
Introduction:
Microsoft appears to be silently modifying the expiration behavior of Primary Refresh Tokens (PRTs), a core component of modern authentication in Azure Active Directory. This change, whose exact nature remains unclear, underscores the critical need to shift focus from token lifespan to comprehensive token protection. The evolving identity landscape demands a move beyond mere expiration policies and towards a hardened, zero-trust environment.
Learning Objectives:
- Understand the role and critical importance of the Primary Refresh Token (PRT) in Azure AD authentication.
- Learn practical commands and techniques to investigate and monitor token issuance and claims.
- Implement security controls to protect tokens at rest, in transit, and during the authentication process.
You Should Know:
1. Investigating PRT and Session Claims with PowerShell
The Primary Refresh Token is the key to maintaining a seamless user session in Azure AD and Microsoft 365. To understand what tokens are being issued to your users, you can use PowerShell to examine a token’s claims.
```powershell
# Connect to MSOL (requires the legacy MSOnline module)
Connect-MsolService
# Get user details (this does not show the PRT directly, but gives context)
# user@contoso.com is a placeholder UPN
Get-MsolUser -UserPrincipalName user@contoso.com |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp

# More effective: use the Azure AD PowerShell module
Connect-AzureAD
Get-AzureADUser -ObjectId user@contoso.com |
    Select-Object UserPrincipalName, RefreshTokensValidFromDateTime
```
Step-by-step guide:
- Install the required PowerShell modules: `Install-Module MSOnline` and/or `Install-Module AzureAD`.
- Authenticate using an account with appropriate admin privileges.
- Run the `Get-MsolUser` or `Get-AzureADUser` cmdlet to retrieve user object information. While these don’t display the PRT itself due to security reasons, the `RefreshTokensValidFromDateTime` property can indicate when a user’s refresh tokens were last invalidated (e.g., after a password reset).
- For deep analysis, always refer to Azure AD Sign-In Logs in the Entra Admin Portal for detailed token claim information.
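Sign-in logs show claims per request, but the same inspection can be done offline on a token you already hold. The following is an added example, not code from the original post: it base64url-decodes the payload of a compact JWT and summarises the claims that matter for token protection. The sample token is constructed inline and unsigned (the signature segment is a placeholder); the claim names `upn`, `iat`, `exp`, `amr`, `deviceid` and `xms_cc` are the ones Entra ID issues, and `cp1` in `xms_cc` marks a client that declared Continuous Access Evaluation support.

```powershell
# Added example, not from the original post: decode an Entra ID access token's
# claims offline. It reads the payload only and performs NO signature check,
# so it is an investigation aid for a token you already hold, never an
# authorization decision.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-TokenClaimSummary {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWT (header.payload.signature)' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    [pscustomobject]@{
        User         = $claims.upn
        IssuedAtUtc  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat).UtcDateTime
        ExpiresAtUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
        # amr lists the authentication methods used (e.g. pwd, mfa, fido, ngcmfa)
        AuthMethods  = (@($claims.amr) -join ',')
        # deviceid is present when the token was issued for a registered or joined device
        DeviceBound  = [bool]$claims.deviceid
        # xms_cc containing 'cp1' means the client declared CAE support
        CaeCapable   = (@($claims.xms_cc) -contains 'cp1')
    }
}

# Constructed sample token (unsigned; the signature segment is a placeholder)
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = @{ alg = 'RS256'; typ = 'JWT' } | ConvertTo-Json -Compress
$payload = @{
    upn = 'user@contoso.example'; iat = $now; exp = $now + 3600
    amr = @('fido'); deviceid = '11111111-2222-3333-4444-555555555555'; xms_cc = @('cp1')
} | ConvertTo-Json -Compress
$enc = [System.Text.Encoding]::UTF8
$sampleJwt = (ConvertTo-Base64Url $enc.GetBytes($header)) + '.' +
             (ConvertTo-Base64Url $enc.GetBytes($payload)) + '.placeholder-signature'

Get-TokenClaimSummary -Jwt $sampleJwt | Format-List
```

For a real token, pass the access token string obtained from a client (for example the value a `Get-MgContext`-authenticated session uses) in place of `$sampleJwt`; a token with `DeviceBound = False` and `CaeCapable = False` is one that neither device binding nor CAE will protect.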
2. Enforcing Continuous Access Evaluation (CAE) with Conditional Access
Continuous Access Evaluation is a critical defense that mitigates the risk of long-lived tokens. CAE enables near-real-time revocation of access if a user’s status changes (e.g., account disable, password reset).
```powershell
# Check Conditional Access policies via Microsoft Graph (requires the Microsoft.Graph module)
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Policy.Read.All"
# List Conditional Access policies
Get-MgIdentityConditionalAccessPolicy | Format-Table DisplayName, State, Id
```
Step-by-step guide:
- Navigate to the Microsoft Entra admin center.
- Go to Protection > Conditional Access.
- Create a new policy. Under ‘Cloud apps or actions’, select the apps to protect (e.g., Office 365).
- Under ‘Session’, click ‘Enable Continuous Access Evaluation’. This setting ensures that critical events are evaluated in real-time, significantly reducing the window of opportunity for a stolen token to be used.
- Use the Graph API or PowerShell to audit and manage these policies programmatically across your tenant.
3. Implementing Phishing-Resistant MFA via Conditional Access
Nathan McNulty’s emphasis on phishing-resistant authentication is paramount. This moves beyond basic MFA to methods like FIDO2 security keys or Windows Hello for Business.
```powershell
# Conditional Access policy requiring phishing-resistant MFA (Graph API).
# This hashtable is the body for New-MgIdentityConditionalAccessPolicy.
# Phishing resistance cannot be expressed with the builtInControls values
# (mfa, compliantDevice, ...); it is an authentication strength. The GUID
# below is the built-in "Phishing-resistant MFA" strength policy.
$params = @{
    displayName = "REQUIRE PHISHING RESISTANT MFA FOR ALL USERS"
    # Use "enabledForReportingButNotEnforced" for the report-only rollout phase
    state = "enabled"
    conditions = @{
        applications = @{
            includeApplications = @("All")
        }
        users = @{
            includeUsers = @("All")
        }
    }
    grantControls = @{
        operator = "OR"
        authenticationStrength = @{
            id = "00000000-0000-0000-0000-000000000004"
        }
    }
}
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
New-MgIdentityConditionalAccessPolicy -BodyParameter $params
```
Step-by-step guide:
- In the Microsoft Entra admin center, create a new Conditional Access policy.
- Target the policy to ‘All users’ and ‘All cloud apps’ (or select high-value apps first).
- Under ‘Access controls’ > ‘Grant’, select ‘Grant access’.
- Check the box for ‘Require phishing-resistant authentication’.
- Set the policy to ‘Report-only’ initially to gauge impact, then enable it.
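Listing policies (section 2) and requiring phishing-resistant MFA (this section) come together in an audit question: does an enforced policy actually cover every user and app with the phishing-resistant strength, or only with the legacy `mfa` control? The block below is an added example, not code from the original post. It works on objects shaped like the output of `Get-MgIdentityConditionalAccessPolicy` (PascalCase properties as the Microsoft.Graph SDK returns them); the two policy records are constructed so the check runs offline, and the three built-in authentication strength GUIDs are the well-known Entra ID values.

```powershell
# Added example, not from the original post: audit Conditional Access policies
# for phishing-resistant MFA coverage. Policy objects below are constructed to
# mirror Get-MgIdentityConditionalAccessPolicy output.

# Built-in authentication strength policy IDs in Entra ID
$BuiltInStrengths = @{
    '00000000-0000-0000-0000-000000000002' = 'Multifactor authentication'
    '00000000-0000-0000-0000-000000000003' = 'Passwordless MFA'
    '00000000-0000-0000-0000-000000000004' = 'Phishing-resistant MFA'
}
$PhishingResistantId = '00000000-0000-0000-0000-000000000004'

function Get-CaStrengthReport {
    param([Parameter(Mandatory)][object[]]$Policies)
    foreach ($p in $Policies) {
        $strengthId = $p.GrantControls.AuthenticationStrength.Id
        $builtIn    = @($p.GrantControls.BuiltInControls)
        $strength = if ($strengthId) {
            if ($BuiltInStrengths.ContainsKey($strengthId)) { $BuiltInStrengths[$strengthId] } else { 'Custom strength' }
        } elseif ($builtIn -contains 'mfa') { 'Any MFA (legacy mfa control)'
        } elseif ($builtIn -contains 'block') { 'Block'
        } else { 'No strength requirement' }
        [pscustomobject]@{
            Policy            = $p.DisplayName
            State             = $p.State
            AllUsers          = (@($p.Conditions.Users.IncludeUsers) -contains 'All')
            AllApps           = (@($p.Conditions.Applications.IncludeApplications) -contains 'All')
            Strength          = $strength
            PhishingResistant = ($strengthId -eq $PhishingResistantId)
        }
    }
}

# True only if an enforced (not report-only) policy covers all users and all
# apps with the phishing-resistant strength. Exclusions are not evaluated here.
function Test-TenantRequiresPhishingResistantMfa {
    param([Parameter(Mandatory)][object[]]$Policies)
    $covering = Get-CaStrengthReport -Policies $Policies |
        Where-Object { $_.State -eq 'enabled' -and $_.AllUsers -and $_.AllApps -and $_.PhishingResistant }
    return [bool]$covering
}

# Constructed sample: one enforced legacy-MFA policy, one phishing-resistant policy still in report-only
$samplePolicies = @(
    [pscustomobject]@{
        DisplayName   = 'Legacy MFA for all users'; State = 'enabled'
        Conditions    = @{ Users = @{ IncludeUsers = @('All') }; Applications = @{ IncludeApplications = @('All') } }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa'); AuthenticationStrength = $null }
    }
    [pscustomobject]@{
        DisplayName   = 'REQUIRE PHISHING RESISTANT MFA FOR ALL USERS'; State = 'enabledForReportingButNotEnforced'
        Conditions    = @{ Users = @{ IncludeUsers = @('All') }; Applications = @{ IncludeApplications = @('All') } }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @(); AuthenticationStrength = @{ Id = $PhishingResistantId } }
    }
)

Get-CaStrengthReport -Policies $samplePolicies | Format-Table -AutoSize
Test-TenantRequiresPhishingResistantMfa -Policies $samplePolicies   # False: the strong policy is still report-only
```

Against a live tenant, replace `$samplePolicies` with `Get-MgIdentityConditionalAccessPolicy -All` after `Connect-MgGraph -Scopes "Policy.Read.All"`. The report deliberately treats a policy that only uses the `mfa` built-in control as weaker than one with the phishing-resistant strength, because `mfa` is satisfied by push notifications and one-time codes that a relay phishing kit can capture.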
4. Client Hardening: Querying Device Compliance Status
Protecting the token on the client is as important as protecting its issuance. This involves ensuring devices are compliant, healthy, and managed.
```powershell
# Query device compliance status in Intune via Graph API
# Reading compliance state only needs DeviceManagementManagedDevices.Read.All
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All |
    Select-Object DeviceName, OperatingSystem, ComplianceState, JailBroken |
    Format-Table
```
Step-by-step guide:
- Use Microsoft Intune to enforce compliance policies (e.g., require encryption, minimum OS version, threat agent running).
- Create a Conditional Access policy that grants access only to devices that are marked as compliant.
- Use the Graph API to regularly audit device compliance status across your organization and identify devices that may be at risk.
5. Auditing Sign-In Logs for Token Anomalies
Proactive monitoring of authentication logs is essential for detecting anomalous token usage that could indicate theft or compromise.
```powershell
# Query Entra ID sign-in logs via Graph API
# Requires the AuditLog.Read.All and Directory.Read.All scopes
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
# Graph filters on createdDateTime expect a full ISO 8601 timestamp
Get-MgAuditLogSignIn -Filter "createdDateTime gt 2024-05-01T00:00:00Z" -All |
    Where-Object { $_.Status.ErrorCode -ne 0 } |
    Select-Object UserDisplayName, AppDisplayName, IpAddress, Status, DeviceDetail |
    Format-Table
```
Step-by-step guide:
- In the Entra admin center, navigate to Monitoring > Sign-in logs.
- Use the filters to look for failed sign-ins, sign-ins from unexpected locations, or sign-ins using legacy authentication protocols.
- Set up alerts for specific high-risk event types, such as ‘Anonymous IP address’ or ‘Unfamiliar sign-in properties’.
- Export these queries using the Graph API to automate monitoring and integrate with your SIEM solution.
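One token-theft pattern the portal filters do not surface directly is the same user and the same device identity signing in from two different countries within minutes: a PRT and the refresh tokens derived from it are bound to a device, so a device ID that moves between networks faster than a person can is worth triaging. The following is an added example, not code from the original post; it runs over constructed records that mirror the shape of `Get-MgAuditLogSignIn` output (UserPrincipalName, CreatedDateTime, IpAddress, Location.CountryOrRegion, DeviceDetail.DeviceId, Status.ErrorCode). The UPNs, IPs, device IDs and the 60-minute window are assumptions.

```powershell
# Added example, not from the original post: flag sign-ins where the same user
# AND the same device identity appear from two different countries within a
# short window. Records are constructed to mirror Get-MgAuditLogSignIn output.

function Find-TokenReplayCandidates {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$WindowMinutes = 60
    )
    $SignIns |
        Where-Object { $_.Status.ErrorCode -eq 0 -and $_.DeviceDetail.DeviceId } |
        Group-Object -Property { "$($_.UserPrincipalName)|$($_.DeviceDetail.DeviceId)" } |
        ForEach-Object {
            $events = @($_.Group | Sort-Object CreatedDateTime)
            for ($i = 1; $i -lt $events.Count; $i++) {
                $prev = $events[$i - 1]
                $curr = $events[$i]
                $gap  = ($curr.CreatedDateTime - $prev.CreatedDateTime).TotalMinutes
                if ($gap -le $WindowMinutes -and
                    $curr.Location.CountryOrRegion -ne $prev.Location.CountryOrRegion) {
                    [pscustomobject]@{
                        User         = $curr.UserPrincipalName
                        DeviceId     = $curr.DeviceDetail.DeviceId
                        FirstSeen    = "$($prev.Location.CountryOrRegion) $($prev.IpAddress) $($prev.CreatedDateTime.ToString('u'))"
                        ThenSeen     = "$($curr.Location.CountryOrRegion) $($curr.IpAddress) $($curr.CreatedDateTime.ToString('u'))"
                        MinutesApart = [math]::Round($gap, 1)
                        App          = $curr.AppDisplayName
                    }
                }
            }
        }
}

# Helper to build constructed sign-in records in the Graph SDK's shape
function New-SignIn([string]$Upn, [string]$When, [string]$Ip, [string]$Country, [string]$DeviceId, [int]$ErrorCode = 0) {
    [pscustomobject]@{
        UserPrincipalName = $Upn
        CreatedDateTime   = [DateTime]::Parse($When, $null, [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        IpAddress         = $Ip
        AppDisplayName    = 'Office 365 Exchange Online'
        Location          = @{ CountryOrRegion = $Country }
        DeviceDetail      = @{ DeviceId = $DeviceId }
        Status            = @{ ErrorCode = $ErrorCode }
    }
}

# Constructed sample data (documentation IP ranges, placeholder device IDs)
$sampleSignIns = @(
    (New-SignIn 'alice@contoso.example' '2024-05-01T08:00:00Z' '203.0.113.10' 'NL' 'dev-aaaa')
    (New-SignIn 'alice@contoso.example' '2024-05-01T08:25:00Z' '198.51.100.7' 'BR' 'dev-aaaa')   # same device, new country, 25 min later
    (New-SignIn 'bob@contoso.example'   '2024-05-01T09:00:00Z' '203.0.113.11' 'NL' 'dev-bbbb')
    (New-SignIn 'bob@contoso.example'   '2024-05-01T15:00:00Z' '192.0.2.44'   'US' 'dev-bbbb')   # 6 h later: outside the window
    (New-SignIn 'carol@contoso.example' '2024-05-01T09:05:00Z' '192.0.2.9'    'US' 'dev-cccc' 50126)  # failed sign-in, ignored
)

Find-TokenReplayCandidates -SignIns $sampleSignIns -WindowMinutes 60 | Format-List
```

Only Alice's pair is reported. To run this against a tenant, pipe the output of `Get-MgAuditLogSignIn -Filter "createdDateTime gt <timestamp>" -All` into `Find-TokenReplayCandidates`; the SDK already returns `CreatedDateTime` as a DateTime. The window is a triage threshold, not a verdict: VPN egress changes and mobile roaming produce the same shape, so the result belongs in a SIEM rule that adds sign-in risk and device compliance before alerting.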
6. Configuring Tiered Administration with Just-Enough-Access (JEA)
Limiting administrative access reduces the attack surface if a privileged account’s token is compromised. JEA in PowerShell allows for least-privilege administration.
```powershell
# JEA session configuration file (JEAConfig.pssc); session configuration files use the .pssc extension
@{
    SchemaVersion = '2.0.0.0'
    SessionType = 'RestrictedRemoteServer'
    RoleDefinitions = @{
        'DOMAIN\Server-Admins' = @{
            RoleCapabilities = 'ServerMaintenance'
        }
    }
}
# Register the JEA configuration (from an elevated session)
Register-PSSessionConfiguration -Path .\JEAConfig.pssc -Name 'JEAEndpoint'
```
Step-by-step guide:
- Create a Role Capability File (.psrc) that defines exactly what commands a role can run.
- Create a Session Configuration File (.pssc) that ties roles to AD groups and sets the session type.
- Register the configuration on an endpoint using `Register-PSSessionConfiguration`.
- Users connect using `Enter-PSSession -ComputerName Server01 -ConfigurationName 'JEAEndpoint' -Credential $cred`, gaining only the privileges you explicitly granted.
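The four steps above can be carried out end-to-end with the JEA cmdlets rather than by hand-writing the files. The block below is an added example, not code from the original post: it generates the role capability file and the session configuration file with `New-PSRoleCapabilityFile` and `New-PSSessionConfigurationFile`, then validates the result with `Test-PSSessionConfigurationFile` before anything is registered. The output directory under `$env:TEMP`, the role name `ServerMaintenance`, the group `DOMAIN\Server-Admins`, the allowed services and the `Get-DiskFreeSpace` helper are placeholders; it needs a Windows host with PowerShell 5.1 or later.

```powershell
# Added example, not from the original post: build and validate a JEA endpoint
# definition with the JEA cmdlets. Paths, role and group names and the
# permitted services are placeholders.

function New-JeaDemoConfiguration {
    param([string]$Root = (Join-Path $env:TEMP 'JeaDemo'))

    $roleDir     = Join-Path $Root 'RoleCapabilities'
    $transcripts = Join-Path $Root 'Transcripts'
    New-Item -ItemType Directory -Path $roleDir, $transcripts -Force | Out-Null
    $psrc = Join-Path $roleDir 'ServerMaintenance.psrc'
    $pssc = Join-Path $Root 'JEAEndpoint.pssc'

    # Role capability: an allow-list of commands. Restart-Service is further
    # constrained to two named services through a parameter ValidateSet.
    $visibleCmdlets = @(
        'Get-Service'
        'Get-Process'
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )
    # A purpose-built function exposes only the data the role needs
    $functionDefs = @{
        Name        = 'Get-DiskFreeSpace'
        ScriptBlock = { Get-PSDrive -PSProvider FileSystem | Select-Object Name, Free }
    }
    New-PSRoleCapabilityFile -Path $psrc -VisibleCmdlets $visibleCmdlets `
        -VisibleFunctions 'Get-DiskFreeSpace' -FunctionDefinitions $functionDefs

    # Session configuration: RestrictedRemoteServer gives a no-language,
    # allow-list-only session; a virtual account avoids standing admin
    # credentials on the endpoint; transcripts record every command.
    # RoleCapabilityFiles (PowerShell 5.1+) points at the .psrc by path, so the
    # demo does not depend on a module being installed under $env:PSModulePath.
    New-PSSessionConfigurationFile -Path $pssc `
        -SessionType RestrictedRemoteServer `
        -RunAsVirtualAccount `
        -TranscriptDirectory $transcripts `
        -RoleDefinitions @{ 'DOMAIN\Server-Admins' = @{ RoleCapabilityFiles = $psrc } }

    # Validate syntax and schema before registering anything
    if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
        throw "Session configuration file $pssc is invalid"
    }
    [pscustomobject]@{ RoleCapabilityFile = $psrc; SessionConfigurationFile = $pssc }
}

$files = New-JeaDemoConfiguration
$files

# Registration needs an elevated session and restarts WinRM:
#   Register-PSSessionConfiguration -Path $files.SessionConfigurationFile -Name 'JEAEndpoint' -Force
# Members of DOMAIN\Server-Admins then connect with:
#   Enter-PSSession -ComputerName Server01 -ConfigurationName 'JEAEndpoint' -Credential $cred
```

Inside the resulting session a user can run `Restart-Service -Name Spooler` but not `Restart-Service -Name WinRM`, and has no access to `Invoke-Expression`, script blocks or the file system provider; the transcript directory gives incident responders a per-session record if the connecting account's token is ever misused.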
7. Leveraging Microsoft Defender for Identity to Detect Token Theft
MDI can detect advanced attacks like Kerberos golden ticket attacks or unusual token usage patterns that bypass traditional controls.
```kql
// KQL query for Microsoft Defender XDR advanced hunting: hunt for token theft patterns
let timeframe = 1d;
IdentityLogonEvents
| where Timestamp > ago(timeframe)
| where Application == "Active Directory"
| where ActionType has "Logon attempted"
| where LogonType has "Network"
| where IsGoldenTicket == 1
| project Timestamp, AccountName, DeviceName, IPAddress, IsGoldenTicket
```
Step-by-step guide:
- Ensure Microsoft Defender for Identity sensors are deployed on your Domain Controllers.
- Navigate to the Microsoft Defender portal and review the ‘Identity’ dashboard for alerts on suspicious activities.
- Create custom detection rules using KQL to hunt for specific patterns related to token manipulation and forged tickets.
- Integrate these alerts into your security orchestration and automated response (SOAR) playbooks.
What Undercode Say:
- Token Lifespan is a Moot Point Without Hardening. A 4-hour token stolen from a vulnerable client is infinitely more dangerous than a 90-day token on a secured, compliant device protected by phishing-resistant MFA and continuous access evaluation. The focus must be on the entire security chain, not a single link.
- Visibility is Non-Negotiable. Microsoft’s opaque change to PRT behavior is a stark reminder that cloud services evolve rapidly, often without explicit customer notification. Organizations must aggressively monitor their authentication logs, audit token claims, and query system changes programmatically to maintain visibility and control over their identity perimeter.
The silent nature of this potential PRT change is a classic example of the shared responsibility model in action. Microsoft manages the cloud service, but customers are responsible for securing their identities and data within it. This means implementing available security controls like CAE, mandatory phishing-resistant MFA, and device compliance—not relying on assumed token expiration defaults. The future of identity security is dynamic, real-time evaluation, not static time-based claims.
Prediction:
This subtle change in PRT behavior is a precursor to a broader industry shift towards dynamic, risk-based session management. The future will see the demise of fixed expiration times in favor of sessions that continuously re-evaluate user risk, device health, and threat intelligence signals in real-time. This will render stolen tokens nearly useless within minutes of being exfiltrated, fundamentally changing the attack landscape for identity-based threats. Organizations that fail to adopt these continuous validation technologies (like CAE) and stronger authentication methods will find themselves disproportionately targeted as attackers exploit the widening gap between legacy and modern identity postures.
Reported By: Nathanmcnulty Theres – Hackers Feeds