The Primary Refresh Token (PRT) is an Azure AD artifact issued to Windows 10 and later devices when the user signs in; the operating system uses it to obtain access tokens for resources, providing a seamless single sign-on (SSO) experience. Because the PRT satisfies Azure AD authentication silently once the user has signed in to Windows, later sign-ins to Azure AD-protected resources are served from the PRT and never reach the Beyond Identity authentication step, which is the bypass this article is concerned with.
PRTs are managed by the operating system and are not directly configurable by end users or administrators. Azure AD issues a PRT with a 14-day lifetime and renews it continually while the device is in active use; that lifetime is not exposed as a setting. What you can manage are the related token lifetimes through Azure Active Directory (Azure AD) policy.
To influence the PRT timeout indirectly, configure a token lifetime policy in Azure AD. Here's how to do that using Azure AD PowerShell:
First, ensure you have the AzureAD or AzureADPreview PowerShell module installed. Both modules are deprecated in favor of the Microsoft Graph PowerShell SDK, but the cmdlets below still work as long as the module can be installed. If you don't have it installed, run one of these commands:

    Install-Module -Name AzureAD

or

    Install-Module -Name AzureADPreview

Connect to your Azure AD tenant by running:

    Connect-AzureAD

You will be prompted to enter your Azure AD credentials; the account needs a role that can manage policies, such as Global Administrator.
Create a new token lifetime policy with the New-AzureADPolicy cmdlet. The -Definition parameter takes a JSON document, and durations in it are written in the .NET TimeSpan format d.hh:mm:ss, so eight hours is "08:00:00", not "8:00" and not a count of minutes. For example:

    New-AzureADPolicy -DisplayName "PRTLifetimePolicy" -Type "TokenLifetimePolicy" -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxAgeSingleFactor":"08:00:00"}}') -IsOrganizationDefault $false

Be aware that Azure AD retired the refresh and session token lifetime properties of this policy (MaxAgeSingleFactor, MaxAgeMultiFactor, MaxAgeSessionSingleFactor, MaxAgeSessionMultiFactor and MaxInactiveTime) in January 2021. The API still accepts them, but only AccessTokenLifetime is enforced, and none of these properties applies to the PRT itself. If the goal is to force users back through an interactive sign-in on a schedule, the supported control is the sign-in frequency setting in Conditional Access.

Apply the policy either to the whole tenant or to specific service principals (applications). There is no Add-AzureADPolicyAppliedObject cmdlet. To make the policy the organization default, pass -IsOrganizationDefault $true when creating it, or update an existing policy (Get-AzureADPolicy has no -Filter parameter, so filter the result client-side):

    $policy = Get-AzureADPolicy | Where-Object { $_.DisplayName -eq 'PRTLifetimePolicy' }
    Set-AzureADPolicy -Id $policy.Id -IsOrganizationDefault $true

To scope it to a single application instead, link it to that application's service principal:

    $sp = Get-AzureADServicePrincipal -SearchString "<application display name>"
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
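The steps above put together as one idempotent script. This is an added example, not code from the original article or from Beyond Identity: it assumes the AzureAD module is installed and Connect-AzureAD has already succeeded, and the policy name and the application display name ('Beyond Identity') are placeholders chosen for the example. It creates or updates the policy, scopes it to one service principal without adding a duplicate link, and reads the result back so you can confirm what is actually in effect.

```powershell
# Added example; assumes an existing Connect-AzureAD session with a role that can manage policies.
$policyName = 'PRTLifetimePolicy'
$appName    = 'Beyond Identity'   # assumption: display name of the service principal to scope the policy to

# Durations use the .NET TimeSpan format d.hh:mm:ss; "08:00:00" is eight hours.
# Only AccessTokenLifetime is still enforced by Azure AD; MaxAgeSingleFactor is accepted
# by the API but ignored since the refresh/session token lifetime controls were retired.
$definition = [ordered]@{
    TokenLifetimePolicy = [ordered]@{
        Version             = 1
        AccessTokenLifetime = '08:00:00'
        MaxAgeSingleFactor  = '08:00:00'
    }
} | ConvertTo-Json -Compress -Depth 3

# Create-or-update: Get-AzureADPolicy has no -Filter parameter, so match on the client side.
$policy = Get-AzureADPolicy |
    Where-Object { $_.DisplayName -eq $policyName -and $_.Type -eq 'TokenLifetimePolicy' } |
    Select-Object -First 1
if (-not $policy) {
    $policy = New-AzureADPolicy -DisplayName $policyName -Type 'TokenLifetimePolicy' `
        -Definition @($definition) -IsOrganizationDefault $false
    Write-Host "Created policy $($policy.Id)"
} else {
    Set-AzureADPolicy -Id $policy.Id -Definition @($definition)
    Write-Host "Updated policy $($policy.Id)"
}

# Scope the policy to one application's service principal rather than the whole tenant.
$sp = Get-AzureADServicePrincipal -SearchString $appName | Select-Object -First 1
if (-not $sp) { throw "Service principal '$appName' not found in this tenant" }

$alreadyLinked = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Id -eq $policy.Id }
if (-not $alreadyLinked) {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
    Write-Host "Linked policy to service principal $($sp.ObjectId)"
}

# Verify: show the stored definition and every policy now attached to the application.
Get-AzureADPolicy -Id $policy.Id |
    Select-Object DisplayName, Type, IsOrganizationDefault, @{ n = 'Definition'; e = { $_.Definition -join '' } }
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object Id, DisplayName, Type
```

Run it once to create the policy and again to confirm it reports "Updated" without creating a second link; if you want the policy to be tenant-wide instead, replace the service principal section with Set-AzureADPolicy -Id $policy.Id -IsOrganizationDefault $true.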
Please note that modifying token lifetimes can have security implications and may affect the user experience. Make sure to test your changes in a non-production environment before applying them to your organization.