This article will address the limitations of Primary Refresh Tokens (PRT) and the recommended solutions for Okta users encountering issues with legacy authentication protocols.
For Microsoft's guidance on troubleshooting PRT issues, refer to the Microsoft Entra documentation: Troubleshoot Microsoft Entra hybrid joined devices.
- Issues with Primary Refresh Tokens (PRT)
- Legacy Authentication Protocols
- Windows 10 or newer
- PC Login
Primary Refresh Tokens (PRT) rely on the WINLOGON service, a component of Microsoft's authentication architecture. Entra ID Conditional Access policies are not evaluated during PRT issuance, so Multi-Factor Authentication (MFA) cannot be enforced at that step; this is a limitation of the PRT flow itself. Consequently, any issues related to PRT tokens fall under Microsoft's purview and are outside Okta's control.
If you experience issues with PRT, contact Microsoft Support for assistance. Okta recommends configuring an App-Level Sign-on Policy that allows only select custom User Agents for Entra hybrid-joined machines, so that legacy-protocol sign-ons from any other client are rejected.
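The following is an added illustration of how the recommended policy behaves; it is example code, not Okta's own implementation (the real policy is configured in the Okta Admin Console). The user-agent pattern, the event records, and the REQUIRE_MFA outcome for non-legacy requests are assumptions made for the example.

```python
"""Model of an app-level sign-on policy that permits legacy-protocol sign-ons only
from allow-listed user agents (example, not Okta's code)."""
import re
from dataclasses import dataclass

# ASSUMED allowlist: replace with the exact user agents your hybrid-joined
# machines present; confirm the value against your own Okta System Log.
ALLOWED_USER_AGENTS = [
    r"^Windows-AzureAD-Authentication-Provider/",  # placeholder pattern
]


@dataclass(frozen=True)
class SignOnRequest:
    app: str
    user_agent: str
    legacy_protocol: bool  # True for WS-Federation/WS-Trust style PC-login flows


def evaluate(req: SignOnRequest, allowed_patterns=ALLOWED_USER_AGENTS) -> str:
    """Return 'ALLOW', 'DENY' or 'REQUIRE_MFA'.

    Rule order mirrors the recommended policy:
      1. legacy-protocol request from an allow-listed user agent -> ALLOW
         (PRT issuance cannot satisfy MFA, so this is the only exception)
      2. legacy-protocol request from any other user agent     -> DENY
      3. non-legacy (browser / OIDC) request                    -> REQUIRE_MFA (assumed)
    """
    if req.legacy_protocol:
        if any(re.match(p, req.user_agent, re.IGNORECASE) for p in allowed_patterns):
            return "ALLOW"
        return "DENY"
    return "REQUIRE_MFA"


def audit(events, allowed_patterns=ALLOWED_USER_AGENTS):
    """Return the legacy-auth attempts the policy would deny: the unexpected
    clients worth reviewing when tuning the user-agent allowlist."""
    return [e for e in events if evaluate(e, allowed_patterns) == "DENY"]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    SignOnRequest("Office 365", "Windows-AzureAD-Authentication-Provider/1.0", True),
    SignOnRequest("Office 365", "python-requests/2.31", True),
    SignOnRequest("Office 365", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", False),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e.user_agent!r:50} -> {evaluate(e)}")
```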
NOTE: PRT is subject to limitations that may affect the preferred authentication method.
