PRT refresh during windows signin

Question

Hello,

We all know that Microsoft Entra CloudAP plugin renews the PRT every 4 hours during Windows sign in. If the user doesn't have internet connection during that time, CloudAP plugin will renew the PRT after the device is connected to the internet.

What is the exact definition of windows sign in ?

When you just unlock the locked windows box, is it called windows signin event ?

OR

Only on the rebooted device when user signs in is called windows signin event ?

OR

Both

Thanks.

Answer 1

Hello,

Thank you for posting in Q&A forum.

The term "Windows sign-in" generally refers to the process of entering credentials (username and password, PIN, or biometric data) to access a Windows account on a device. This may happen in the following situations:

1. When starting or restarting the device: This is the most common situation for Windows login. Once your device boots up, you'll need to enter your credentials to access your account.
2. When unlocking your device: If your account is locked (either manually by you or automatically due to inactivity), you will need to log in again to unlock it.
3. When switching users: If you switch from one account to another on the same device, this is also considered a login event.

So what you said about unlocking the locked login box and restarting the device are considered Windows login events.

For Windows sign-in options, please refer to the following link: Windows sign-in options and account protection - Microsoft Support

I hope the information above is helpful.

Best Regards,

Yanhong Liu

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Thanks @Yanhong Liu for your accurate answer.

The reason I asked this is because the PRT refresh every 4 hours is NOT FULLY APPLICABLE to LOCKED DEVICE

You lock your AAD-joined device D1Now if you change your AAD password using some different device then new password will work to unlock the device D1. It does not matter if you are unlocking with new password within 4 hours or after 4 hours. This is fine.However, the old password will also work even if your device is in locked state for more than 4 hours

Old password should NOT work after 4 hours of lock time. Because this tells that PRT refresh DID NOT kick off by cloudAP

Answer 3

@testuser7

Old password should NOT work after 4 hours of lock time. Because this tells that PRT refresh DID NOT kick off by cloudAP

Password change: If a user obtained the PRT with their password, the PRT is invalidated by Microsoft Entra ID when the user changes their password. Password change results in the user getting a new PRT. This invalidation can happen in two different ways:

• If user signs in to Windows with their new password, CloudAP discards the old PRT and requests Microsoft Entra ID to issue a new PRT with their new password. If user doesn't have an internet connection, the new password can't be validated, Windows might require the user to enter their old password.
• If a user has logged in with their old password or changed their password after signing in to Windows, the old PRT is used for any WAM-based token requests. In this scenario, the user is prompted to reauthenticate during the WAM token request and a new PRT is issued.

If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.

Thanks,

Akshay Kaushik