In Azure AD there are two fundamental object types: devices & users.

Understanding users and devices is important for:

  • Identity (Authentication & Authorisation)

  • Application assignment

  • Configuration Policy assignment

  • Conditional Access

Devices

Resources

What are devices in Azure AD?

An endpoint (laptop, desktop, phone) that exists as an object in Azure AD.

How are devices added to Azure AD?

Devices are either Azure AD joined or Azure AD registered.

  • Azure AD joined → Azure AD joined only.

  • Hybrid AD joined → AD joined + Azure AD registered (this is what the tick box is for when you sign in and it says “Allow my organization to manage my device”).

  • Azure AD registered only → non-domain joined + Azure AD registered.

Users

Resources:

What is a User in Azure AD?

An account, usually tied to a single person (a 1:1 mapping).

A user is uniquely identified by a GUID (objectGUID). Think of this as an ID that stays unique and permanent even if the user changes their name or email.

Users have several attributes associated with them.

  • GUID ← permanent/immutable.

  • User Principal Name (UPN) ← usually used as the username, and usually the same as the user’s email address.

  • Email

  • First Name

  • Last Name

  • Location

  • Department etc.

  • proxyAddresses

What’s so special about Azure AD join or Azure AD registration?

An Azure AD joined or Azure AD registered device is eligible to obtain a Primary Refresh Token (PRT).

Normally when you log in to a website in your browser – let’s say on a home PC – the site will store an access token (in a cookie, local storage or session storage). This access token has a lifetime of X hours, after which you will need to log in again.
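As an added example (not code from the original post, and not Microsoft's), the following Python parses the `Name : Value` lines printed by `dsregcmd /status` and maps them onto the three join types listed above and the PRT eligibility just described. The dsregcmd output embedded below is constructed for the example; the field names (AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt, TpmProtected) are the ones the tool prints, and the mapping of those flags onto the three join types is this example's own.

```python
"""Classify a device's Azure AD join type and PRT status from `dsregcmd /status` output.

Added example: parses the 'Name : Value' lines that dsregcmd prints and maps the
flags onto the three join types above. The sample output is constructed.
"""
import re
import subprocess
import sys

# Constructed excerpt in the layout of `dsregcmd /status`; values are illustrative only.
SAMPLE_DSREGCMD_OUTPUT = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000000
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2021-03-01 08:15:00.000 UTC
      AzureAdPrtExpiryTime : 2021-03-15 08:15:00.000 UTC

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
"""

# A field line is "<name> : <value>"; the box-drawing header lines never have that shape.
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text: str) -> dict:
    """Return {field: value} for every 'Name : Value' line in dsregcmd output."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def _yes(fields: dict, name: str) -> bool:
    return fields.get(name, "").upper() == "YES"


def join_type(fields: dict) -> str:
    """Map dsregcmd flags to the join types above:
    AzureAdJoined + DomainJoined -> Hybrid; AzureAdJoined alone -> Azure AD joined;
    WorkplaceJoined alone -> Azure AD registered."""
    if _yes(fields, "AzureAdJoined"):
        return "Hybrid AD joined" if _yes(fields, "DomainJoined") else "Azure AD joined"
    if _yes(fields, "WorkplaceJoined"):
        return "Azure AD registered"
    return "Not joined or registered"


def prt_status(fields: dict) -> dict:
    """Summarise PRT eligibility, presence and whether the device key is TPM-backed."""
    jt = join_type(fields)
    return {
        "join_type": jt,
        "prt_eligible": jt != "Not joined or registered",  # joined or registered devices can get a PRT
        "has_prt": _yes(fields, "AzureAdPrt"),
        "tpm_protected": _yes(fields, "TpmProtected"),
        "prt_expiry": fields.get("AzureAdPrtExpiryTime"),
    }


if __name__ == "__main__":
    # With "--live" on a Windows device, read the real tool; otherwise use the constructed sample.
    if "--live" in sys.argv:
        text = subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_DSREGCMD_OUTPUT
    for key, value in prt_status(parse_dsregcmd(text)).items():
        print(f"{key:>14}: {value}")
```

Collected across a fleet, the `tpm_protected` flag is the one a defender cares about most: a device reporting a PRT with `TpmProtected : NO` is holding that long-lived token in software rather than in the TPM lock box described below.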

Token type        | Purpose/example                                                | Duration
Refresh Token/PRT | To request a new access token                                  | 90 days of inactivity; until revoked if active
Access Token      | To access a specific application                               | 10 minutes to 1 day depending on the application
Session Token     | An application in the same browser window that you keep using | Until revoked

A PRT is a long-term refresh token that is stored on the device, using a TPM where possible for extra security. Because a PRT can request new access tokens it is very valuable, so it needs to be stored in a strong lock box – the TPM. The PRT allows a user to obtain a new access token without having to reauthenticate.

Once issued, a PRT is valid for 90 days (since 30 Jan 2021; the Microsoft PRT documentation linked below hasn’t been updated, and the new inactivity limit is specified here) and is continuously renewed (rolling refresh) while the user is actively using the device. So if a user goes on long service leave for 93 days without turning on their device, they will need to reauthenticate.

Microsoft’s documentation is very detailed. Even if you don’t understand it at first (I had to read it through 4-5 times), I recommend reading it at least once, as it will help with many identity issues. Primary Refresh Token (PRT) and Azure AD – Azure Active Directory | Microsoft Docs

Another blog post worth reading is this article; its top half goes into depth but explains many of the concepts in layman’s terms:

Abusing Azure AD SSO with the Primary Refresh Token – dirkjanm.io

Token lifetimes (updated 2021): Configurable token lifetimes – Microsoft identity platform | Microsoft Docs

When is a PRT invalidated or revoked?

  1. Invalid user – the user is deleted/disabled in Azure AD.

  2. Invalid device – the device is deleted/disabled in Azure AD.

  3. Password change – quoting Microsoft: After a user changes their password, the PRT obtained with the previous password is invalidated by Azure AD. Password change results in the user getting a new PRT. This invalidation can happen in two different ways:

    • If a user signs in to Windows with their new password, CloudAP discards the old PRT and requests Azure AD to issue a new PRT with their new password. If the user does not have an internet connection, the new password cannot be validated, and Windows may require the user to enter their old password.

    • If a user has logged in with their old password or changed their password after signing into Windows, the old PRT is used for any WAM-based token requests. In this scenario, the user is prompted to reauthenticate during the WAM token request and a new PRT is issued.

  4. TPM issues – remember that the PRT is stored in the TPM. This is similar to the “TPM error” seen at some stores.
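To make the rolling 90-day inactivity rule and the revocation conditions above concrete, here is an added Python model (not the post's or Microsoft's code; the PrtState event model, its field names and the sample timelines are constructed for this example). It walks a PRT's usage timeline and reports whether the token is still valid at a given moment and, if not, which of the rules above invalidated it, including the 93-day leave case from the text.

```python
"""Added model of when a PRT stays valid or is invalidated under the rules above.

The 90-day rolling inactivity limit and the revocation causes come from the text;
the PrtState event model and the sample timelines are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Rolling limit: measured from the most recent use, not from the original issuance.
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class PrtState:
    issued_at: datetime
    uses: List[datetime] = field(default_factory=list)  # sign-ins/WAM token requests that renew the PRT
    user_enabled: bool = True          # user deleted/disabled in Azure AD -> invalid
    device_enabled: bool = True        # device deleted/disabled in Azure AD -> invalid
    password_changed_at: Optional[datetime] = None  # change after issuance -> old PRT invalid
    tpm_healthy: bool = True           # the PRT lives in the TPM; a TPM fault makes it unusable


def evaluate_prt(state: PrtState, now: datetime) -> dict:
    """Return {'valid': bool, 'reason': str, ...} for the PRT at time `now`."""
    if not state.user_enabled:
        return {"valid": False, "reason": "invalid user (deleted/disabled)"}
    if not state.device_enabled:
        return {"valid": False, "reason": "invalid device (deleted/disabled)"}
    if state.password_changed_at is not None and state.password_changed_at > state.issued_at:
        return {"valid": False, "reason": "password changed after the PRT was issued"}
    if not state.tpm_healthy:
        return {"valid": False, "reason": "TPM issue, PRT not usable"}

    # Rolling refresh: every use inside the window pushes the expiry out by another 90 days.
    last_activity = state.issued_at
    for use in sorted(state.uses):
        if use > now:
            break
        if use - last_activity > INACTIVITY_LIMIT:
            return {"valid": False,
                    "reason": f"lapsed before the use on {use.date()} (gap > 90 days); reauthentication required"}
        last_activity = use
    if now - last_activity > INACTIVITY_LIMIT:
        return {"valid": False, "reason": "inactive for more than 90 days"}
    return {"valid": True, "reason": "valid", "expires_if_unused": last_activity + INACTIVITY_LIMIT}


# Constructed timelines (all in 2021) illustrating the rules.
ISSUED = datetime(2021, 2, 1)


def long_service_leave() -> dict:
    """The 93-day leave from the text: no use at all, so the PRT lapses."""
    return evaluate_prt(PrtState(issued_at=ISSUED), now=datetime(2021, 5, 5))


def regular_user() -> dict:
    """Monthly use keeps the PRT alive well beyond 90 days from issuance."""
    uses = [datetime(2021, m, 1) for m in range(3, 8)]
    return evaluate_prt(PrtState(issued_at=ISSUED, uses=uses), now=datetime(2021, 7, 20))


def gap_then_return() -> dict:
    """A 106-day gap between uses: the PRT had already lapsed before the second use."""
    uses = [datetime(2021, 3, 1), datetime(2021, 6, 15)]
    return evaluate_prt(PrtState(issued_at=ISSUED, uses=uses), now=datetime(2021, 6, 16))


def password_changed() -> dict:
    """Password changed after issuance: the old PRT is invalidated regardless of activity."""
    st = PrtState(issued_at=ISSUED, uses=[datetime(2021, 2, 10)],
                  password_changed_at=datetime(2021, 2, 20))
    return evaluate_prt(st, now=datetime(2021, 2, 21))


if __name__ == "__main__":
    for scenario in (long_service_leave, regular_user, gap_then_return, password_changed):
        print(f"{scenario.__name__:>20}: {scenario()}")
```

The point of the timeline walk is that "90 days" is not a fixed expiry date: `regular_user` is still valid more than five months after issuance because each use restarts the window, while `gap_then_return` shows that a single gap longer than 90 days forces a fresh sign-in even though the user eventually comes back.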