MFA Behaviour on Azure AD Hybrid OR Registered Devices

Hello,


It was observed that, after changing the password in on-premises AD, a PRT was not issued (I kept checking using DsRegCmd) for almost 2 days. However, at the same time, access to M/O365 resources was not restricted or blocked due to the missing PRT. Strange; is this behaviour already known?

A Hybrid Windows 10 device being used by a user for whom a CA policy is enforced (if the user is using a Windows device then it must be Hybrid) has no relation to the PRT. Correct?

As long as the user is using a browser and is signed in (via the extension in the case of Chrome/Firefox), access is granted, as both browsers support user sign-in in Incognito / InPrivate mode.

I need to find a way to allow users to sign in in these browser modes as smoothly as possible, or rather, how are shared PC scenarios managed when AAD and hybrid device usage is mandatory via CA policy?

  1. Upon closing the browser, auto sign-out should happen.

  2. Another thing is that the CA policy will be applied to all users, and when this policy is active no user can sign in to the browser/extension. This policy has to be disabled first; only then will the user be able to set up sign-in in Incognito / InPrivate modes.

  3. But the problem still remains: what will happen when the user changes the PC?


BR,

/HS
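As an added example (not from the thread or from Microsoft): a PowerShell check that reads `dsregcmd /status` and reports whether the current user session holds an Azure AD PRT on a hybrid-joined device, which is the state a "require hybrid Azure AD joined device" CA policy depends on. The embedded sample output and its values are constructed, and the `-Live` switch is this script's own parameter.

```powershell
# Added example: assess PRT / hybrid-join state from dsregcmd /status.
# By default it parses a constructed sample so it runs anywhere; pass -Live
# on a domain-joined Windows 10/11 host to query the real tool. The PRT is
# per user, so run -Live in the affected user's own (non-elevated) session.
param([switch]$Live)

# Constructed sample in the dsregcmd /status layout (values are made up).
$sample = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
      AzureAdPrtUpdateTime : 2021-03-01 08:15:22.000 UTC
      AzureAdPrtExpiryTime : 2021-03-15 08:15:22.000 UTC
"@

function ConvertFrom-DsRegStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Field lines look like "<spaces>Name : Value"; box-drawing lines are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Get-PrtAssessment {
    param([hashtable]$State)
    $hybrid = ($State['AzureAdJoined'] -eq 'YES') -and ($State['DomainJoined'] -eq 'YES')
    $hasPrt = $State['AzureAdPrt'] -eq 'YES'
    [pscustomobject]@{
        HybridJoined   = $hybrid
        HasPrt         = $hasPrt
        PrtUpdateTime  = $State['AzureAdPrtUpdateTime']
        PrtExpiryTime  = $State['AzureAdPrtExpiryTime']
        # Device-based CA is evaluated from the device claim carried in the PRT;
        # without a PRT the session has no device identity to present.
        CanPresentDeviceClaim = $hybrid -and $hasPrt
    }
}

$raw = if ($Live) { dsregcmd /status } else { $sample -split "`r?`n" }
Get-PrtAssessment -State (ConvertFrom-DsRegStatus -Lines $raw) | Format-List
```

On the constructed sample this reports HybridJoined true, HasPrt false and CanPresentDeviceClaim false, the state the original post describes after the password change.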

2 Replies
Hello, I will only direct you to this page so you can do your own reading when it comes to PRT: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

Hello,

Many thanks for the response!

I think I found the solution to the scenario: using the "Run as different user" option is able to overcome the extension sign-in requirement.

When using "Run as different user", the user can simply and easily sign in to Office 365 straight away; no blocking/restricting message anymore.

This means "Run as different user" is able to generate a PRT with the Device ID, as the user is able to sign in straight away.

BR,
/HS