Impossible to sign in with different user account
Hello
In Edge, please add a profile for your personal account - for me it works.
Then the browser logs in automatically when synchronization is enabled for the logged in user.
Best regards
Deleted wrote:
Hello
In Edge, please add a profile for your personal account - for me it works.
Then the browser logs in automatically when synchronization is enabled for the logged in user.
Best regards
Thanks for the suggestion, but I do not want to sign in to an Edge profile.
- Deleted, Oct 12, 2021
Does this mean that to write this post you have to enter your Microsoft account password every time?
I don't understand your problem.
- johnnie88, Dec 08, 2025, Copper Contributor
Hello DanielNiccoli,
here are the most recent changes to logon behavior, and all of the concepts below about the impact of the recent login behaviour make it a new approach:
What is the expected Windows offline logon behavior when an Entra ID–joined device is disconnected from the internet and cannot reach Entra ID authentication endpoints?
When an Entra ID–joined Windows 10/11 device is disconnected from the internet and cannot reach Microsoft Entra ID authentication endpoints, the expected logon behavior is as follows:
- Requirement for Prior Login: The user must have successfully signed in to the device while connected to the internet at least once to establish a local user profile and cache credentials.
- Authentication Mechanism: Windows uses cached credentials (derived from the user's password or PIN) to locally validate the sign-in attempt. This mechanism verifies the entered credentials against the securely stored hash from the last successful online logon.
- Role of the PRT: The Primary Refresh Token (PRT) is not directly used for the local desktop logon credential validation. The PRT's primary function is to enable Single Sign-On (SSO) to Entra ID and cloud resources (like Microsoft 365) after the user has logged into the Windows desktop. If the device is offline, the PRT cannot be refreshed, but the user can still log in to the desktop using cached credentials.
- First-Time Login: Any first-time login attempt by a new user will fail when offline because there are no cached credentials or a local user profile to validate against, and the device cannot connect to the federated Identity Provider (Okta) through Entra ID.
Please refer to the links below:
- https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token
- https://learn.microsoft.com/en-us/entra/identity/devices/faq (see Snippet 1.1: "Users who didn't sign in previously can't access the device. There are no cached username and password enabled for them.", which confirms the necessity of a prior online sign-in to establish the cached profile)
When offline authentication succeeds, is it based on cached credentials or local validation of an existing Primary Refresh Token (PRT)? In other words, does cached credential login leverage the PRT?
So, offline authentication on an Entra ID–joined device relies on cached credentials, but the Primary Refresh Token (PRT) governs the duration of offline access.
- Offline Validation: Windows' Local Security Authority (LSA) uses the securely cached credential hash (password or PIN) from the user's last successful online logon to locally validate the sign-in. This is the mechanism that grants immediate desktop access.
- PRT Control: The cached credentials do not last indefinitely. The device checks the status of the cached PRT. The PRT has a non-configurable maximum lifetime (typically 90 days). If the device remains offline and the PRT expires, all cached credentials and keys are rendered invalid, and the user will be blocked from desktop sign-in until an internet connection is restored for PRT renewal.
- Key Distinction: The PRT is not used to verify the password, but it is used to determine if the user's local session is still authorized by the cloud identity system for offline use.
You can refer to: https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/windows-logon-scenarios
Is the number of allowed offline logons or the duration of offline access controlled by any Conditional Access policies (e.g., Sign-in Frequency, Persistent Browser Session settings)?
No, Conditional Access (CA) policies do not govern offline Windows desktop sign-in or its maximum duration, because:
Scope of CA Policies (Online Only): CA policies, such as Sign-in Frequency and Persistent Browser Session, are strictly applied during online authentication to control cloud access sessions.
- They instruct Entra ID when to ask the user to re-authenticate (e.g., provide MFA) to renew the PRT or an access token for a cloud resource (like Microsoft 365).
- They cannot enforce reauthentication or session expiry when the device is disconnected from Entra ID because the local logon relies on cached credentials, not a real-time cloud check.
Offline Behavior is PRT-Bound: Offline sign-in uses cached credentials (a password hash) stored locally by the operating system. The validity of these cached credentials is tied to the integrity and lifetime of the Primary Refresh Token (PRT).
- Fixed Time Limit: The maximum duration for which a user can log in with cached credentials while offline is governed by the PRT's non-configurable 90-day maximum lifetime.
- Enforcement: If the device cannot connect to Entra ID to renew the PRT within that 90-day period, the PRT expires, and the local cached credentials become invalid, effectively blocking the user from desktop access until an online connection is restored. CA policies do not change this 90-day limit.
Please refer to the following for a better understanding:
- https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token?tabs=windows-prt-issued%2Cbrowser-behavior-windows%2Cwindows-prt-used%2Cwindows-prt-renewal%2Cwindows-prt-protection%2Cwindows-apptokens%2Cwindows-browsercookies%2Cwindows-mfa
- https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-session-lifetime
- https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes
If the device does not have a valid PRT (for example, user profile newly created while offline), can the user still log in offline in a federated authentication scenario?
No, offline login will fail if the user profile was never created while online, because:
- Profile Creation Requirement: For an Entra ID–joined device, the first successful sign-in must occur online so that the device can validate credentials against Entra ID (or the federated IdP like Okta), and Windows can create the local user profile and cache the credential hash.
- PRT Role: A Primary Refresh Token (PRT) is issued during online sign-in for cloud resource access and SSO. If the device is offline and no PRT exists (because the user never signed in online), there is no cached credential or token. Therefore, the system cannot authenticate the user locally.
- Federated Authentication Impact: Federation (e.g., Okta) does not change this behavior. The device still needs an initial online handshake with Entra ID to establish the identity and cache credentials.
Does the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" have any effect on Entra ID–joined systems without a Domain Controller?
No, this policy does not apply to Microsoft Entra ID–joined devices, because:
- Policy Scope: The Group Policy setting "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" is designed for Active Directory Domain Services (AD DS) environments. It controls how many previous logons are cached for domain accounts when a domain controller is unreachable.
- Entra ID–Joined Devices: These devices do not rely on a domain controller; they authenticate against Microsoft Entra ID. Offline sign-in for Entra ID accounts uses cached credentials stored locally by Windows, independent of this policy. Changing this setting has no effect on Entra ID–joined systems because the mechanism for caching is different and not governed by AD DS policies.
Hope this helps somehow and gives you some clarity! If it answered your question, please consider clicking Accept Answer and Upvote. This will help us and others in the community as well. If you need more info, feel free to ask in the comments. Happy to help!
Regards,
johnnie88
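The reply above makes two claims an administrator will want to verify on a real machine: that offline desktop sign-in on an Entra ID–joined device is bounded by the PRT lifetime rather than by Conditional Access, and that the "Interactive logon: Number of previous logons to cache" policy only matters for AD DS domain accounts. The following read-only PowerShell script is an added example, not code from the thread or from Microsoft; it reports the device join state, whether a PRT is present and when it was last refreshed, and the registry value behind that Group Policy, then states which mechanism governs offline logon. It assumes Windows 10/11 with the built-in dsregcmd.exe, and that the field names it parses (AzureAdJoined, DomainJoined, AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtExpiryTime) and the timestamp format match typical `dsregcmd /status` output, which can vary between builds. The 90-day figure is the one quoted in the reply, not a value read from the device.

```powershell
# Added example (not part of the thread): summarise what governs offline sign-in on this device.
# Assumptions: Windows 10/11, dsregcmd.exe available (ships with Windows), and the dsregcmd
# field names below match this build's output. Run as an administrator for a complete view.

function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    # dsregcmd prints "Name : Value" pairs; return the value of the first match, or $null
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*:\s*(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

function Get-OfflineLogonSummary {
    $status = dsregcmd /status 2>$null

    $azureAdJoined = (Get-DsregField $status 'AzureAdJoined') -eq 'YES'
    $domainJoined  = (Get-DsregField $status 'DomainJoined')  -eq 'YES'
    $hasPrt        = (Get-DsregField $status 'AzureAdPrt')    -eq 'YES'
    $prtUpdateTime = Get-DsregField $status 'AzureAdPrtUpdateTime'
    $prtExpiryTime = Get-DsregField $status 'AzureAdPrtExpiryTime'

    # Assumed timestamp format: "yyyy-MM-dd HH:mm:ss.fff UTC". Parsing is best-effort only.
    $daysUntilPrtExpiry = $null
    if ($prtExpiryTime) {
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParse(($prtExpiryTime -replace '\s+UTC$', ''), [ref]$parsed)) {
            $parsedUtc = [datetime]::SpecifyKind($parsed, [DateTimeKind]::Utc)
            $daysUntilPrtExpiry = [math]::Round(($parsedUtc - (Get-Date).ToUniversalTime()).TotalDays, 1)
        }
    }

    # This registry value backs the Group Policy "Interactive logon: Number of previous logons
    # to cache (in case domain controller is not available)". It only affects AD DS domain accounts.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cachedLogonsCount = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
        -ErrorAction SilentlyContinue).CachedLogonsCount

    # Decide which mechanism bounds offline desktop sign-in, following the reasoning in the reply.
    if ($domainJoined) {
        $governedBy = 'AD DS cached logons (CachedLogonsCount applies to domain accounts)'
    } elseif ($azureAdJoined) {
        $governedBy = 'Cached credentials bounded by PRT lifetime (90 days per the thread); CachedLogonsCount has no effect'
    } else {
        $governedBy = 'Not domain or Entra ID joined; only local accounts sign in offline'
    }

    [pscustomobject]@{
        AzureAdJoined            = $azureAdJoined
        DomainJoined             = $domainJoined
        HasPrt                   = $hasPrt
        PrtUpdateTime            = $prtUpdateTime
        PrtExpiryTime            = $prtExpiryTime
        DaysUntilPrtExpiry       = $daysUntilPrtExpiry
        CachedLogonsCount        = $cachedLogonsCount
        CachedLogonsCountApplies = $domainJoined
        OfflineLogonGovernedBy   = $governedBy
    }
}

Get-OfflineLogonSummary | Format-List
```

On an Entra ID–joined (not hybrid) device the output should show AzureAdJoined as True, DomainJoined as False and CachedLogonsCountApplies as False, regardless of what CachedLogonsCount holds; the PRT timestamps are the values to watch when a device is expected to stay offline for a long period, since a stale or missing PRT is the condition under which the reply says cached sign-in stops working.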