
Microsoft Entra tenant allowing unsecure token persistence

Cayosoft Threat Definition CTD-000041


Risk Summary

Unsecure token persistence enables a stolen Primary Refresh Token (PRT) to be reused, bypassing MFA and Conditional Access and granting ongoing access to tenant resources.

  • Severity: Medium
  • Platform: Entra ID
  • Category: Account protection, Tenant-wide, Privileged Access Management
  • MITRE ATT&CK Tactics: Credential Access
  • MITRE D3FEND Tactics: Application Configuration Hardening, Credential Transmission Scoping

Description

A Primary Refresh Token (PRT) is a key artifact of Microsoft Entra authentication on Windows 10 or newer, Windows Server 2016 and later, iOS, and Android devices. It is a JSON Web Token (JWT) issued specifically to Microsoft first-party token brokers to enable single sign-on (SSO) across the applications used on those devices. After an administrator signs in on a device, the PRT is cached on that client. If a device used by the administrator is left unattended or is compromised, a threat actor may be able to extract the PRT and use it to access your tenant while bypassing MFA.


Real-World Scenario

An attacker compromises an admin workstation via a malicious browser extension, then dumps the device’s token cache to extract a valid PRT. Because browser sessions are persistent and sign-in frequency is lax, the attacker silently exchanges the PRT for fresh access tokens, bypassing MFA and Conditional Access prompts. They enroll a rogue device, create inbox rules for exfiltration, and add an app secret for persistence. Cayosoft Guardian raises CTD-000041 on unsecure token persistence so operators can enforce frequent reauthentication and disable persistent sessions for privileged roles before further abuse.


How to Detect (Cayosoft Guardian)

1.) Sign in to the Cayosoft Guardian Threat Detection Dashboard.

2.) View All Alerts and search for CTD-000041 or "Microsoft Entra tenant allowing unsecure token persistence".

3.) Open any alert and click for details (from the Raise Threat Alert action).

Remediation Steps

Using the remediation advice in Cayosoft Guardian, follow these steps to remove the vulnerability:

To change sign-in frequency control and browser session persistence for users with administrative permissions:

  1.) Sign in to the Microsoft Entra admin center as a Global Administrator, Security Administrator, or Conditional Access Administrator.
  2.) Browse to Protection > Conditional Access.
  3.) Select Create new policy.
  4.) Give your policy a name.
  5.) In Target resources, choose Cloud apps > All cloud apps.
  6.) In Users, under the Include section, choose Select users and groups.
  7.) Select Directory roles.
  8.) Add all administrative roles.
  9.) Go to Access controls > Session.
  10.) Select Sign-in frequency.
  11.) Select Periodic reauthentication.
  12.) Enter a value in hours, or select Every time.
  13.) Under Access controls > Session, select Persistent browser session.
  14.) Choose Never persistent.
  15.) Select On in the Enable policy section.
  16.) Save your policy.

How to Prevent It

  • Apply Conditional Access session controls to all administrative directory roles: short Sign-in frequency and Never persistent browser sessions.
  • Require compliant or hybrid-joined devices for admin access; enforce hardening and screen lock on privileged workstations.
  • Use PIM for just-in-time activation of admin roles; avoid standing privileges.
  • Monitor for policy drift with Cayosoft Guardian and review sign-in logs for unusual token refresh patterns.
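The following audit script is an added example (not Cayosoft Guardian code and not from the original page) that checks Conditional Access policy objects for the two session controls configured in the remediation steps above and flags the drift the last bullet refers to. It assumes the field names of the Microsoft Graph conditionalAccessPolicy resource (as returned by GET /identity/conditionalAccess/policies); the sample policies, the 12-hour threshold and the role template id are constructed placeholders.

```python
# Assumed Graph conditionalAccessPolicy field names; verify against your tenant export.
MAX_SIGN_IN_HOURS = 12  # assumed threshold for a "short" sign-in frequency

def policy_findings(policy: dict, max_hours: int = MAX_SIGN_IN_HOURS) -> list:
    """Return the reasons a policy fails to enforce short sign-in frequency and
    non-persistent browser sessions for directory roles; empty list means it passes."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled")
    cond = policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:
        findings.append("does not target All cloud apps")
    if not (cond.get("users") or {}).get("includeRoles"):
        findings.append("no directory roles in scope")
    sess = policy.get("sessionControls") or {}       # None when no session controls set
    sif = sess.get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        findings.append("sign-in frequency not enabled")
    elif sif.get("frequencyInterval") == "timeBased":
        hours = sif.get("value", 0) * (24 if sif.get("type") == "days" else 1)
        if hours > max_hours:
            findings.append(f"sign-in frequency {hours}h exceeds {max_hours}h")
    elif sif.get("frequencyInterval") != "everyTime":
        findings.append("unrecognised sign-in frequency interval")
    pb = sess.get("persistentBrowser") or {}
    if not (pb.get("isEnabled") and pb.get("mode") == "never"):
        findings.append("persistent browser session is not 'never'")
    return findings

def audit(policies: list) -> dict:
    """Map each policy's displayName to its findings (a simple drift report)."""
    return {p.get("displayName", "?"): policy_findings(p) for p in policies}

# Constructed sample policies (not from any real tenant); the role id is a placeholder.
ADMIN_ROLES = ["<admin-role-template-id>"]
HARDENED = {"displayName": "Admins: 8h sign-in, never persistent", "state": "enabled",
            "conditions": {"applications": {"includeApplications": ["All"]},
                           "users": {"includeRoles": ADMIN_ROLES}},
            "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours",
                                                    "value": 8, "frequencyInterval": "timeBased"},
                                "persistentBrowser": {"isEnabled": True, "mode": "never"}}}
DRIFTED = {"displayName": "Admins: MFA only", "state": "enabled",
           "conditions": {"applications": {"includeApplications": ["All"]},
                          "users": {"includeRoles": ADMIN_ROLES}},
           "sessionControls": None}

if __name__ == "__main__":
    for name, issues in audit([HARDENED, DRIFTED]).items():
        print(name, "->", "OK" if not issues else "; ".join(issues))
```

Feed it the JSON array from your own policy export to see which admin-scoped policies have lost either control.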

FAQ

It is a configuration where administrators can maintain persistent browser sessions or infrequent reauthentication. This makes a stolen Primary Refresh Token (PRT) more valuable, since attackers can reuse it to access tenant resources while bypassing MFA and Conditional Access.

If attackers extract a PRT from a compromised admin device, they can continuously refresh access tokens without being challenged by MFA or reauthentication. This enables long-term unauthorized access, device enrollment, or creation of persistence mechanisms such as app secrets.

By monitoring with tools like Cayosoft Guardian or Microsoft Entra sign-in logs. Indicators include persistent sessions, infrequent reauthentication for privileged roles, and unusual token refresh activity across admin accounts.

References

  • Microsoft Entra admin center: https://entra.microsoft.com/

Final Thought

Proactive monitoring and timely remediation of configuration risks are essential to maintaining a secure Active Directory and Microsoft 365 environment. By addressing issues such as a Microsoft Entra tenant allowing unsecure token persistence, you reduce your attack surface and strengthen your organization's overall security posture.