Bind Refresh Tokens To Device using Windows OnBoard Tools

  • Question

  • Hi all,

    I am new to using this forum. I'd like to talk about refresh tokens one more time. It is clear that these tokens have to be stored securely.

    One scenario we would like to prevent is that when a device stores a refresh token and the device backup is stored in the cloud, an attacker could read from the token store in case he was able to steal the backup.

    To avoid such a scenario, a solution could be to bind the token to the device on which it is stored, right?

    A short time ago somebody told me that there is a MS Windows 10 onboard solution to bind tokens to a device. Unfortunately he is not available anymore.

    Is anybody aware of such an onboard solution to bind tokens to a device?

    Thanks and kind regards,

    Seb

    Monday, November 11, 2019 8:39 AM

Answers

  • Hi Seb,

    It is the Primary Refresh Token (PRT) that binds to a device as it contains Device ID and Session Key. PRT is issued to a device when it is:

    • Azure AD Joined
    • Hybrid Azure AD Joined
    • Azure AD Registered

    PRT is valid for 14 days and is renewed every 4 hrs as long as the user is actively working on the device. PRT gets invalidated in the scenarios below:

    • Invalid user
    • Invalid device
    • Password change
    • TPM Issues

    For more details, please refer to https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token. This document also includes the detailed flow in the scenarios below:

    • PRT issuance during first sign in
    • PRT renewal in subsequent logons
    • PRT usage during app token requests
    • Browser SSO using PRT

    Hope this would help.

    --------------------------------------------------------------------------------------------------------------------

    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

    Tuesday, November 12, 2019 4:01 AM
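A defender-side check that follows from the answer above, added here as an example and not code from the thread or from Microsoft: it parses the join state and PRT status that the built-in `dsregcmd /status` prints on Windows 10 and compares the PRT renewal time against the 14-day validity and 4-hour renewal cadence quoted in the answer. The field names are those dsregcmd prints; the timestamp format and the sample output block are assumptions constructed so the script runs on any machine.

```powershell
# Added example (not code from this thread): read the join state and Primary Refresh Token
# (PRT) status printed by "dsregcmd /status" and assess it against the lifetimes quoted
# in the answer (14-day validity, renewal every 4 hours while the user is active).
# Field names are those dsregcmd prints; the timestamp format and the sample block are assumed.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Rows look like "   AzureAdPrt : YES"; keys are alphanumeric, values may contain colons.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Get-PrtAssessment {
    param([hashtable]$Status, [datetime]$Now = (Get-Date).ToUniversalTime())
    $joinState = if ($Status['AzureAdJoined'] -eq 'YES' -and $Status['DomainJoined'] -eq 'YES') { 'Hybrid Azure AD joined' }
                 elseif ($Status['AzureAdJoined'] -eq 'YES') { 'Azure AD joined' }
                 elseif ($Status['WorkplaceJoined'] -eq 'YES') { 'Azure AD registered' }
                 else { 'not joined: no PRT is issued to this device' }
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $findings.Add('No PRT present: sign-in on this device is not using a device-bound token.')
    } else {
        $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor [System.Globalization.DateTimeStyles]::AdjustToUniversal
        $updated = [datetime]::ParseExact(($Status['AzureAdPrtUpdateTime'] -replace ' UTC$', ''),
                                          'yyyy-MM-dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture, $styles)
        $age = $Now - $updated
        if ($age.TotalDays -gt 14) {
            $findings.Add("PRT expired: last renewed $([int]$age.TotalDays) days ago (14-day lifetime).")
        } elseif ($age.TotalHours -gt 4) {
            # Renewal runs every 4 h only while the user is active; a stale PRT may also have been
            # invalidated (invalid user or device, password change, TPM issue).
            $findings.Add("PRT not renewed for $([int]$age.TotalHours) h: user inactive or PRT invalidated.")
        }
        if ($Status['TpmProtected'] -ne 'YES') { $findings.Add('Session key is not TPM-protected: binding is software-only.') }
    }
    [pscustomobject]@{ JoinState = $joinState; HasPrt = ($Status['AzureAdPrt'] -eq 'YES'); Findings = $findings }
}

# Constructed sample in the dsregcmd layout; on a real device use: dsregcmd /status
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
              TpmProtected : YES
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2019-11-11 08:39:00.000 UTC
'@ -split "`r?`n"
Get-PrtAssessment -Status (ConvertFrom-DsregStatus $sample) -Now ([datetime]::new(2019, 11, 12, 4, 1, 0, [DateTimeKind]::Utc))
```

On a real device, replace the sample with `(dsregcmd /status)` to assess the local machine; the constructed sample reports a PRT that has gone well past its 4-hour renewal window.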

All replies

  • seb1163

    I wanted to check with you if the above response helped in answering your query. If yes, I would request you to please mark the response as "Answer" by selecting the option "Mark as answer", so that it helps others visiting the forum with similar queries.

    Wednesday, November 13, 2019 6:33 AM
  • Hi @seb1163

    This is to follow up on this thread if the above response was helpful. Please let me know if you have any further questions.

    Please "mark as answer" or "vote as helpful" if the information provided helps you to help others in the community.

    Thank you!

    Friday, November 15, 2019 8:39 AM
  • Please let us know if you were able to resolve the issue from the replies before. If you still have more questions please let us know with some additional information regarding your question and we'll try to resolve it. It may require additional support escalation if we are unable to resolve this on this msdn thread. 

    If there are no more follow-ups in regards to this, I will be marking an answer as answer. If you feel your question has not been answered please let us know any more pending asks and we can try to follow up accordingly.

    thanks,

    - Frank H.

    Tuesday, November 26, 2019 8:07 PM
    I'm following up on this; please let us know if there are any more questions. As it looks like this issue has been resolved within the scope of the MSDN Thread Question, I will be marking the response as answer. Please let me know if your question has not been answered, and I can go ahead and unmark it as answer, or feel free to mark it as unanswered yourself. Also please remember to post future questions on the new Q&A Forums here: https://docs.microsoft.com/answers/index.html Thanks

    Wednesday, December 11, 2019 7:11 PM