With a Hybrid Azure AD Joined client, it's recommended to enable SSO to on-premises resources as per this document - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises
With that enabled, the authentication flow occurs as follows, resulting in the user getting a TGT and a PRT:
- A user signs in to a Windows 10 device with a FIDO2 security key and authenticates to Azure AD.
- Azure AD checks the directory for a Kerberos Server key that matches the user's on-premises Active Directory domain.
- Azure AD generates a Kerberos TGT for the user's on-premises Active Directory domain. The TGT includes the user's SID only, and no authorization data.
- The TGT is returned to the client along with the user's Azure AD Primary Refresh Token (PRT).
- The client machine contacts an on-premises Active Directory Domain Controller and trades the partial TGT for a fully formed TGT.
- The client machine now has an Azure AD PRT and a full Active Directory TGT and can access both cloud and on-premises resources.
Let me know if you have further questions.
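As an added example (not part of the reply above, and not Microsoft's own code), the following PowerShell checks each side of the flow described: that the Azure AD Kerberos Server object exists in the tenant and its key version matches the on-premises object, and that the signed-in client actually ended up holding both an Azure AD PRT and a full on-premises TGT. The domain name, credentials and key-age threshold are placeholders; the directory check assumes the AzureADHybridAuthenticationManagement module is installed and that the property names returned by Get-AzureADKerberosServer are as documented for that cmdlet (KeyVersion, CloudKeyVersion, CloudKeyUpdatedOn).

```powershell
# Added example, not from the original post. Placeholder domain; replace with your own.
$DomainDnsName = 'contoso.com'

function Get-DsregValue {
    # Pull one "Name : Value" field out of the output of dsregcmd /status.
    param([string[]]$StatusOutput, [string]$Name)
    foreach ($line in $StatusOutput) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(\S+)") { return $Matches[1] }
    }
    return 'NOT FOUND'
}

function Test-ClientTokens {
    # Client side: a Hybrid Azure AD Joined device that completed the flow should
    # report AzureAdJoined/DomainJoined/AzureAdPrt = YES, and klist should show a
    # cached krbtgt ticket for the on-premises realm (the full TGT from the DC).
    param([string]$Domain)
    $status = dsregcmd /status
    $tickets = klist 2>&1 | Out-String
    [pscustomobject]@{
        AzureAdJoined = Get-DsregValue -StatusOutput $status -Name 'AzureAdJoined'
        DomainJoined  = Get-DsregValue -StatusOutput $status -Name 'DomainJoined'
        AzureAdPrt    = Get-DsregValue -StatusOutput $status -Name 'AzureAdPrt'
        # -match is case-insensitive, so CONTOSO.COM vs contoso.com both match.
        HasOnPremTgt  = [bool]($tickets -match "krbtgt/$([regex]::Escape($Domain))")
    }
}

function Test-AzureADKerberosServer {
    # Directory side: the object Azure AD looks up in step 2 of the flow.
    # Requires the AzureADHybridAuthenticationManagement module plus Global Admin
    # and Domain Admin credentials (the same ones used to create the object).
    param(
        [string]$Domain,
        [pscredential]$CloudCredential,
        [pscredential]$DomainCredential,
        [int]$MaxKeyAgeDays = 180   # placeholder threshold, set to your rotation policy
    )
    Import-Module AzureADHybridAuthenticationManagement -ErrorAction Stop
    $server = Get-AzureADKerberosServer -Domain $Domain `
        -CloudCredential $CloudCredential -DomainCredential $DomainCredential
    if (-not $server) { throw "No Azure AD Kerberos Server object found for $Domain" }

    # The on-prem and cloud copies of the key must agree, otherwise the partial
    # TGT issued by Azure AD cannot be exchanged at the DC.
    $versionsMatch = ($server.KeyVersion -eq $server.CloudKeyVersion)
    $keyAgeDays = ((Get-Date) - [datetime]$server.CloudKeyUpdatedOn).Days
    [pscustomobject]@{
        Domain        = $Domain
        KeyVersion    = $server.KeyVersion
        CloudKeyVer   = $server.CloudKeyVersion
        VersionsMatch = $versionsMatch
        KeyAgeDays    = $keyAgeDays
        NeedsRotation = ($keyAgeDays -gt $MaxKeyAgeDays)
    }
}

# Usage on the client as the signed-in user:
$client = Test-ClientTokens -Domain $DomainDnsName
$client | Format-List
if ($client.AzureAdPrt -ne 'YES' -or -not $client.HasOnPremTgt) {
    Write-Warning 'Client does not hold both a PRT and an on-premises TGT; SSO flow did not complete.'
}

# Usage from an admin workstation (prompts for both credential sets):
# $check = Test-AzureADKerberosServer -Domain $DomainDnsName `
#     -CloudCredential (Get-Credential -Message 'Azure AD Global Admin') `
#     -DomainCredential (Get-Credential -Message 'On-prem Domain Admin')
# if (-not $check.VersionsMatch) { Write-Warning 'Cloud and on-prem key versions differ' }
# if ($check.NeedsRotation) { Write-Warning 'Rotate with Set-AzureADKerberosServer -RotateServerKey' }
```

If the client reports AzureAdPrt = YES but no krbtgt ticket for the domain, the partial TGT came back from Azure AD but the exchange with a domain controller in step 5 did not happen; check line-of-sight to a DC and that the Kerberos Server object's key versions match before looking elsewhere.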