Will PRT get updated when RT is updated by Entra ID?

testuser7 286 Reputation points
2025-05-27T12:07:47.1633333+00:00

Hello

I have a question around Entra ID, Windows 11, WAM, PRT (primary refresh token) and RT (refresh token).

My understanding is that WAM stores and updates two different physical tokens for a user, i.e., PRT and RT.

Let's say user1@tenant1 unlocks the device with a password. A PRT settles on the device, which will be stamped with password.

user1 opens one installed app1 representing client-id1, which asks WAM to get an access token (AT). Since there is no RT for user1-clientid1, WAM will use the PRT and get RT1 and AT1 from Entra.

Now user1, while working on app1, asks WAM to get AT2 where audience = resource R2.

As WAM has an RT for this user-client combo, it will send RT1 to get AT2 from Entra.

Since R2 was enforcing FIDO2, the user will complete FIDO authentication. Entra will send a new RT with FIDO stamped in it along with AT2.

My question is: will this transaction with Entra also update the PRT so that the PRT also has FIDO in it?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Jose Benjamin Solis Nolasco 3,511 Reputation points
    2025-05-27T12:19:42.9233333+00:00

    @testuser7 I hope you are doing well; responding to your question below:

    "My question is: will this transaction with Entra also update the PRT so that the PRT also has FIDO in it?"

    • The PRT is not updated simply because a refresh token exchange occurred with FIDO2 enforcement for an individual resource. The PRT is tied to the device and initial authentication method.
    • When a user authenticates with FIDO2 for a specific app/resource during a token refresh, that credential is only applied to the RT/token issued for that client/resource.

    The PRT is only updated (re-stamped with new claims like FIDO2 or MFA) if:

    • The user re-authenticates in a context that results in issuance of a new PRT (e.g., sign-out and sign-in again, or system-initiated PRT refresh with stronger auth).
    • The Entra Conditional Access policies or Token Protection policies require PRT refresh with new auth methods.

    Please read this documentation, which further details why the PRT is not updated simply because of a refresh token exchange.

    See https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token

    https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-primary-refresh-token

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!


  2. testuser7 286 Reputation points
    2025-05-27T15:24:12.36+00:00

    Thanks @Jose Benjamin Solis Nolasco for your prompt response. But did you try to practically check it out? I will be surprised by your findings. Try doing the following:

    user1@tenant1 unlocks the device with a password. A PRT settles on the device, which will be stamped with password.

    user1 opens one installed app1 representing client-id1, which asks WAM to get an access token (AT). Since there is no RT for user1-clientid1, WAM will use the PRT and get RT1 and AT1 from Entra. Now user1, while working on app1, asks WAM to get AT2 where audience = resource R2. As WAM has an RT for this user-client combo, it will send RT1 to get AT2 from Entra. Since R2 was enforcing FIDO2, the user will complete FIDO authentication. Entra will send a new RT with FIDO stamped in it along with AT.

    Now the moment of truth.

    user1 opens another installed app2 and requests an AT for the same audience = resource R2. No challenge happens. Remember there was NO RT for the user1-app2 combination.

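One practical way to run the check the reply above proposes, as an added example that is not part of this thread: snapshot the device's PRT state with `dsregcmd /status` (built into Windows) before and after the FIDO2 step in the scenario, then compare the PRT update time. The field names parsed (AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtExpiryTime, AzureAdPrtAuthority) are the ones dsregcmd prints in its SSO State section; the `-Sample` switch and the dsregcmd lines it feeds in are constructed here so the parser can be exercised off a joined device. dsregcmd does not expose the PRT's claims, so a moved update time shows the PRT was re-issued by Entra, not which authentication method it was stamped with.

```powershell
# Added example, not from the original Q&A thread.
# Snapshot PRT state via "dsregcmd /status" before and after a WAM token request
# and report whether the PRT's update time changed in between.

function Get-PrtState {
    [CmdletBinding()]
    param(
        # Constructed dsregcmd output for offline use; omit on a real device to run dsregcmd.
        [switch]$Sample
    )
    $lines = if ($Sample) {
        @(
            '| SSO State |',
            '                AzureAdPrt : YES',
            '      AzureAdPrtUpdateTime : 2025-05-27 11:58:12.000 UTC',
            '      AzureAdPrtExpiryTime : 2025-06-10 11:58:12.000 UTC',
            '       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000',
            '             EnterprisePrt : NO'
        )
    } else {
        & dsregcmd.exe /status
    }

    $state = [ordered]@{}
    foreach ($line in $lines) {
        # dsregcmd prints padded "Name : Value" lines; keep only the Entra PRT fields.
        if ($line -match '^\s*(AzureAdPrt(?:UpdateTime|ExpiryTime|Authority)?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Compare-PrtState {
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    # A changed update time means Entra re-issued the PRT between the two snapshots.
    # It does not say which claims (MFA/FIDO) the new PRT carries; dsregcmd does not
    # expose them. WAM also renews the PRT on its own schedule, so keep the window
    # between snapshots short and repeat the test before drawing a conclusion.
    [pscustomobject]@{
        PrtPresent       = ($Before.AzureAdPrt -eq 'YES' -and $After.AzureAdPrt -eq 'YES')
        UpdateTimeBefore = $Before.AzureAdPrtUpdateTime
        UpdateTimeAfter  = $After.AzureAdPrtUpdateTime
        PrtReissued      = ($Before.AzureAdPrtUpdateTime -ne $After.AzureAdPrtUpdateTime)
    }
}

# Usage on the test device, following the thread's steps:
#   $before = Get-PrtState           # after unlocking with password, before opening app1
#   ... in app1, request the token for R2 and complete the FIDO2 prompt ...
#   $after  = Get-PrtState
#   Compare-PrtState -Before $before -After $after
#
# Offline smoke test of the parser against the constructed sample:
#   Get-PrtState -Sample | Format-List
```

Run both snapshots as the same signed-in user; the `PrtReissued` result is only meaningful if `PrtPresent` is true in both, and a second run with app2 (no RT cached for it yet) tells you whether the following request was served from the PRT without a challenge, which is the observation the reply describes.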
