Tokens ?
https://learn.microsoft.com/en-us/entra/identity-platform/security-tokens
What is a PRT?
Attack and Defense
https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/ReplayOfPrimaryRefreshToken.md
Research work on Primary Refresh Token (PRT)
Abusing Azure AD SSO with the Primary Refresh Token – dirkjanm.io
Digging further into the Primary Refresh Token – dirkjanm.io
Microsoft articles:
Detecting human-operated ransomware attacks with Microsoft Defender XDR | Microsoft Learn
Token theft playbook | Microsoft Learn
Used tools and references
Offensive Tools related to Primary Refresh Token (PRT)
Glossary of Tokens in Microsoft Cloud Ecosystem
More information and descriptions of the different tokens are found in the Microsoft docs – Microsoft identity platform access tokens – Microsoft identity platform | Microsoft Docs
Access Token
Access tokens enable clients to securely call protected web APIs, and are used by web APIs to perform authentication and authorization.
Refresh Token
When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires.
Protection of refresh token in browser cookies: “The security is built not only to protect the cookies but also the endpoints to which the cookies are sent. Browser cookies are protected the same way a PRT is, by utilizing the session key to sign and protect the cookies.”
ID Token
The ID token is the core extension that OpenID Connect makes to OAuth 2.0. ID tokens are issued by the authorization server and contain claims that carry information about the user. They can be sent alongside or instead of an access token. Information in ID Tokens allows the client to verify that a user is who they claim to be.
Primary Refresh Token (PRT)
A PRT is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices.
It is only issued to registered devices (Azure AD joined, Hybrid Azure AD joined or Azure AD registered). Conditional Access policies are not evaluated when the PRT itself is issued; they are evaluated later, when the PRT is used to request access tokens for applications.
Cryptographic key pairs during Device Registration (to protect PRT)
Protection of keys on a Windows device
Transport Key (tkpub/tkpriv) & Device Key (dkpub/dkpriv)
The private keys are bound to the device’s TPM if the device has a valid and functioning TPM, while the public keys are sent to Azure AD during the device registration process. These keys are used to validate the device state during PRT requests.
Nonce
A server-issued nonce ties each token request to a single exchange, so a captured PRT request cannot simply be replayed against Azure AD.
Session Key
The session key is an encrypted symmetric key, generated by the Azure AD authentication service, and issued as part of the PRT. The session key acts as the proof of possession when a PRT is used to obtain tokens for other applications. Session key protection (both PRT & app tokens + browser cookies): By securing these keys with the TPM, we enhance the security for PRT from malicious actors trying to steal the keys or replay the PRT. So, using a TPM greatly enhances the security of Azure AD Joined, Hybrid Azure AD joined, and Azure AD registered devices against credential theft.
Session and token management in Azure AD
Token lifetime
PRT: 14 days (continuously renewed while the device is in use)
RT: up to 90 days
AT: 1 hour; with CAE enabled (long-lived token lifetime) 20 to 28 hours
You can’t configure the lifetime of a refresh token. You can’t reduce or lengthen their lifetime. Configure sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again. Learn more about Configuring authentication session management with Conditional Access.
Microsoft identity platform refresh tokens – Microsoft identity platform | Microsoft Docs
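The lifetimes above are visible in the token itself: the iat and exp claims give the actual validity window, and an access token issued to a CAE-capable client carries the xms_cc claim with value cp1. The following PowerShell is an added example, not code from this page or from Microsoft; it decodes the payload of a compact JWT (no signature check, so it is for inspection only, never for trust decisions) and reports the lifetime. The token it inspects is constructed inline with placeholder values (the signature part, the device ID and the issue time are assumptions), so it runs offline.

```powershell
# Added example: decode JWT claims and report the token's validity window.
# Decoding only; the signature is NOT verified here. A relying party must
# validate the signature, issuer and audience before trusting any claim.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments use base64url (RFC 7515) without padding; restore it.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    return [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS: expected header.payload.signature' }
    return (ConvertFrom-Base64Url $parts[1]) | ConvertFrom-Json
}

function Get-TokenLifetimeReport {
    param([Parameter(Mandatory)][string]$Jwt)
    $c   = Get-JwtClaims $Jwt
    $iat = [DateTimeOffset]::FromUnixTimeSeconds([int64]$c.iat)
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$c.exp)
    [pscustomobject]@{
        Audience      = $c.aud
        IssuedAtUtc   = $iat.UtcDateTime
        ExpiresAtUtc  = $exp.UtcDateTime
        LifetimeHours = [math]::Round(($exp - $iat).TotalHours, 2)
        Expired       = [DateTimeOffset]::UtcNow -gt $exp
        # xms_cc = cp1 marks a client that declared CAE capability when requesting the token.
        CaeCapable    = ($c.PSObject.Properties.Name -contains 'xms_cc') -and ($c.xms_cc -contains 'cp1')
        DeviceId      = $c.deviceid   # present when the token was obtained through a PRT
    }
}

# Constructed sample token (assumption, not a real Azure AD token): a 1-hour
# access token for Microsoft Graph from a CAE-capable client on a registered device.
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url (@{
    aud      = 'https://graph.microsoft.com'
    iat      = $now
    nbf      = $now
    exp      = $now + 3600
    xms_cc   = @('cp1')
    deviceid = '00000000-0000-0000-0000-000000000000'   # placeholder device ID
} | ConvertTo-Json -Compress)
$sampleJwt = "$header.$payload.c2lnbmF0dXJl"   # placeholder signature, never verified here

Get-TokenLifetimeReport $sampleJwt
```

For a real token, replace $sampleJwt with the bearer value taken from an Authorization header; a lifetime well beyond one hour on a token whose xms_cc claim is cp1 is the CAE long-lived case described above, not a misconfiguration.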
View existing policies in a tenant
To see all policies that have been created in your organization, run the Get-MgPolicyTokenLifetimePolicy cmdlet from the Microsoft Graph PowerShell SDK. Any results with defined property values that differ from the defaults in the Microsoft doc linked below are in scope of the retirement of configurable refresh and session token lifetimes (those settings are no longer honored; access, SAML and ID token lifetimes remain configurable).
Get-MgPolicyTokenLifetimePolicy
https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes
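The raw cmdlet output is a list of policy objects whose Definition property holds JSON strings, which is awkward to scan by eye. The following PowerShell is an added example (not from this page or from Microsoft) that flattens every policy into one row per setting and marks the settings that belong to the retired refresh/session token lifetime properties. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can consent to Policy.Read.All; the list of still-supported property names is taken from the configure-token-lifetimes doc linked above.

```powershell
# Added example: audit TokenLifetimePolicy objects in the tenant.
# Assumes Microsoft.Graph SDK and Policy.Read.All (delegated) permission.
Connect-MgGraph -Scopes 'Policy.Read.All'

# Properties Entra ID still honors inside a TokenLifetimePolicy definition.
# Everything else (MaxInactiveTime, MaxAgeSessionSingleFactor, ...) is a retired
# refresh/session token setting and is no longer applied.
$supported = @('Version', 'AccessTokenLifetime')

function Get-TokenLifetimePolicyReport {
    $policies = Get-MgPolicyTokenLifetimePolicy -All
    foreach ($p in $policies) {
        # Definition is an array of JSON strings, for example:
        # {"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"8:00:00"}}
        foreach ($json in $p.Definition) {
            $def = ($json | ConvertFrom-Json).TokenLifetimePolicy
            foreach ($prop in $def.PSObject.Properties) {
                [pscustomobject]@{
                    PolicyId  = $p.Id
                    Name      = $p.DisplayName
                    IsDefault = $p.IsOrganizationDefault   # applies tenant-wide when true
                    Setting   = $prop.Name
                    Value     = $prop.Value
                    Retired   = -not ($supported -contains $prop.Name)
                }
            }
        }
    }
}

# Show every non-version setting; retired rows need cleanup, long
# AccessTokenLifetime values deserve a second look from a risk standpoint.
Get-TokenLifetimePolicyReport |
    Where-Object { $_.Setting -ne 'Version' } |
    Sort-Object Retired, Name -Descending |
    Format-Table -AutoSize
```

An empty result means the tenant runs on Microsoft defaults. A row with Retired = True is harmless but misleading, since the value is ignored; a row with AccessTokenLifetime raised well above the default extends the window in which a stolen access token stays usable, which is the trade-off the revocation section below describes.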
Revocation
Primary Refresh Token (PRT) and Azure AD – Azure Active Directory | Microsoft Docs
Understanding Tokens
Primary Refresh Token (PRT) and Azure AD – Azure Active Directory | Microsoft Docs
PRT: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
How the Modern Authentication Protocol Works
Once Modern Authentication is enabled, a user authenticates with one of the Office 365 services and is issued both an Access Token and a Refresh Token. The Access Token is a short-lived token, valid for about 1 hour. The Refresh Token is longer-lived: its default inactivity lifetime is 14 days, and with frequent use (and as long as the user's password has not changed) it can remain valid for up to 90 days. The Access Token is what is used to gain access to the Office 365 services; when it expires, the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token to use with the service. Features such as Conditional Access policies may force users to sign in again even though the Refresh Token is still valid.
You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization.
References:
Use session controls – sign-in frequency:
Microsoft also has ongoing work on Continuous Access Evaluation (CAE). The goal is to allow longer access token expiration times while security policies are enforced immediately at the application. The open standard is still being written, but it is already in preview for EXO and APO:
Continuous access evaluation in Azure AD | Microsoft Docs
How to force revocation of an access token:
https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access
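The linked procedure is a sequence of steps, and the order matters: disabling the account stops new tokens from being issued, revoking sign-in sessions invalidates the refresh tokens and session cookies already handed out, and access tokens that are still in hand simply run out unless the resource honors CAE. The following PowerShell is an added example (not code from this page or from Microsoft) that carries out those steps for one user with the Microsoft Graph SDK and reads back the revocation timestamp so the operator can confirm it took effect. The UPN is a placeholder, and it assumes the operator holds User.ReadWrite.All.

```powershell
# Added example: cut off a compromised user's ability to use existing tokens.
# Assumes Microsoft.Graph SDK and User.ReadWrite.All (delegated) permission.
param(
    [string]$Upn = 'compromised.user@contoso.example'   # placeholder UPN
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled
Write-Host "Target: $($user.UserPrincipalName) (enabled=$($user.AccountEnabled))"

# Step 1: disable the account so Azure AD issues no new tokens (including a new PRT).
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2: invalidate every refresh token and session cookie issued before now.
# Access tokens already issued are NOT affected by this call.
$null = Revoke-MgUserSignInSession -UserId $user.Id

# Step 3: read back the revocation timestamp; anything issued before it is dead.
$after = Get-MgUser -UserId $user.Id -Property SignInSessionsValidFromDateTime, AccountEnabled
[pscustomobject]@{
    User                   = $user.UserPrincipalName
    AccountEnabled         = $after.AccountEnabled
    SessionsValidFromUtc   = $after.SignInSessionsValidFromDateTime
    # Without CAE a stolen access token keeps working until its exp claim passes
    # (up to ~1 hour); CAE-capable resources enforce the revocation near real time.
    AccessTokenGraceWindow = 'until exp (about 1h) unless the resource supports CAE'
}
```

Rotate the user's password and review registered devices afterwards; a PRT on a device the attacker controls is only useful while the user object remains enabled and the device remains registered, so disabling or deleting the device in Azure AD belongs in the same playbook.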