In the realm of identity and access management, Microsoft Entra ID stands as a cornerstone for authentication and authorization within the Microsoft ecosystem. One crucial aspect contributing to its robust security infrastructure is the concept of Primary Refresh Tokens (PRTs). In this article, I’ll delve into the significance, functionality, and security implications of Primary Refresh Tokens in Microsoft Entra ID.

What are Primary Refresh Tokens (PRTs)?

Primary Refresh Tokens (PRTs) are long-lived tokens generated upon successful authentication in Microsoft Entra ID. They are a central component of the Microsoft Entra ID authentication process and enable seamless access to the various Microsoft services and applications a signed-in user is entitled to.

Key characteristics of Primary Refresh Tokens include:

  1. Longevity: PRTs have a longer lifespan compared to access tokens, typically spanning days or weeks. This extended validity period allows users to access resources and services without needing frequent reauthentication.
  2. Tied to Device or Client: PRTs are associated with a specific device or client upon authentication. They are securely stored on the device after the initial login, reducing the need for users to repeatedly enter credentials for subsequent access. PRTs are protected using DPAPI, which can leverage TPM.
  3. Enhanced User Experience: By eliminating the need for frequent reauthentication, PRTs contribute to a smoother user experience, increasing productivity and reducing user friction when accessing Microsoft services.
  4. Security Measures: PRTs are encrypted and stored securely, mitigating the risk of unauthorized access or tampering. They are subject to Conditional Access Policies, enabling administrators to define access controls based on various conditions like device compliance, user location, or risk level.

How are Primary Refresh Tokens protected?

Tokens, particularly Primary Refresh Tokens (PRTs), are safeguarded on a device through a combination of secure storage practices, encryption, access controls, and operating system protections.

Secure Storage Mechanisms

PRTs are stored in secure and protected storage areas on the device. These storage areas, often referred to as secure enclaves or secure vaults, are designed to prevent unauthorized access by other applications or users.

Encryption

Before storage, PRTs are encrypted using strong cryptographic algorithms. This encryption ensures that even if someone gains access to the storage, the tokens’ contents remain encrypted and unreadable without the decryption keys.

Access Controls

Operating systems enforce strict access controls on the storage locations where tokens are stored. Only trusted system components or specific applications registered with Microsoft Entra ID have the necessary permissions to access and utilize these tokens. Unauthorized applications or entities are prevented from accessing these storage areas.

Device Protections

Modern operating systems incorporate security features that help protect sensitive data, including tokens, stored on devices. These features include secure boot processes, sandboxing of applications, and user privilege controls to prevent unauthorized access.

Hardware-Level Protections

Some devices, especially modern smartphones and certain PCs, have hardware-level security features like Trusted Platform Modules (TPM) or Secure Elements. These hardware components provide additional layers of security, storing encryption keys and ensuring the integrity of the device’s security functions.

Biometric or PIN Protection

Devices often leverage biometric authentication (fingerprint, face recognition) or PINs to unlock access to tokens. This ensures that even if someone gains physical access to the device, they cannot access the tokens without the appropriate user authentication.

How and when do devices receive Primary Refresh Tokens?

Devices receive tokens, such as Primary Refresh Tokens (PRTs), during the authentication process within Microsoft Entra ID. The issuance of tokens to devices occurs at specific stages and depends on various factors, including the type of authentication, device registration, and user sign-in activities.

Authentication Process

  1. User Authentication
    • When a user logs in or authenticates to Microsoft Entra ID using their credentials, a token request is initiated as part of the authentication flow.
  2. Token Issuance
    • Upon successful authentication, Microsoft Entra ID issues tokens to the requesting device. These tokens may include an Access Token (for accessing specific resources), an ID Token (containing user identity information), and the long-lived Primary Refresh Token (PRT).
  3. Token Storage on Device
    • The tokens, including the PRT, are securely stored on the device after issuance. The PRT, in particular, is associated with the device and is used for subsequent access to resources without the need for frequent reauthentication.
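As an added example (not part of the article), the following PowerShell checks the two points made above on a Windows device: whether a PRT has been issued and is still current (the issuance steps), and whether the device key backing it is TPM-protected (the protection section). The dsregcmd field names are assumed from typical `dsregcmd /status` output, and the sample text is constructed rather than captured.

```powershell
# Added example, not from the article: audit a device's PRT posture from
# `dsregcmd /status`. Field names (AzureAdJoined, AzureAdPrt, TpmProtected,
# KeySignTest, AzureAdPrtExpiryTime) are assumed from typical dsregcmd output.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" pairs; section banners and rules are skipped.
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-PrtPosture {
    param([hashtable]$Status, [datetime]$Now = (Get-Date).ToUniversalTime())
    $findings = @()
    if ($Status['AzureAdJoined'] -ne 'YES')    { $findings += 'Device is not Entra joined, so no PRT is expected' }
    if ($Status['AzureAdPrt']    -ne 'YES')    { $findings += 'No PRT present for this user session' }
    if ($Status['TpmProtected']  -ne 'YES')    { $findings += 'Device key is software-backed, not TPM-bound' }
    if ($Status['KeySignTest']   -ne 'PASSED') { $findings += 'Device key signing test did not pass' }
    # Expiry is printed as "yyyy-MM-dd HH:mm:ss.fff UTC"; compare the UTC timestamp.
    if ($Status['AzureAdPrtExpiryTime'] -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
        $expiry = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        if ($expiry -lt $Now) { $findings += "PRT expired at $expiry UTC; user must sign in again" }
    }
    if ($findings.Count -eq 0) { return 'OK: PRT present, current and TPM-protected' }
    return $findings
}

# Constructed sample output (not captured from a real device).
$sample = @'
| Device State
AzureAdJoined : YES
| Device Details
TpmProtected : YES
KeyProvider : Microsoft Platform Crypto Provider
| SSO State
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2024-01-15 10:32:11.000 UTC
AzureAdPrtExpiryTime : 2024-01-29 10:32:11.000 UTC
| Diagnostic Data
KeySignTest : PASSED
'@ -split '\r?\n'

Test-PrtPosture -Status (ConvertFrom-DsregStatus $sample) -Now ([datetime]'2024-01-20')
# On a real machine, run in the signed-in user's (non-elevated) session:
# Test-PrtPosture -Status (ConvertFrom-DsregStatus (dsregcmd /status))
```

A `TpmProtected : NO` result is worth following up, since it means the device key (and so the PRT session key) lives in software rather than in hardware.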

Conclusion

Primary Refresh Tokens serve as a cornerstone in Microsoft Entra ID’s authentication and access management framework, enabling users to seamlessly access Microsoft services while maintaining stringent security standards. By understanding their role, implementing best practices, and aligning with security measures, organizations can harness the convenience of PRTs while safeguarding sensitive data and resources effectively.

As the digital landscape continues to evolve, staying vigilant and adapting security measures will be crucial in ensuring a robust and secure authentication ecosystem within Microsoft Entra ID.