Commit 5998cd7

Merge pull request #106765 from vtsarik/patch-2
Add details about periodic session key roll on (H)AADJ-ed devices
2 parents 0c42a0b + 33c8c05 commit 5998cd7

1 file changed

+4
-1
lines changed

articles/active-directory/devices/concept-primary-refresh-token.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ The following Windows components play a key role in requesting and using a PRT:
3636
A PRT contains claims found in most Azure AD refresh tokens. In addition, there are some device-specific claims included in the PRT. They are as follows:
3737

3838
* **Device ID**: A PRT is issued to a user on a specific device. The device ID claim `deviceID` determines the device the PRT was issued to the user on. This claim is later issued to tokens obtained via the PRT. The device ID claim is used to determine authorization for Conditional Access based on device state or compliance.
39-
* **Session key**: The session key is an encrypted symmetric key, generated by the Azure AD authentication service, issued as part of the PRT. The session key acts as the proof of possession when a PRT is used to obtain tokens for other applications.
39+
* **Session key**: The session key is an encrypted symmetric key, generated by the Azure AD authentication service, issued as part of the PRT. The session key acts as the proof of possession when a PRT is used to obtain tokens for other applications. Session key is rolled on Windows 10 or newer Azure AD joined or Hybrid Azure AD joined devices if it's older than 30 days.
4040

4141
### Can I see what’s in a PRT?
4242

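Review bot: The added sentence on the new line 39 needs an article and a clearer referent: "Session key is rolled ... if it's older than 30 days" leaves "it" ambiguous between the session key and the PRT it is issued with. Suggest "The session key is rolled on Windows 10 or newer Azure AD joined or Hybrid Azure AD joined devices when the key is older than 30 days." It would also help the reader to say what triggers the roll (for example, whether it happens at the next PRT refresh), since the sentence only gives the age threshold.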
@@ -133,6 +133,9 @@ A PRT can get a multifactor authentication (MFA) claim in specific scenarios. Wh
133133

134134
Windows 10 or newer maintain a partitioned list of PRTs for each credential. So, there’s a PRT for each of Windows Hello for Business, password, or smartcard. This partitioning ensures that MFA claims are isolated based on the credential used, and not mixed up during token requests.
135135

136+
> [!NOTE]
137+
> When using password to sign into Windows 10 or newer Azure AD joined or Hybrid Azure AD joined device, MFA during WAM interactive sign in may be required after session key associated with PRT is rolled.
138+
136139
## How is a PRT invalidated?
137140

138141
A PRT is invalidated in the following scenarios:
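Review bot: The new note at lines 136-138 states the effect (an MFA prompt during WAM interactive sign-in) but not the reason; the paragraph directly above says MFA claims are partitioned per credential, so one clause tying the rolled session key to the password PRT's MFA claim would make the note self-explanatory. Grammar in the same note: "When using password to sign into ... device" should read "When using a password to sign in to a Windows 10 or newer Azure AD joined or Hybrid Azure AD joined device", and "after session key associated with PRT is rolled" should read "after the session key associated with the PRT is rolled". "WAM" is not expanded in this hunk; if the article does not define it earlier, spell out Web Account Manager on first use.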
