How can a Win10 device that is Hybrid AAD joined, with the user logging in using a YubiKey, SSO to M365 resources?

Charlie 0 Reputation points
2023-09-14T06:30:21.07+00:00

Hello, 

Could you please help. 

A Win10 device with Hybrid AAD join. After logging in using a YubiKey, when does it get the PRT and then become able to SSO to M365 resources? Is it necessary to log in with an account and password to obtain a PRT? The following is my understanding of the YubiKey login process. There was no interaction with AAD during this process, so it is unclear when the PRT was obtained. What I think the authentication flow using the YubiKey looks like is as follows:

  1. Insert the YubiKey into the terminal, enter the PIN, and touch the YubiKey.
  2. YubiOn cloud communication is performed to verify the authentication.
  3. If the authentication is OK, the password information is passed to Windows authentication. The Windows password is manually entered by the user the first time; encrypted, saved information is used for the second and subsequent logins.
  4. Authentication is performed by Windows using the password (authentication is performed here by communicating with AD). This is not FIDO.
  5. If the authentication by AD is successful, the user is logged on.

Thanks in advance. 

Tags: Windows 10, Microsoft Entra ID

3 answers

  1. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2023-09-14T22:45:10.5133333+00:00

    Hi @Charlie

    With a Hybrid Azure AD Joined client, it's recommended to enable SSO to on-premises resources as per this document - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises

    With that enabled, the authentication flow occurs as follows, resulting in the user getting a TGT and a PRT:

    1. A user signs in to a Windows 10 device with a FIDO2 security key and authenticates to Azure AD.
    2. Azure AD checks the directory for a Kerberos Server key that matches the user's on-premises Active Directory domain.
    3. Azure AD generates a Kerberos TGT for the user's on-premises Active Directory domain. The TGT includes the user's SID only, and no authorization data.
    4. The TGT is returned to the client along with the user's Azure AD Primary Refresh Token (PRT).
    5. The client machine contacts an on-premises Active Directory Domain Controller and trades the partial TGT for a fully formed TGT.
    6. The client machine now has an Azure AD PRT and a full Active Directory TGT and can access both cloud and on-premises resources.

    Let me know if you have further questions.

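The flow in the answer above ends with three artifacts on the device: the Azure AD PRT, the partial TGT issued by Azure AD, and the full TGT obtained from the on-premises DC. The following PowerShell script is an added example, not part of the question or of Fabio's answer, that checks for all three on the Windows 10 device after sign-in. It assumes the field names that `dsregcmd /status` prints in its SSO State section (AzureAdPrt, AzureAdPrtExpiryTime, CloudTgt, OnPremTgt) and the realm name of the Azure AD partial TGT, KERBEROS.MICROSOFTONLINE.COM, both as they appear on Windows 10 2004 and later. Whether the user reached the desktop through a FIDO2 sign-in or through a password supplied by a key-based credential provider, this device state is what decides whether M365 and on-premises SSO will work, so it answers the "when did it get the PRT" question empirically.

```powershell
# Added example (not from the question or the answer above): verify on a
# Hybrid Azure AD Joined Windows 10 device that sign-in produced the Azure AD
# PRT (step 4) and both Kerberos TGTs (steps 5 and 6).
# Run it in the signed-in user's own session, unelevated; dsregcmd.exe and
# klist.exe ship with Windows. The realm name below and the dsregcmd field
# names are assumptions about what Windows 10 2004+ prints, not page content.

# Azure AD issues the partial TGT for this realm; the on-prem DC exchanges it
# for a full TGT in the user's AD domain realm.
$CloudKerberosRealm = 'KERBEROS.MICROSOFTONLINE.COM'

function Get-DsregSsoState {
    # Parse the "SSO State" section of "dsregcmd /status" into a hashtable,
    # e.g. AzureAdPrt, AzureAdPrtExpiryTime, OnPremTgt, CloudTgt.
    $state = @{}
    $inSso = $false
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\|\s*SSO State') { $inSso = $true; continue }
        if ($inSso -and $line -match '^\|\s*\w') { break }   # next section header
        if ($inSso -and $line -match '^\s*([A-Za-z]+)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-KerberosTgt {
    # Return every krbtgt ticket in the current logon session's cache,
    # together with the realm that issued it.
    $tgts = @()
    foreach ($line in (& klist.exe)) {
        if ($line -match 'Server:\s*krbtgt/(\S+)\s*@\s*(\S+)') {
            $tgts += [pscustomobject]@{
                Service = "krbtgt/$($Matches[1])"
                Realm   = $Matches[2]
            }
        }
    }
    return $tgts
}

function Test-CloudKerberosSso {
    # Combine dsregcmd's view (PRT and TGT flags) with the ticket cache.
    $sso  = Get-DsregSsoState
    $tgts = Get-KerberosTgt
    $cloudTgt  = @($tgts | Where-Object { $_.Realm -eq $CloudKerberosRealm })
    $onPremTgt = @($tgts | Where-Object { $_.Realm -ne $CloudKerberosRealm })
    $onPremRealm = if ($onPremTgt.Count -gt 0) { $onPremTgt[0].Realm } else { $null }

    [pscustomobject]@{
        AzureAdPrt           = $sso['AzureAdPrt']            # YES once step 4 completed
        AzureAdPrtExpiryTime = $sso['AzureAdPrtExpiryTime']
        CloudTgt             = $sso['CloudTgt']              # YES: partial TGT from Azure AD
        OnPremTgt            = $sso['OnPremTgt']             # YES: full TGT from the DC
        CloudTgtInCache      = ($cloudTgt.Count -gt 0)
        OnPremTgtInCache     = ($onPremTgt.Count -gt 0)
        OnPremRealm          = $onPremRealm
    }
}

Test-CloudKerberosSso | Format-List

# Anything other than YES/True above means the user reached the desktop without
# the cloud Kerberos trust path (for example, a password logon handled by a
# third-party credential provider) or that the Kerberos Server object for the
# domain was never created in Azure AD.
```

Step 2 of the flow depends on the Kerberos Server object existing in Azure AD for the on-premises domain; the linked document's `Get-AzureADKerberosServer` cmdlet (from the AzureADHybridAuthenticationManagement module) reports whether it does. That cmdlet needs both Azure AD Global Administrator and domain administrator credentials, so run it from an administrative workstation rather than as part of the per-device check above. Note also that the partial TGT carries only the user's SID: the on-premises DC, not Azure AD, builds the authorization data (the PAC) when it exchanges the partial TGT for the full one, which is why the device must reach a DC before on-premises SSO works even though the PRT alone already covers M365.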

  2. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2023-10-12T22:11:16.3133333+00:00

    Hi @Charlie

    I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.


  3. Fabio Andrade 1,660 Reputation points Microsoft Employee
    2023-10-17T21:07:49.6566667+00:00

    Hi @Charlie

    I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

