How can a Windows 10 device that is Hybrid AAD joined, using a YubiKey to log in, SSO to M365 resources?

Charlie 0 Reputation points
2023-09-14T06:30:21.07+00:00

Hello, 

Could you please help. 

A Windows 10 device with Hybrid AAD join. After logging in using a YubiKey, when does it get the PRT and then become able to SSO to M365 resources? Is it necessary to log in with an account and password to obtain the PRT? The following is my understanding of the YubiKey login process. There was no interaction with AAD during this process, so it is unclear when the PRT was obtained. What I think the authentication flow using the YubiKey is as follows:

  1. Insert the YubiKey into the terminal, enter the PIN, and touch the YubiKey.

  2. YubiOn cloud communication is performed to verify the authentication.

  3. If the authentication is OK, the password information is passed to Windows authentication.
     The Windows password is manually entered by the user the first time; encrypted, saved information is used for the second and subsequent times.

  4. Authentication is performed by Windows using the password (authentication here is performed by communicating with AD). This is not FIDO.

  5. If the authentication by AD is successful, the user is logged on.

Thanks in advance. 


1 answer

  1. Fabio Andrade 0 Reputation points Microsoft Employee
    2023-09-14T22:45:10.5133333+00:00

    Hi @Charlie

    With a Hybrid Azure AD Joined client, it's recommended to enable SSO to on-premises resources as per this document - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises

    With that enabled, the authentication flow occurs as follows, resulting in the user getting a TGT and a PRT:

    1. A user signs in to a Windows 10 device with a FIDO2 security key and authenticates to Azure AD.
    2. Azure AD checks the directory for a Kerberos Server key that matches the user's on-premises Active Directory domain.
    3. Azure AD generates a Kerberos TGT for the user's on-premises Active Directory domain. The TGT includes the user's SID only, and no authorization data.
    4. The TGT is returned to the client along with the user's Azure AD Primary Refresh Token (PRT).
    5. The client machine contacts an on-premises Active Directory Domain Controller and trades the partial TGT for a fully formed TGT.
    6. The client machine now has an Azure AD PRT and a full Active Directory TGT and can access both cloud and on-premises resources.

    Let me know if you have further questions.
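As an added example (not code from this thread or from Microsoft), the following PowerShell script checks on the client whether the end state the answer describes was actually reached: the device is Hybrid Azure AD joined, a PRT was issued for the signed-in user, and a Kerberos TGT for the on-premises realm is in the ticket cache. It assumes the standard key/value layout of `dsregcmd /status` and the standard `klist` output, and must run in the user's own (non-elevated) session because PRT state is per user.

```powershell
# Added diagnostic, not part of the original Q&A. Confirms the FIDO2 sign-in
# produced both a PRT and an on-premises TGT on this Hybrid AAD joined client.

function Get-DsregStatus {
    # Parse "dsregcmd /status" lines of the form "   Key : Value" into a hashtable.
    # The key group stops at the first colon, so values containing colons
    # (timestamps, URLs) are kept whole.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-KerberosTgt {
    # Parse "klist" output and return the service names of cached TGTs,
    # i.e. tickets whose Server line is krbtgt/<REALM>.
    $servers = @()
    foreach ($line in (klist)) {
        if ($line -match '^\s*Server:\s*(krbtgt/\S+)') {
            $servers += $matches[1]
        }
    }
    return $servers
}

$s    = Get-DsregStatus
$tgts = @(Get-KerberosTgt)

$checks = [ordered]@{}
$checks['Hybrid AAD joined (AzureAdJoined=YES, DomainJoined=YES)'] = ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'YES')
$checks['PRT present for this user (AzureAdPrt=YES)']              = ($s['AzureAdPrt'] -eq 'YES')
$checks['On-premises TGT cached (krbtgt/<REALM> in klist)']        = ($tgts.Count -gt 0)

foreach ($name in $checks.Keys) {
    $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    "[{0}] {1}" -f $mark, $name
}

# Extra context: when the PRT was last refreshed and which realm issued the TGT.
if ($s.ContainsKey('AzureAdPrtUpdateTime')) { "PRT last updated: $($s['AzureAdPrtUpdateTime'])" }
if ($tgts.Count -gt 0) { "TGT(s): $($tgts -join ', ')" }
```

If the PRT check passes but the TGT check fails, the user authenticated to Azure AD but the partial-TGT exchange with a domain controller did not complete, which points at the on-premises SSO configuration rather than the FIDO2 sign-in itself.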