Jump to content
Welcome to our new Citrix community!
  • Citrix Workloads in Azure - FAS and Primary Refresh Token (PRT)


    UddaveJajoo22Rnd.png by Uddave Jajoo, Indianapolis CUGC Leader

    Customers are inclining towards migrating their On-Prem AD joined workloads to Azure. With this practice in common, customers often run into issues where the Seamless SSO does not work properly on their hybrid join devices. This blog will guide you through how these configurations impact the device join status in Azure AD and how to effectively make SSO work with the Azure Native provision workloads.

    • What is Primary Refresh Token?
    • Configure FAS in Citrix Cloud
    • Configuration on Azure AD
    • Supported Platforms


    Enterprises are frequently moving from traditionally-based authentication to modern authentication across their applications. That's why app modernization is a technique followed by each and every enterprise nowadays, when planning to migrate their apps to cloud and adapt to the modern authentication protocols.

    Microsoft announced public preview of Azure AD Certificate-Based Authentication in February 2022, which would enable the support for Windows logon and Single Sign-On (SSO) to Azure AD applications and resources. When it comes to sign-in to the user desktops, it could also be utilized as one of the authentication methods by integrating it with FAS. Primary refresh token is one of the key attributes that is being transferred within the user session to enable SSO to Azure AD apps and resources. In a real time scenario, when using on-prem AD, PRT token gets issued based on the device joining status in Azure AD and gets manipulated accordingly within the session. This token is responsible to dictate the authentication state for the user session.

    What is Primary Refresh Token?

    Primary Refresh Token

    A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. In this article, we will provide details on how a PRT is issued, used, and protected on Windows 10 or newer devices.

    Microsoft recommends using the latest versions of Windows 10, Windows 11 and Windows Server 2019+ to get the best SSO experience.

    With the missing PRT token on the user device, it breaks the SSO process for users to connect to any federated enterprise apps/O365 Apps, that are integrated with Azure MFA, which forces them to enter the user ID and credentials every time they connect to the apps.

    To determine the AzureADPRT Token value, run the below command on the client device in a command prompt – dsregcmd /status

    Output – Example on Native Azure MCS provisioned desktop confirming the PRT Token set to YES

    | SSO State |

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2022-11-29 19:40:39.000 UTC
      AzureAdPrtExpiryTime : 2022-12-13 19:40:38.000 UTC

    Configure FAS in Citrix Cloud

    Follow the Citrix docs for successful installation and configuration of FAS in your environment. It's a pretty straightforward guide on how to configure FAS and configure to the resource location in Citrix Cloud console.

    Install and Configure FAS

    Install FAS Servers, Point to PKI servers for publishing the User certificates on logon and add to resource location.

    Configuration on Azure AD

    Follow the instructions outlined in the MS guide – Azure Certificated Based Authentication

    • Configure at least one certification authority (CA) and any intermediate certification authorities in Azure Active Directory.
    • The user must have access to a user certificate (issued from a trusted Public Key Infrastructure configured on the tenant) intended for client authentication to authenticate against Azure AD.
    • Each CA should have a certificate revocation list (CRL) that can be referenced from internet-facing URLs. Its needed to ensure Azure AD is able to perform CRL check, otherwise the revocation of user certificates will not work and authentication will not be blocked.
    • Configure the Certificate-based authentication Authentication method in your Azure Active Directory Security menu – Configure the Certificate Authorities in Azure Security Portal
    • Join your clients and your Citrix VDA’s into Azure AD or a hybrid environment (hybrid join).

    Identify the Device Type is Azure AD or Hybrid Join- Reference Table Below: Troubleshoot Devices by DSREGCMD command

    AzureAdJoinedEnterpriseJoinedDomainJoinedDevice state
    YESNONOAzure AD Joined
    NONOYESDomain Joined
    YESNOYESHybrid AD Joined
    NOYESYESOn-premises DRS Joined


    Device State

    Sample Device State Output


    | Device State |


    AzureAdJoined : YES

    EnterpriseJoined : NO

    DomainJoined : YES

    DomainName : HYBRIDADFS


    Supported Platforms

    Before configuring device identities in Azure AD for your VDI environment, familiarize yourself with the supported scenarios. The table below illustrates which provisioning scenarios are supported. Provisioning in this context implies that an administrator can configure device identities at scale without requiring any end-user interaction.

    Note – If your Identity infrastructure is Managed then Non Persistent workloads are not supported with Hybrid Azure AD Joined as Device type. Currently Its only supported with Federated Identity Infrastructure, and Microsoft is still evaluating internally how to make it work successfully with the Managed infrastructure as well.

    Device identity typeIdentity infrastructureWindows devicesVDI platform versionSupported
    Hybrid Azure AD joinedFederated3Windows current and Windows down-levelPersistentYes
    Windows currentNon-PersistentYes
    Windows down-levelNon-PersistentYes
    Managed4Windows current and Windows down-levelPersistentYes
    Windows currentNon-PersistentNo
    Windows down-levelNon-PersistentYes
    Azure AD joinedFederatedWindows currentPersistentLimited
    ManagedWindows currentPersistentLimited
    Azure AD registeredFederated/ManagedWindows current/Windows down-levelPersistent/Non-PersistentNot Applicable






    See more posts by Uddave Jajoo here.


    Not a member of CUGC? Join today so you don't miss out!

    User Feedback

    Recommended Comments

    There are no comments to display.

    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

  • Create New...