AzureAD and Office 365 Tokens Lifetime, PRT…

Tokens?

https://learn.microsoft.com/en-us/entra/identity-platform/security-tokens

What is a PRT?

A Primary Refresh Token (PRT) is used to provide a single sign-on (SSO) experience for users of Windows 10 and mobile OSes.
 
When you log in on a device that supports this SSO, Windows communicates with the Cloud Authentication Provider, which validates your credentials and returns the PRT and a session key. The PRT is stored in LSASS, and the session key is re-encrypted with the local device's TPM and then stored alongside the PRT.
 
Then, when the browser tries to access resources on the cloud, a PRT cookie is used to access them.
 
Once issued, a PRT is valid for 14 days and is continuously renewed as long as the user actively uses the device. A PRT only carries MFA claims when the sign-in used Windows Hello or Windows Account Manager (for example when accessing RDP).
It can be used to obtain access and refresh tokens for any application.
 
Check whether you have a PRT and its expiration date using: Dsregcmd.exe /status
How to troubleshoot an invalid PRT? https://www.youtube.com/watch?v=uYJLQGL7ftA
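As an added example (not part of the original post), the following PowerShell function wraps the dsregcmd.exe /status check above: it parses the "Key : Value" lines of the tool's output and reports the PRT state, its update and expiry timestamps and how many hours remain. It assumes the field names AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtExpiryTime and AzureAdPrtAuthority as printed in the "SSO State" section, and that timestamps are printed as "yyyy-MM-dd HH:mm:ss.fff UTC"; the -InputText parameter and the sample output at the end are constructed so the parser can be exercised offline.

```powershell
# Added example: parse "dsregcmd.exe /status" output and report the Azure AD PRT state.
# Assumed field names: AzureAdJoined, AzureAdPrt, AzureAdPrtUpdateTime,
# AzureAdPrtExpiryTime, AzureAdPrtAuthority (as shown in dsregcmd's "SSO State" section).

function Get-PrtStatus {
    [CmdletBinding()]
    param(
        # Raw dsregcmd output; when omitted, dsregcmd.exe /status is run on this machine
        [string[]]$InputText
    )

    if (-not $InputText) {
        $InputText = & "$env:SystemRoot\System32\dsregcmd.exe" /status
    }

    # dsregcmd prints "Key : Value" pairs (keys are plain words); collect them into a hashtable
    $fields = @{}
    foreach ($line in $InputText) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $hasPrt = ($fields['AzureAdPrt'] -eq 'YES')
    $expiry = $null
    if ($hasPrt -and $fields.ContainsKey('AzureAdPrtExpiryTime')) {
        # Assumed timestamp format: "2024-05-16 07:15:30.000 UTC"
        $raw = $fields['AzureAdPrtExpiryTime'] -replace '\s*UTC$', ''
        $expiry = [datetime]::ParseExact($raw, 'yyyy-MM-dd HH:mm:ss.fff',
            [Globalization.CultureInfo]::InvariantCulture,
            [Globalization.DateTimeStyles]'AssumeUniversal,AdjustToUniversal')
    }

    $nowUtc = (Get-Date).ToUniversalTime()
    [pscustomobject]@{
        AzureAdJoined  = ($fields['AzureAdJoined'] -eq 'YES')
        HasPrt         = $hasPrt
        PrtUpdatedUtc  = $fields['AzureAdPrtUpdateTime']
        PrtExpiresUtc  = $expiry
        HoursRemaining = if ($expiry) { [math]::Round(($expiry - $nowUtc).TotalHours, 1) } else { $null }
        PrtExpired     = if ($expiry) { $nowUtc -gt $expiry } else { $null }
        Authority      = $fields['AzureAdPrtAuthority']
    }
}

# Constructed sample output (trimmed to the relevant sections) so the parser runs offline.
# The tenant id in the authority URL is a placeholder, not a real tenant.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-05-02 07:15:30.000 UTC
      AzureAdPrtExpiryTime : 2024-05-16 07:15:30.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000
             EnterprisePrt : NO
'@ -split '\r?\n'

Get-PrtStatus -InputText $sample | Format-List

# On a real device, simply run:  Get-PrtStatus | Format-List
```

Note that the expiry is 14 days after the update time in the constructed sample, matching the PRT lifetime described above; on a device that is in active use you should see the update time moving forward and the expiry moving with it, while a stale update time with AzureAdPrt : YES is the symptom the troubleshooting video above addresses.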

Attack and Defense

https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/ReplayOfPrimaryRefreshToken.md

https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt

Research work on Primary Refresh Token (PRT)

Abusing Azure AD SSO with the Primary Refresh Token – dirkjanm.io

Digging further into the Primary Refresh Token – dirkjanm.io

#RomHack2021 – Dirk-jan Mollema – Breaking Azure AD joined endpoints in zero-trust environments – YouTube

 

Microsoft articles:

Detecting human-operated ransomware attacks with Microsoft Defender XDR | Microsoft Learn

Token theft playbook | Microsoft Learn

Used tools and references

Offensive Tools related to Primary Refresh Token (PRT)

AAD Internals (o365blog.com)

Glossary of Tokens in Microsoft Cloud Ecosystem

More information and descriptions of the different tokens can be found in the Microsoft documentation: Microsoft identity platform access tokens – Microsoft identity platform | Microsoft Docs

Access Token

Access tokens enable clients to securely call protected web APIs, and are used by web APIs to perform authentication and authorization.

Refresh Token

When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires.

Protection of refresh token in browser cookies: “The security is built not only to protect the cookies but also the endpoints to which the cookies are sent. Browser cookies are protected the same way a PRT is, by utilizing the session key to sign and protect the cookies.”

ID Token

The ID token is the core extension that OpenID Connect makes to OAuth 2.0. ID tokens are issued by the authorization server and contain claims that carry information about the user. They can be sent alongside or instead of an access token. Information in ID Tokens allows the client to verify that a user is who they claim to be.

Primary Refresh Token (PRT)

A PRT is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices.

It is only issued to registered devices, i.e. Azure AD joined, Hybrid Azure AD joined or Azure AD registered devices. Conditional Access policies are not evaluated when a PRT is issued.

Cryptographic key pairs during Device Registration (to protect PRT)

Protection of keys on a Windows device

Transport Key (tkpub/tkpriv) & Device Key (dkpub/dkpriv)

The private keys are bound to the device’s TPM if the device has a valid and functioning TPM, while the public keys are sent to Azure AD during the device registration process. These keys are used to validate the device state during PRT requests.

Nonce

Nonce binds client and token which prevents token replay attacks.

Session Key

The session key is an encrypted symmetric key, generated by the Azure AD authentication service, and issued as part of the PRT. The session key acts as the proof of possession when a PRT is used to obtain tokens for other applications. Session key protection (both PRT & app tokens + browser cookies): By securing these keys with the TPM, we enhance the security for PRT from malicious actors trying to steal the keys or replay the PRT. So, using a TPM greatly enhances the security of Azure AD Joined, Hybrid Azure AD joined, and Azure AD registered devices against credential theft.

Session and token management in Azure AD

Token lifetime

PRT: 14 days
RT (refresh token): up to 90 days
AT (access token): 1h; CAE-enabled (named long lived token lifetime) ranges from 20 to 28 hours

You can’t configure the lifetime of a refresh token. You can’t reduce or lengthen their lifetime. Configure sign-in frequency in Conditional Access to define the time periods before a user is required to sign in again. Learn more about Configuring authentication session management with Conditional Access.
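The lifetimes listed above are visible in the token itself: an access token is a JWT whose iat and exp claims bound its validity, and a CAE-capable client advertises itself with the xms_cc claim (value "cp1"). As an added example (not code from the original post or from Microsoft), the PowerShell below decodes a JWT locally, without validating the signature, and computes its lifetime so you can tell a default 1-hour token from a CAE long-lived one. The two tokens it inspects are constructed in the script with a dummy signature segment and a placeholder tenant id; the 20-hour threshold for "long-lived" is taken from the range quoted above.

```powershell
# Added example: inspect a JWT's iat/exp claims to determine its lifetime.
# Inspection only: the signature is NOT validated here.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }   # restore padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtLifetime {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }

    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $epoch  = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
    $iat    = $epoch.AddSeconds([long]$claims.iat)
    $exp    = $epoch.AddSeconds([long]$claims.exp)
    $life   = $exp - $iat

    [pscustomobject]@{
        Audience      = $claims.aud
        Issuer        = $claims.iss
        IssuedAtUtc   = $iat
        ExpiresAtUtc  = $exp
        LifetimeHours = [math]::Round($life.TotalHours, 2)
        CaeCapable    = ($claims.xms_cc -contains 'cp1')   # client declared CAE capability
        LongLived     = ($life.TotalHours -ge 20)          # CAE range quoted above: 20-28h
        ExpiredNow    = ((Get-Date).ToUniversalTime() -gt $exp)
    }
}

# Constructed sample tokens (unsigned, dummy signature segment, placeholder tenant id).
function New-SampleJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"typ":"JWT","alg":"RS256"}'))
    $payload = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($Claims | ConvertTo-Json -Compress)))
    '{0}.{1}.dummysignature' -f $header, $payload
}

$issued = 1714633200   # 2024-05-02 07:00:00 UTC, chosen for the sample
$issuer = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'

# Default access token: 1 hour
$defaultAt = New-SampleJwt @{ aud = 'https://graph.microsoft.com'; iss = $issuer
                              iat = $issued; nbf = $issued; exp = $issued + 3600 }
# CAE long-lived access token: 24 hours, client advertised "cp1"
$caeAt = New-SampleJwt @{ aud = 'https://graph.microsoft.com'; iss = $issuer
                          iat = $issued; nbf = $issued; exp = $issued + 86400; xms_cc = @('cp1') }

@($defaultAt, $caeAt) | ForEach-Object { Get-JwtLifetime -Token $_ } | Format-Table -AutoSize
```

To inspect a real token, pass it as -Token; remember that a decoded token reveals the claims in clear text, so keep captured tokens out of logs and tickets.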

Microsoft identity platform refresh tokens – Microsoft identity platform | Microsoft Docs

View existing policies in a tenant

To see all policies that have been created in your organization, run the Get-MgPolicyTokenLifetimePolicy cmdlet. Any results with defined property values that differ from the defaults listed above are in scope of the retirement.

  1. Run Get-MgPolicyTokenLifetimePolicy to see all policies that have been created in your organization:

     Get-MgPolicyTokenLifetimePolicy
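The cmdlet returns each policy with its rules packed into the Definition property, a string array of JSON documents, which is awkward to read at a glance. As an added example (not from the original post or from the Microsoft Graph module), the PowerShell below flattens that output into a table and flags policies whose AccessTokenLifetime differs from the default of 1 hour stated above. It assumes the Microsoft.Graph.Identity.SignIns module and a session opened with Connect-MgGraph -Scopes "Policy.Read.All"; the sample policies at the end are constructed stand-ins with placeholder ids so the report can be previewed without a tenant.

```powershell
# Added example: flatten token lifetime policies and flag non-default access-token lifetimes.
# Assumes Get-MgPolicyTokenLifetimePolicy objects with DisplayName, Id,
# IsOrganizationDefault and Definition (string[] of JSON) properties.

function Get-TokenLifetimePolicyReport {
    [CmdletBinding()]
    param(
        # Policy objects to inspect (e.g. constructed stand-ins); when omitted, Graph is queried
        [object[]]$Policy
    )
    if (-not $Policy) { $Policy = Get-MgPolicyTokenLifetimePolicy -All }

    $defaultAt = [timespan]'1:00:00'   # documented default access-token lifetime
    foreach ($p in $Policy) {
        # Each Definition element is a JSON document such as
        # {"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"8:00:00"}}
        foreach ($json in $p.Definition) {
            $def    = ($json | ConvertFrom-Json).TokenLifetimePolicy
            $atLife = $def.AccessTokenLifetime
            [pscustomobject]@{
                DisplayName           = $p.DisplayName
                Id                    = $p.Id
                IsOrganizationDefault = $p.IsOrganizationDefault
                Version               = $def.Version
                AccessTokenLifetime   = $atLife
                NonDefault            = ($null -ne $atLife -and [timespan]$atLife -ne $defaultAt)
            }
        }
    }
}

# Constructed sample policies (placeholder ids) for an offline preview
$sample = @(
    [pscustomobject]@{
        DisplayName = 'Org default (1h)'; Id = 'POLICY-ID-PLACEHOLDER-1'; IsOrganizationDefault = $true
        Definition  = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"1:00:00"}}')
    }
    [pscustomobject]@{
        DisplayName = 'Long-lived tokens for legacy app'; Id = 'POLICY-ID-PLACEHOLDER-2'; IsOrganizationDefault = $false
        Definition  = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"8:00:00"}}')
    }
)

Get-TokenLifetimePolicyReport -Policy $sample | Format-Table -AutoSize

# Against a live tenant, after Connect-MgGraph -Scopes "Policy.Read.All":
#   Get-TokenLifetimePolicyReport | Where-Object NonDefault | Format-Table -AutoSize
```

Policies flagged NonDefault are the ones to review: a longer AccessTokenLifetime widens the window in which a stolen access token stays usable, since access tokens cannot be revoked before they expire (see the revocation links below).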


https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes

Revocation

Primary Refresh Token (PRT) and Azure AD – Azure Active Directory | Microsoft Docs

Understanding Tokens

Primary Refresh Token (PRT) and Azure AD – Azure Active Directory | Microsoft Docs

PRT: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token

How the Modern Authentication Protocol Works

Once Modern Authentication is enabled, a user authenticates with one of the Office 365 services and is issued both an Access Token and a Refresh Token. The Access Token is a short-lived token, valid for about 1 hour. The Refresh Token is longer-lived and can be valid for up to 90 days in some cases; these longer cases include frequent use and when the user's password has not changed. The Access Token is what is used to gain access to the Office 365 services, and when the Access Token expires the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token to use with the service. The default lifetime for a Refresh Token is 14 days. Features such as Conditional Access Policies may force users to sign in again even though the Refresh Token is still valid.

You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization.

References:

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

Use session controls – sign-in frequency:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime#user-sign-in-frequency

Microsoft also has ongoing work on Continuous Access Evaluation (CAE); the goal is to allow longer access token expiration times while security policies are enforced immediately on the application. The open standard is currently being written, but it is already available in preview for EXO and APO:

Continuous access evaluation in Azure AD | Microsoft Docs

How to force revocation of an access token:

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access

Published by jdalbera

IT Pro: 28 years experience for large companies - Technical manager and solution architect: Directory services and Identity Management expert, Azure AD, Office 365, Azure infrastructures, Microsoft AD Security (ADDS, ADFS, ADCS), PowerShell, Quest solutions architect. Operating systems (Win/Lin). Unix and Microsoft interoperability. Data center Operations. Company integrations. Network architectures. Virtualization and storage infrastructures. HP/Dell servers deployments. Multiple certifications: Azure, MCSE, MCPs, MCITS, ITIL, VCP, CCNA, CyberArk