May 09 2021 (last edited on Jan 14 2022)
We are attempting to do Hybrid Device Join for Windows 10; for authentication we have federation set up using on-prem AD Fed <-> Azure AD.
1. There is a new thing noticed: when a user (synced to AAD) is using Office 365 ProPlus
2. They get a message to let their organization manage this device
3. If the user clicks Yes/OK, the username and device are registered in Azure AD
4. After which it is noticed that there is no need for a username/password for the user to sign in
5. In fact it is observed that no requests are forwarded to the IDP/STS anymore; when this registration happens, a connected work/school account gets registered on Windows 10 in Settings
6. Is the token used here this PRT??? Because running DsRegCmd /Debug /Status does not show AzureADPRT as NO
7. However, when the same device is Hybrid joined, running the above command very clearly shows AzureADPRT as YES along with its issuance, validity, expiry details etc.
8. So what is the difference between the two, and what exactly is the above one?
9. Also, specific to Federation and PRT: when the device is Hybrid, AzureADPrt can be seen on the device during this Federation auth flow, especially on the very first logon right after the device has been made hybrid. There is a specific token processor used here called "UsernameTokenProcessor"; it is seen here that lsass has the user password in clear text, which is exchanged in a TLS session.
How to stop this?
How to stop Windows from keeping the clear text password?
What are the implications, and how to monitor/analyze???
May 10 2021 12:16 AM
@Himanshu Singh Hi, have you read this?
Azure AD joined or Hybrid Azure AD joined:
A PRT is issued during Windows logon when a user signs in with their organization credentials. A PRT is issued with all Windows 10 supported credentials, for example, password and Windows Hello for Business. In this scenario, Azure AD CloudAP plugin is the primary authority for the PRT.
Azure AD registered device:
A PRT is issued when a user adds a secondary work account to their Windows 10 device. Users can add an account to Windows 10 in two different ways.
- Adding an account via the Use this account everywhere on this device prompt after signing in to an app (for example, Outlook)
- Adding an account from Settings > Accounts > Access Work or School > Connect
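To tell the scenarios above apart on a given machine (Hybrid joined vs. a registered work/school account, and whether a PRT is present), the relevant facts are the AzureAdJoined, DomainJoined, WorkplaceJoined and AzureAdPrt fields that dsregcmd prints. The following is an added example, not code from this thread or from Microsoft: it parses the `Name : Value` lines of `dsregcmd /status` output and classifies the device. The two dumps embedded in it are constructed samples, not captures from a real device.

```python
import re
import subprocess

# Constructed sample (not real output): a domain-joined device that has also
# been Azure AD joined, i.e. Hybrid, whose signed-in user holds a PRT.
SAMPLE_HYBRID = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
                DomainName : CONTOSO
                AzureAdPrt : YES
      AzureAdPrtExpiryTime : 2021-05-23 08:12:44.000 UTC
           WorkplaceJoined : NO
"""

# Constructed sample: domain-joined only, user added a work/school account
# (the "let your organization manage this device" case).
SAMPLE_REGISTERED = """
             AzureAdJoined : NO
              DomainJoined : YES
           WorkplaceJoined : YES
"""

LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text):
    """Collect the `Name : Value` lines; box-drawing banner lines are skipped."""
    return {m.group(1).strip(): m.group(2)
            for m in (LINE_RE.match(ln) for ln in text.splitlines()) if m}


def classify_device(text):
    """Return (join_type, prt_present, prt_expiry) for one dsregcmd dump."""
    f = parse_dsregcmd(text)
    aad, dom = f.get("AzureAdJoined") == "YES", f.get("DomainJoined") == "YES"
    if aad and dom:
        join = "hybrid-azure-ad-joined"
    elif aad:
        join = "azure-ad-joined"
    elif f.get("WorkplaceJoined") == "YES":
        join = "azure-ad-registered"   # work account added, device itself not joined
    else:
        join = "not-joined"
    return join, f.get("AzureAdPrt") == "YES", f.get("AzureAdPrtExpiryTime")


if __name__ == "__main__":  # on a Windows host, inspect the live device
    out = subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True).stdout
    print(classify_device(out))
```

Running this periodically (or feeding it collected dsregcmd dumps) gives a quick inventory of which machines are truly Hybrid joined versus merely carrying a registered account, and when each PRT expires.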
@Himanshu Singh Hello, this isn't really within my "comfort zone" but I will answer anyway hoping someone else might fill in.
1. As far as I know it's used for obtaining the AAD PRT using PingFederate (are you using that?)
2. I'm just linking to these
3. I can't say to be honest. It depends on the needs of your organization. If possible though, you should consider leaving federation or at least introduce PHS on top of ADFS (in my opinion).