Forum Discussion
Is system-preferred first factor overriding Single Sign-On?
My colleagues and I have noticed that we've started being prompted to perform a Windows Hello for Business authentication when we use Edge to access web resources that are authenticated with Entra. Previously, this authentication occurred silently through Single Sign-On with the PRT, per Understanding Primary Refresh Token (PRT) in Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn.
While investigating what might have caused this change in behavior, I found MC1411574 in the M365 Message Center, which talks about a change to system-preferred authentication that started rolling out in late June 2026, whereby it now applies to the first factor as well as multi-factor authentication. I excluded myself from system-preferred authentication and sure enough, that seems to have restored the previous behavior.
Is it intended that this change to system-preferred authentication will disable SSO, or do we have something misconfigured?
1 Reply
Your test suggests system-preferred authentication is selecting Windows Hello for Business, but that does not mean the Primary Refresh Token is disabled. A valid PRT can still provide SSO through the Windows broker. The prompt more likely means this request requires fresh or stronger authentication instead of accepting the existing session silently.
Compare a prompted sign-in with a silent one in Entra sign-in logs. Review Authentication Details, Conditional Access, resource, client app, and any fresh-authentication requirement. On the device, run dsregcmd /status and confirm AzureAdPrt is YES. Test both a normal Edge profile and InPrivate to separate PRT behavior from browser cookies.
Keep the exclusion scoped while investigating; do not disable system-preferred authentication tenant-wide yet. If the logs show no policy difference, open a Microsoft support case with the correlation IDs, timestamps, device registration state, and rollout configuration.