Azure Active Directory – Seamless Single Sign On and Primary Refresh Token (PRT)
With Azure AD Connect, you can synchronize on-premises Active Directory objects to Office 365 and Azure AD. Therefore users can use their on-premises credentials to authenticate against Office 365 and Azure.
If you also want to support single sign-on to those users, so that they don’t need to enter their credentials each time when accessing resources in Office 365 or Azure, you can achieve this with three different options.
- Seamless SSO (Password Hash Synchronization or Pass-through Authentication)
- Primary Refresh Token (PRT)
- AD FS Federation
As Seamless SSO is only used for Windows 7 and 8.1 domain-joined devices, I will set the focus on the Primary Refresh Token (PRT) for Windows 10 devices.
Windows 10 devices, either Azure AD joined, Hybrid Azure AD joined or Azure AD registered, works based on the Primary Refresh Token (PRT)
What is Azure Active Directory Seamless Single Sign-On?
Azure Active Directory Seamless Single Sign-On
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to your corporate network. When enabled, users don’t need to type in their passwords to sign in to Azure AD, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components.
Seamless SSO can be combined with either the Password Hash Synchronization or Pass-through Authentication sign-in methods. Seamless SSO is not applicable to Active Directory Federation Services (ADFS).
SSO via primary refresh token vs. Seamless SSO
For Windows 10, Windows Server 2016 and later versions, it’s recommended to use SSO via primary refresh token (PRT).
For windows 7 and 8.1 it’s recommended to use Seamless SSO. Seamless SSO needs the user’s device to be domain-joined, but it is not used on Windows 10 Azure AD joined devices or hybrid Azure AD joined devices. SSO on Azure AD joined, Hybrid Azure AD joined, and Azure AD registered devices works based on the Primary Refresh Token (PRT)
SSO via PRT works once devices are registered with Azure AD for hybrid Azure AD joined, Azure AD joined or personal registered devices via Add Work or School Account. For more information on how SSO works with Windows 10 using PRT, see: Primary Refresh Token (PRT) and Azure AD
Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso#sso-via-primary-refresh-token-vs-seamless-sso
Seamless Single Sign-On: Technical deep dive
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-how-it-works#how-does-seamless-sso-work
Differences between the single sign-on experience for PRT and Seamless SSO?
Azure AD Join, Hybrid Azure AD join and Azure AD registered provides SSO to users if their devices are registered with Azure AD. These devices don’t necessarily have to be domain-joined. SSO is provided using primary refresh tokens or PRTs, and not Kerberos. The user experience is most optimal on Windows 10 devices. SSO happens automatically on the Microsoft Edge browser. It also works on Chrome with the use of a browser extension.
You can use both registered with Azure AD and Seamless SSO on your tenant. These two features are complementary. If both features are turned on, then SSO via PRT takes precedence over Seamless SSO.
Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-faq
Here Microsoft only speaks about Azure AD join, but it is also true for Hybrid Azure AD join and Azure AD registered or generally for devices registered with Azure AD. Therefore the text above is adjusted on my part.
Enable Seamless Single Sign-On
Azure Active Directory Seamless Single Sign-On: Quickstart
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-star
Enable Seamless SSO through Azure AD Connect.
The option will be available for selection only if the Sign On method is Password Hash Synchronization or Pass-through Authentication.

You can verify if you have enabled Seamless SSO correctly through the Azure Portal under Azure Active Directory -> Azure AD Connect -> USER SIGN-IN

Seamless SSO creates a computer account named AZUREADSSOACC in your on-premises Active Directory (AD) in each AD forest. The AZUREADSSOACC computer account needs to be strongly protected for security reasons. Only Domain Admins should be able to manage the computer account. Ensure that Kerberos delegation on the computer account is disabled, and that no other account in Active Directory has delegation permissions on the AZUREADSSOACC computer account. Store the computer account in an Organization Unit (OU) where they are safe from accidental deletions and where only Domain Admins have access.
Add the following Trusted Sites as Intranet Zone
autologon.microsoftazuread-sso.com
aadg.windows.net.nsatc.net
In addition, you need to enable an Intranet zone policy setting called Allow updates to status bar via script through Group Policy.
Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start#group-policy-option—detailed-steps
What is a Primary Refresh Token?
A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is issued, used, and protected on Windows 10 devices.
This article assumes that you already understand the different device states available in Azure AD and how single sign-on works in Windows 10. For more information about devices in Azure AD, see the article What is device management in Azure Active Directory?
Source: https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
More about Primary Refresh Token (PRT) you will find in my following post.
OAuth 2.0 and OpenID Connect – Tokens
Microsoft identity platform ID tokens
https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens
Microsoft identity platform access tokens
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
Microsoft identity platform refresh tokens
https://docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
More about OAuth 2.0 and OpenID Connect you will also find in my following post.
Links
Azure Active Directory Seamless Single Sign-On
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
How does Seamless SSO work?
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-how-it-works#how-does-seamless-sso-work
Azure Active Directory Seamless Single Sign-On: Quickstart
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
What is a Primary Refresh Token?
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token