device would hold only one PRT.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
testuser7 286 Reputation points

2023-09-07T15:17:23+00:00

Thanks @Akshay-MSFT for your confirmation !!! It is always nice to talk with right persons.

I have one follow up question and that is about "Expiry of PRT"

When we hit dsregcmd /status we see that PRT's AzureAdPrtExpiryTime which is exactly 14 days from the last update time.

Is this 14 day duration accurate ? Meaning, if I do not refresh my PRT then after 14 days it will expire and on 15th day I can NOT use this PRT to get token for any app.

Is the above statement true especially when the Sign-in-Frequency configured in CA-policy is greater then 14 days.

In other words "PRT-expiry configuration" will override "Sign-in-Frequency configuration" ??
testuser7 286 Reputation points

2023-09-08T15:01:38.5666667+00:00

@Akshay-MSFT Interesting point. Isn't it ??

If you find answer, please let me know. I trying other ways too.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-09-18T04:25:49.82+00:00

@testuser7 ,

I would recommend to raise a different thread with different queries, since primary query on this thread has been responded, it may cause confusion to the rest of community members who may have similar doubt. Also, please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Share via

PRT renewal

1 answer

Your answer