Forum Discussion

Himanshu Singh's avatar
Himanshu Singh
Iron Contributor
May 09, 2021

Windows 10 Hybrid Join User Authentication for PRT

Hello Team,   We are attempting to do Hybrid Device Join for Windows 10, for Authentication we have federation setup using Onprem AD Fed <-> Azure AD   1. There is new thing noticed is when a us...
ChristianJBergstrom's avatar
ChristianJBergstrom
MVP

Himanshu Singh Hi, have you read this?

 

Azure AD joined or Hybrid Azure AD joined:

 

A PRT is issued during Windows logon when a user signs in with their organization credentials. A PRT is issued with all Windows 10 supported credentials, for example, password and Windows Hello for Business. In this scenario, Azure AD CloudAP plugin is the primary authority for the PRT.

 

Azure AD registered device:

 

A PRT is issued when a user adds a secondary work account to their Windows 10 device. Users can add an account to Windows 10 in two different ways.
- Adding an account via the Use this account everywhere on this device prompt after signing in to an app (for example, Outlook)
- Adding an account from Settings > Accounts > Access Work or School > Connect

 

Primary Refresh Token (PRT) and Azure AD - Azure Active Directory | Microsoft Docs

Himanshu Singh's avatar
Himanshu Singh
Iron Contributor
May 15, 2021
Hello,

We are a bit further now on this, Yes all of this is known, that is how we are able to understand and share this much

however my concerns are may be not clear in the last post
1. This UTP Username Token Processor can this be disabled and still have the PRT feature continue to work fine ?

2. What other Authentication scheme can be used here, what about Pass-Thru is it more secure then Federation ?

3. If Federation is still the most secure which one should be used ADFS / PingFed which one has better security capabilities which is more equipped to mitigate all sorts identity related attacks

BR,
/HS
  • ChristianJBergstrom's avatar
    ChristianJBergstrom
    MVP
    May 15, 2021

    Himanshu Singh Hello, this isn't really within my "comfort zone" but I will answer anyway hoping someone else might fill in.

     

    1. As far as I know it's used obtaining the AAD PRT using pingfederate (are you using that?)

     

    2. I'm just linking to these

    Decision tree 

    Comparing methods

    Recommendations

     

    3. I can't say to be honest. It depends on the needs of your organization. If possible though, you should consider leaving federation or at least introduce PHS on top of ADFS (in my opinion).

    • Himanshu Singh's avatar
      Himanshu Singh
      Iron Contributor
      May 16, 2021
      Well thats the idea of putting it out in/to the community so that others can also share......
      • ChristianJBergstrom's avatar
        ChristianJBergstrom
        MVP
        May 16, 2021
        I get that. But that wasn't the point now was it? As I usually don't reply to questions about PRT and pingfederate I only mentioned that as I actually hope someone with experience from it will join the conversation. So instead of commenting only that, did the reading in the docs about the different approaches make things clearer for you? I think the decisions tree is simple and effective. If not, perhaps you should consider reaching out to the official support with a service request.

        From my experience being in the community every day for over a year people tend to avoid conversations like these (too many questions) in case you wondering why no one else might not reply.

Resources