Pass The PRT

A Primary Refresh Token (PRT) is a special refresh token used for single sign-on (SSO).

– It can be used to obtain access and refresh tokens for any application.

– It is issued to a user for a specific device.

– It is valid for 90 days and is continuously renewed.

– The CloudAP SSP requests and caches the PRT on a device.

– If the PRT is MFA-based (Windows Hello or Windows Account Manager), the MFA claim is transferred to the app tokens so the user is not challenged for MFA by every application.

– Before a fix in August 2021, a PRT always carried MFA claims.

Step 1

The PRT can be extracted with the tools below from a session running as the target Entra ID user.

Using ROADToken:

C:\AzAD\Tools\ROADToken.exe <nonce>

Using AADInternals:

Get-AADIntUserPRTToken

Step 2

Go to https://login.microsoftonline.com/login.srf

Press F12 (Chrome DevTools) -> Application -> Cookies

Clear all cookies, then add a cookie named x-ms-RefreshTokenCredential for https://login.microsoftonline.com and set its value to the PRT token retrieved from AADInternals.

Mark the cookie as HttpOnly and Secure.

Step 3

Log in to Microsoft

Visit https://login.microsoftonline.com/login.srf
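Added detection-side example, not part of the original notes: because a PRT is issued to one device, a browser sign-in that presents a PRT for a known deviceId from a network or platform that device has never used is the trace a replayed PRT cookie leaves in the Entra ID sign-in log. The field names follow the Microsoft Graph signIn resource; the records, device IDs and addresses are constructed for this example.

```python
from collections import defaultdict

def rec(ts, upn, ip, token_type, device_id, os_name):
    """One sign-in record; keys follow the Microsoft Graph signIn resource."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "incomingTokenType": token_type,
            "deviceDetail": {"deviceId": device_id, "operatingSystem": os_name}}

# Constructed sample records; every value below is made up for this example.
SAMPLE_SIGNINS = [
    rec("2024-03-01T08:00:00Z", "alice@contoso.example", "203.0.113.10",
        "primaryRefreshToken", "dev-001", "Windows 10"),
    rec("2024-03-02T09:15:00Z", "alice@contoso.example", "203.0.113.10",
        "primaryRefreshToken", "dev-001", "Windows 10"),
    # The same device-bound PRT presented from another network and platform.
    rec("2024-03-03T02:40:00Z", "alice@contoso.example", "198.51.100.77",
        "primaryRefreshToken", "dev-001", "Linux"),
    # A plain credential sign-in with no device identity: not a PRT event.
    rec("2024-03-03T03:00:00Z", "bob@contoso.example", "198.51.100.77",
        "none", "", "Linux"),
]

def prt_signins(signins):
    """Sign-ins that presented a PRT and carry a device identity."""
    return [s for s in signins if s.get("incomingTokenType") == "primaryRefreshToken"
            and s.get("deviceDetail", {}).get("deviceId")]

def build_baseline(signins, min_count=2):
    """Map deviceId -> set of (ip, os) pairs seen at least min_count times,
    so one odd sign-in cannot teach the baseline that it is normal."""
    counts = defaultdict(int)
    for s in prt_signins(signins):
        d = s["deviceDetail"]
        counts[(d["deviceId"], s["ipAddress"], d["operatingSystem"])] += 1
    baseline = defaultdict(set)
    for (dev, ip, os_name), n in counts.items():
        if n >= min_count:
            baseline[dev].add((ip, os_name))
    return baseline

def find_suspicious(signins, baseline):
    """Return PRT sign-ins whose (ip, os) is unknown for their deviceId: a PRT is
    issued to one device, so a new platform or network is the replay trace."""
    hits = []
    for s in prt_signins(signins):
        d = s["deviceDetail"]
        if (s["ipAddress"], d["operatingSystem"]) not in baseline.get(d["deviceId"], set()):
            hits.append((s["createdDateTime"], s["userPrincipalName"],
                         d["deviceId"], s["ipAddress"], d["operatingSystem"]))
    return hits
```

In practice, build the baseline from a prior window of exported sign-in logs rather than from the batch under review, and treat a hit as a lead to correlate with the device's own event logs rather than as proof on its own.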
