In the evolving landscape of identity management, the Primary Refresh Token (PRT) stands as a cornerstone of seamless single sign-on (SSO) in Microsoft Entra ID. As devices increasingly operate in hybrid environments—online, offline, or in hibernation—understanding how to control PRT delayed renewal is essential for security admins and architects. Delayed renewal refers to the postponement of PRT updates during periods of disconnection, allowing cached SSO while balancing risk.
This technical deep-dive explores PRT mechanics, indirect control mechanisms (since direct timeline tweaks aren’t available), working configuration examples, expanded scenarios, and practical tips. We’ll leverage tables for clarity and draw from official Microsoft documentation to ensure accuracy as of late 2025. Whether you’re enforcing stricter security in a high-risk sector or optimizing for user experience, these insights will help you fine-tune PRT behavior.
PRT Renewal Mechanics: The Foundation
A PRT is a device-bound artifact enabling SSO across Entra-integrated apps on platforms like Windows, iOS, macOS, and Android. It’s issued during device registration or join and includes claims for user identity, device compliance, and more.
Key Timelines
- Validity Period: 90 days, with continuous renewal during active use.
- Renewal Interval: Every 4 hours via the CloudAP plugin during Windows sign-in. For apps, the Web Account Manager (WAM) plugin renews PRTs under conditions like silent token requests without a refresh token or when the PRT is invalid (e.g., requiring MFA).
- Delayed Renewal: If offline (e.g., due to network disconnect or hibernation), renewal pauses until reconnection and a qualifying event (e.g., sign-in or app token request). Cached PRTs remain usable for SSO up to the 90-day limit.
- Offline Handling: No immediate termination; PRTs support offline SSO, but renewal requires internet for CloudAP or WAM checks.
These intervals (4 hours, 90 days) are fixed and non-configurable directly, as per Microsoft’s design for consistency. However, policies can indirectly cap effective lifetimes by forcing re-authentication on reconnect.
Table 1: PRT Renewal Triggers and Conditions
| Trigger Type | Description | Interval/Condition | Offline Impact |
|---|---|---|---|
| CloudAP Plugin | Renews during Windows sign-in. | Every 4 hours | Delayed until reconnect + sign-in |
| WAM Plugin | Renews via app token requests (silent or interactive). | On-demand (e.g., invalid PRT) | Delayed; cached PRT used until reconnect |
| Inactivity Expiry | PRT expires if unused. | After 90 days | Full expiry; re-auth required |
| Event-Based | Password change or revocation invalidates PRT. | Immediate on detection | Cached until reconnect, then invalidated |
Control Mechanisms: Indirect Ways to Influence Delayed Renewal
While you can’t adjust the 4-hour or 90-day windows, Entra ID offers policy-based levers to enforce re-evaluations on reconnect, effectively shortening offline PRT usability. Below, we detail each mechanism with additional nuances, configuration steps, and working examples.
1. Sign-in Frequency (SIF) in Conditional Access
SIF mandates re-authentication intervals, overriding PRT defaults by requiring fresh auth for renewal. It accounts for a 5-minute clock skew to avoid over-prompting.
- Additional Details: SIF doesn’t evaluate during PRT issuance but impacts app-driven renewals (e.g., via WAM). In offline scenarios, it triggers on reconnect, potentially blocking renewal if unsatisfied.
- Configuration Example (Entra Admin Center):
- Navigate to Entra ID > Security > Conditional Access > New Policy.
- Name: “High-Security SIF”.
- Users: Select groups (e.g., executives).
- Cloud Apps: All or specific (e.g., Exchange Online).
- Session > Sign-in Frequency: Set to “1 hour” or “Every time”.
- Enable in report-only mode first.
- PowerShell Working Example (using the Microsoft Graph PowerShell SDK):

```powershell
# Install if needed: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    DisplayName = "SIF Policy - 1 Hour"
    State       = "enabledForReportingButNotEnforced"   # report-only first
    Conditions  = @{
        # Graph expects arrays here, even for the single value "All"
        Applications = @{ IncludeApplications = @("All") }
        Users        = @{ IncludeUsers = @("All") }
    }
    SessionControls = @{
        SignInFrequency = @{
            IsEnabled = $true      # session controls are ignored unless enabled
            Value     = 1
            Type      = "hours"
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```
- Impact: Reduces offline window; e.g., a 1-hour SIF means re-auth on reconnect after >1 hour offline.
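Before adding a new SIF policy it helps to know which windows the tenant already enforces, because the strictest applicable policy wins. The following script is an added example (not code from the original article or from Microsoft): it inventories the sign-in frequency session control across every Conditional Access policy and warns about enabled policies that carry no SIF at all. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller can consent to the Policy.Read.All scope; the function name Get-SifSummary is the author's own.

```powershell
# Added example: inventory sign-in frequency (SIF) settings across all
# Conditional Access policies. Assumes Microsoft.Graph SDK + Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

function Get-SifSummary {
    [CmdletBinding()]
    param()

    Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
        $sif = $_.SessionControls.SignInFrequency

        # "everyTime" prompts on each sign-in; "timeBased" uses Value + Type
        $window = $null
        if ($sif.IsEnabled -and $sif.FrequencyInterval -ne "everyTime") {
            $window = "$($sif.Value) $($sif.Type)"
        }

        [pscustomobject]@{
            Policy            = $_.DisplayName
            State             = $_.State          # enabled / disabled / enabledForReportingButNotEnforced
            SifEnabled        = [bool]$sif.IsEnabled
            FrequencyInterval = $sif.FrequencyInterval
            Window            = $window
            AuthType          = $sif.AuthenticationType
        }
    }
}

$summary = Get-SifSummary
$summary | Sort-Object Policy | Format-Table -AutoSize

# Report-only policies never enforce SIF; flag enforced policies that have none,
# since those leave the default 90-day cached-PRT window untouched.
$summary | Where-Object { $_.State -eq "enabled" -and -not $_.SifEnabled } |
    ForEach-Object { Write-Warning "Enabled policy without sign-in frequency: $($_.Policy)" }
```

Run it before and after rolling out a SIF policy; the Window column is the value to compare against the offline period in your hibernation tests.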
2. Token Protection
Binds PRTs cryptographically to devices (via TPM), preventing replay. It validates binding during renewal, invalidating unbound PRTs.
- Additional Details: Supports Windows 10+ and specific apps (e.g., OneDrive 22.217+). Errors like AADSTS1002 (no device state) or 1006 (unsupported OS) trigger on unbound renewals. In hibernation, TPM failures can invalidate PRTs post-wake.
- Configuration Example:
- Entra Admin Center: Conditional Access > New Policy.
- Target: Office 365 apps.
- Conditions: Windows platforms.
- Session > Require Token Protection: Enable.
- Test in report-only; monitor logs for `tokenProtectionStatusDetails`.
- Working Log Query Example (Log Analytics):

```kql
SigninLogs
| where TimeGenerated > ago(7d)
| where ConditionalAccessPolicies has "Require token protection"
| summarize Count=count() by tokenProtectionStatusDetails, signInSessionStatusCode
```
- Impact: Ensures delayed renewal only succeeds on the bound device; mismatches force re-auth.
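The portal steps above can be reproduced as code so the policy is versioned alongside the SIF policy. This is an added example, not code from the original article or from Microsoft: it creates the token protection policy in report-only mode via the Graph PowerShell SDK. It assumes the Policy.ReadWrite.ConditionalAccess scope, that the session control is exposed to Graph as `secureSignInSession` (the name I know it by; verify against the current schema), and a pilot group id that is a placeholder you must replace.

```powershell
# Added example: create the "Require token protection" Conditional Access
# policy in report-only mode. Assumes Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId = "<object-id-of-pilot-group>"   # placeholder, not a real id

$tokenProtectionPolicy = @{
    DisplayName = "Token Protection - Office 365 on Windows (report-only)"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Applications = @{ IncludeApplications = @("Office365") }
        Users        = @{ IncludeGroups = @($pilotGroupId) }
        Platforms    = @{ IncludePlatforms = @("windows") }
        # Token protection covers desktop/mobile clients, not browser sessions
        ClientAppTypes = @("mobileAppsAndDesktopClients")
    }
    # Assumed Graph name for the "Require token protection" session control
    SessionControls = @{
        SecureSignInSession = @{ IsEnabled = $true }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $tokenProtectionPolicy
"Created policy $($policy.Id) in state $($policy.State)"

# Switch to enforced only after the report-only sign-in logs show no unexpected
# unbound sessions for the pilot group:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#     -BodyParameter @{ State = "enabled" }
```

Keeping the state as report-only for a full renewal cycle (at least one 4-hour CloudAP interval plus a hibernate/wake) surfaces unbound renewals in the log query above without blocking anyone.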
3. Continuous Access Evaluation (CAE)
CAE enables real-time revocation via events (e.g., account disable) or policies (e.g., IP changes), extending tokens to 28 hours while allowing instant invalidation.
- Additional Details: Uses claim challenges (401 errors) for revocation. On an offline reconnect, CAE checks the synced policies; supports apps like Outlook/Teams.
- Configuration Example:
- Entra Admin Center: Conditional Access > Customize CAE.
- Enable for IP/location policies.
- Define trusted IPs: Add IPv4/IPv6 ranges.
- Working Scenario Simulation: Use “What If” tool to test a user reconnecting from an untrusted IP—CAE issues challenge, revoking PRT.
- Impact: Overrides delayed renewal; e.g., if risk detected offline, revocation applies on reconnect.
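The trusted IP ranges that the CAE location policy evaluates are stored as a trusted named location. The following is an added example, not code from the original article or from Microsoft: it creates such a location through the Graph PowerShell SDK, typing each range as IPv4 or IPv6 as Graph requires. It assumes the Policy.ReadWrite.ConditionalAccess scope; the range 192.168.1.0/24 is the constructed one used in the scenario later on this page, and the function name New-TrustedIpLocation is the author's own.

```powershell
# Added example: create a trusted named location for CAE / location policies.
# Assumes Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

function New-TrustedIpLocation {
    param(
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string[]] $Cidrs
    )

    # Each range must be typed as IPv4 or IPv6 for Graph to accept it
    $ranges = foreach ($cidr in $Cidrs) {
        $type = if ($cidr -match ':') { "#microsoft.graph.iPv6CidrRange" }
                else                   { "#microsoft.graph.iPv4CidrRange" }
        @{ "@odata.type" = $type; CidrAddress = $cidr }
    }

    $body = @{
        "@odata.type" = "#microsoft.graph.ipNamedLocation"
        DisplayName   = $DisplayName
        IsTrusted     = $true            # marks the ranges as trusted for CA/CAE
        IpRanges      = @($ranges)       # force an array even for a single range
    }
    New-MgIdentityConditionalAccessNamedLocation -BodyParameter $body
}

$loc = New-TrustedIpLocation -DisplayName "Corp LAN (trusted)" -Cidrs @("192.168.1.0/24")
"Named location $($loc.Id) created"

# Review what the tenant already treats as trusted before relying on CAE
Get-MgIdentityConditionalAccessNamedLocation -All |
    Select-Object DisplayName, Id |
    Format-Table -AutoSize
```

A device that reconnects from outside every trusted range will, with the location policy enabled, receive the claim challenge described above on its first token request rather than silently renewing the PRT.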
4. Device Compliance Policies
Integrates with Intune; PRTs carry compliance claims, failing renewal if non-compliant on reconnect.
- Additional Details: Checks OS version, encryption, etc. Non-compliance (e.g., post-hibernation patch miss) blocks renewal.
- Configuration Example (Intune):
- Intune > Devices > Compliance Policies > Create Policy.
- Require: Windows 10+, BitLocker enabled.
- Link to CA: Require compliant devices.
- PowerShell Example:

```powershell
# Requires Intune Graph access (legacy Microsoft.Graph.Intune module)
$complianceParams = @{
    <# policy properties go here #>
}
New-IntuneDeviceCompliancePolicy -BodyParameter $complianceParams
```
- Impact: Shortens offline validity by enforcing checks on reconnect.
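To make the compliance step concrete, here is an added example (not code from the original article or from Microsoft) that creates the Windows policy described above, minimum OS build plus BitLocker, through the Microsoft.Graph.DeviceManagement cmdlets rather than the legacy Intune module. It assumes the DeviceManagementConfiguration.ReadWrite.All scope and that `New-MgDeviceManagementDeviceCompliancePolicy` accepts the polymorphic `@odata.type` body shown; the build number matches the 22621 value used in the scenario later on this page and should be set to your own baseline.

```powershell
# Added example: create a Windows compliance policy via Microsoft Graph.
# Assumes Microsoft.Graph.DeviceManagement + DeviceManagementConfiguration.ReadWrite.All.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$compliancePolicy = @{
    "@odata.type"    = "#microsoft.graph.windows10CompliancePolicy"
    displayName      = "Windows baseline - OS build and BitLocker"
    description      = "Devices below the baseline fail PRT renewal on reconnect"
    osMinimumVersion = "10.0.22621.0"   # build from the article's scenario; adjust to your baseline
    bitLockerEnabled = $true
    # Graph rejects a compliance policy without at least one scheduled action;
    # 'block' with a zero grace period marks the device non-compliant at once.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliancePolicy
"Compliance policy $($created.Id) created; assign it to a device group before the CA 'require compliant device' grant takes effect"
```

The grace period is the knob that matters for delayed renewal: with zero hours, a device that wakes from hibernation below the build threshold is non-compliant on its first check-in, so the compliance claim carried by the PRT no longer satisfies the Conditional Access grant.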
5. Administrative Revocation
Admins revoke PRTs via Graph, invalidating on reconnect.
- Additional Details: Affects refresh tokens; access tokens expire in ~1 hour. Use with CAE for near-real-time.
- Working PowerShell Example:

```powershell
Connect-MgGraph -Scopes "User.ReadWrite.All"
$user = Get-MgUser -UserId "<user@domain>"      # placeholder UPN
Revoke-MgUserSignInSession -UserId $user.Id      # invalidates refresh tokens and PRTs
Update-MgUser -UserId $user.Id -AccountEnabled:$false
```
- Impact: Flags PRTs for invalidation; delayed until reconnect.
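When revoking during an incident you usually want evidence of the cut-off time, because cached PRTs are compared against it on reconnect. The following is an added example, not code from the original article or from Microsoft: it revokes sessions for a list of users, optionally disables the accounts, and reads back `signInSessionsValidFromDateTime` to confirm the revocation registered. It assumes the User.ReadWrite.All scope; the UPNs are placeholders and the function name Invoke-PrtRevocation is the author's own.

```powershell
# Added example: bulk revoke sessions and verify the new validity cut-off.
# Assumes Microsoft.Graph SDK + User.ReadWrite.All.
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Invoke-PrtRevocation {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [switch] $DisableAccount
    )

    foreach ($upn in $UserPrincipalName) {
        $user   = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,SignInSessionsValidFromDateTime
        $before = $user.SignInSessionsValidFromDateTime

        # Invalidates refresh tokens and PRTs; already-issued access tokens
        # still run out on their own (~1 hour) unless CAE is in place.
        Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

        if ($DisableAccount) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$false
        }

        # Read the cut-off back: tokens issued before this timestamp are rejected
        $after = (Get-MgUser -UserId $user.Id -Property SignInSessionsValidFromDateTime).SignInSessionsValidFromDateTime

        [pscustomobject]@{
            User            = $user.UserPrincipalName
            ValidFromBefore = $before
            ValidFromAfter  = $after
            Revoked         = ($after -gt $before)
            AccountDisabled = [bool]$DisableAccount
        }
    }
}

Invoke-PrtRevocation -UserPrincipalName @("<user1@domain>", "<user2@domain>") -DisableAccount |
    Format-Table -AutoSize
```

Keep the returned table with the incident record: the ValidFromAfter timestamp is what an offline device's cached PRT is measured against the moment it reconnects.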
6. Password Reset or Account Changes
Invalidates password-based PRTs; requires re-auth for new issuance.
- Additional Details: SSPR or admin reset triggers; non-password PRTs (e.g., FIDO2) may persist.
- Configuration Example: Enable SSPR in Entra; users reset via myaccount.microsoft.com.
- Impact: Forces renewal failure on reconnect post-change.
Table 2: Control Mechanisms Comparison
| Mechanism | Configurability Level | Offline Renewal Impact | Reconnect Enforcement | Example Use Case |
|---|---|---|---|---|
| SIF | High (intervals in hours/days) | Delays renewal prompt | Re-auth required | Risky users needing frequent MFA |
| Token Protection | Medium (enable per app) | Binding validation | Blocks unbound | Preventing token theft |
| CAE | High (events/policies) | Real-time revocation | Claim challenge | Location-based access control |
| Device Compliance | High (Intune rules) | Compliance check | Blocks non-compliant | Enforcing patches post-hibernation |
| Admin Revocation | Manual (per user) | Invalidation flag | Immediate block | Compromised account response |
| Password Reset | User/Admin-initiated | Invalidation | Re-auth with new creds | Post-breach remediation |
Limitations on Direct Control
The 4-hour renewal and 90-day inactivity are hardcoded for reliability—no API or policy alters them. Controls are reactive (on reconnect), not proactive offline. TPM failures add uncontrolled invalidation.
Sample Scenarios with Working Details
- High-Security Environment with SIF and Token Protection:
- Setup: 1-hour SIF + Token Protection for Teams.
- Scenario: Laptop hibernates for 48 hours. On wake/reconnect, SIF triggers MFA; Token Protection checks binding. If TPM intact, renewal succeeds; else, error 1002 blocks.
- Outcome: Effective offline limit reduced to ~1 hour post-reconnect.
- CAE in Risky Offline Reconnect:
- Setup: CAE enabled with IP policy (trusted: 192.168.1.0/24).
- Scenario: User offline in trusted location, then reconnects from untrusted IP. CAE issues 401 challenge; client re-auths, denying if policy violated.
- Outcome: PRT revoked mid-renewal attempt.
- Compliance Failure Post-Hibernation:
- Setup: Intune policy requires OS build >22621.
- Scenario: Device hibernates, misses update. On reconnect, compliance check fails; PRT renewal blocked until remediation.
- Outcome: Forces update, invalidating stale PRT.
- Admin Revocation for Terminated Employee:
- Setup: Run Revoke-MgUserSignInSession.
- Scenario: Offline device uses cached PRT. On reconnect, invalidation applies; access denied.
- Outcome: Near-instant post-reconnect block with CAE.
Practical Considerations
- Testing: Use report-only mode and sign-in logs (filter for PRT events). Simulate hibernation with `powercfg /hibernate on` and disconnect.
- Usability vs. Security: Frequent SIF (e.g., every time) boosts security but may cause 30-second delays on mobile.
- Monitoring: Query logs for errors like 1003 (unsupported device).
- Best Practices: Combine mechanisms (e.g., SIF + CAE) for layered defense; migrate to MgGraph PowerShell.
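For the monitoring tip, the same sign-in data behind the Log Analytics query can be pulled directly from Graph when a workspace is not available. This is an added example, not code from the original article or from Microsoft: it fetches the last seven days of sign-in events and groups failures by error code and failure reason so PRT-related codes can be tracked over time. It assumes the AuditLog.Read.All and Directory.Read.All scopes; the function name Get-SignInFailureSummary is the author's own.

```powershell
# Added example: summarise sign-in failures by error code from Graph sign-in logs.
# Assumes Microsoft.Graph SDK + AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

function Get-SignInFailureSummary {
    param([int] $Days = 7)

    # Graph filters want an ISO-8601 UTC timestamp
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")

    # -All pages through every event in the window; narrow $Days on large tenants
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object { $_.Status.ErrorCode -ne 0 } |          # 0 = success
        Group-Object { $_.Status.ErrorCode } |
        ForEach-Object {
            [pscustomobject]@{
                ErrorCode = $_.Name
                Count     = $_.Count
                Reason    = ($_.Group | Select-Object -First 1).Status.FailureReason
                Apps      = ($_.Group.AppDisplayName | Sort-Object -Unique) -join ", "
            }
        } |
        Sort-Object Count -Descending
}

Get-SignInFailureSummary -Days 7 | Format-Table -AutoSize
```

Run it on a schedule and diff the ErrorCode column between runs: a new code appearing right after a SIF, token protection, or compliance change is the quickest sign that the policy is biting on reconnecting devices rather than on fresh sign-ins.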
By mastering these controls, you can transform PRT delayed renewal from a potential vulnerability into a managed asset. Experiment in a lab environment to see the interplay.