---
title: Accept Azure Primary Refresh Tokens
description: Primary Refresh Tokens (PRTs) are issued by Microsoft Entra to enable single sign-on (SSO) when Entra is your identity provider (IdP). PRTs are issued and verified only by Entra, and don't allow for offline verification. Learn more about PRTs in Understanding Primary Refresh Token in the Microsoft documentation.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_accept_azure_prt
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_accept_azure_prt.html
revdate: April 29, 2026
section_ids:
  before-you-begin: Before you begin
  register-an-application-in-microsoft-entra: Register an application in Microsoft Entra
  create-an-oidc-idp-connection-in-pingfederate: Create an OIDC IdP Connection in PingFederate
  configure-browsers-to-accept-prts: Configure browsers to accept PRTs
---

# Accept Azure Primary Refresh Tokens

Primary Refresh Tokens (PRTs) are issued by Microsoft Entra to enable single sign-on (SSO) when Entra is your identity provider (IdP). PRTs are issued and verified only by Entra, and don't allow for offline verification. Learn more about PRTs in [Understanding Primary Refresh Token](https://learn.microsoft.com/en-us/entra/identity/devices/concept-primary-refresh-token) in the Microsoft documentation.

You can configure PingFederate to accept PRTs for workforce users by creating an OpenID Connect (OIDC) IdP connection, with Entra as an external IdP.

This configuration has three main components:

1. Register an application in Microsoft Entra.

2. Create an IdP connection in PingFederate.

3. Configure user browsers to accept PRTs.

## Before you begin

For testing purposes, you should have a device connected to Entra as a joined device. Learn more in [Microsoft Entra joined devices](https://learn.microsoft.com/en-us/entra/identity/devices/concept-directory-join) in the Microsoft documentation.

You can test whether your device is joined by running `dsregcmd /status` in the command line. If your device is joined, the output includes:

```shell
isDeviceJoined: YES
AzureAdPrt: YES
```

## Register an application in Microsoft Entra

Follow the steps in [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/graph/auth-register-app-v2) in the Microsoft documentation.

While registering an application, do the following so you can connect to PingFederate:

* Create a client secret and have it ready to copy into PingFederate.

* Add a redirect URI from PingFederate. You can find the Redirect URI in PingFederate on the **Summary & Activation** tab after you finish configuring the IdP connection.

## Create an OIDC IdP Connection in PingFederate

1. Follow the steps in [Creating an OpenID Connect IdP connection](pf_creating_oidc_idp_connection.html).

   While creating the connection, do the following to connect with your Entra application:

   * On the **General Info** tab, paste the **Client ID** and **Client Secret** values from your application.

   * On the **OpenID Provider Info** tab, add the following request parameter:

     | Name     | Type   | Value  |
     | -------- | ------ | ------ |
     | `prompt` | `text` | `none` |

     This prevents Entra from displaying the Microsoft sign-on page when PRT authorization fails.

2. If necessary, create an authentication policy for the new IdP connection. Learn more in [Defining authentication policies](pf_defining_auth_policies.html).
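The `prompt=none` request parameter matters because it turns a failed silent sign-on into an OIDC error redirect that PingFederate can act on in its authentication policy, instead of an interactive Microsoft page the user is stuck on. The following added example (not PingFederate or Microsoft code) shows the shape of that exchange from the relying-party side: it builds an authorization request carrying `prompt=none` and classifies the callback Entra sends back. The tenant ID, client ID, redirect URI and the sample callback are placeholders constructed for the example; the error codes come from OIDC Core section 3.1.2.6.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders. Replace with the values from your Entra app
# registration and the Redirect URI shown on PingFederate's Summary & Activation tab.
TENANT_ID = "TENANT_ID_PLACEHOLDER"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://pingfederate.example.com/oidc-callback"  # placeholder

# OIDC Core 3.1.2.6 error codes meaning "the OP needed user interaction but
# prompt=none forbade it". When no usable PRT is available, these are what the
# IdP returns instead of rendering a sign-on page.
SILENT_AUTH_ERRORS = {
    "login_required",
    "interaction_required",
    "consent_required",
    "account_selection_required",
}


def build_authorization_url(tenant_id, client_id, redirect_uri, state, nonce):
    """Return the authorization request an RP sends when it wants PRT-based SSO
    without ever showing an interactive Microsoft sign-on page."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,          # CSRF binding between request and callback
        "nonce": nonce,          # replay protection for the ID token
        "prompt": "none",        # the request parameter configured in PingFederate
    }
    return (
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
        f"?{urlencode(params)}"
    )


def classify_callback(callback_url, expected_state):
    """Decide what the RP should do with the redirect the IdP sent back.

    Returns one of:
      "state_mismatch"     - reject; the callback does not belong to our request
      "code"               - silent SSO worked; exchange the code for tokens
      "silent_auth_failed" - no usable PRT; fall through to another
                             authentication source in the policy
      "error"              - any other OAuth/OIDC error; surface it
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return "state_mismatch"
    if "code" in query:
        return "code"
    error = query.get("error", [None])[0]
    if error in SILENT_AUTH_ERRORS:
        return "silent_auth_failed"
    return "error"


if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, state, nonce))
    # Constructed callback of the kind returned when prompt=none cannot be
    # satisfied because the browser session carries no PRT.
    sample = (
        f"{REDIRECT_URI}?error=login_required"
        f"&error_description=silent+sign-in+not+possible&state={state}"
    )
    print(classify_callback(sample, state))
```

In PingFederate the classification step is what the authentication policy does for you: a `silent_auth_failed` outcome is the case where you would route the user to a fallback authentication source rather than treating it as a hard failure. The `state` check comes first on purpose; a callback that does not match the pending request should never be interpreted, whichever parameters it carries.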

## Configure browsers to accept PRTs

The following table describes how to enable PRT authentication in various browsers:

| Browser            | Compatibility | How to Enable |
| ------------------ | ------------- | ------------- |
| Chrome 111+        | Device-based Conditional Access | Enable the [CloudAPAuthEnabled](https://chromeenterprise.google/policies/#CloudAPAuthEnabled) policy. |
| Firefox 91+        | Device-based Conditional Access | 1. In the address bar, enter `about:preferences#privacy`. 2. Under the **Passwords** section, select **Allow Windows single sign-on for Microsoft, work, and school accounts**. |
| Microsoft Edge 85+ |  | User must be signed on to the browser to pass device identity. This sign-on might not happen automatically if the device is a hybrid join. |
| Safari             | Device-based Conditional Access. Can't satisfy the **Require approved client app** or **Require app protection** conditions. | No action needed. |

Learn more about [Conditional Access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/) in the Microsoft documentation.

After configuring your browser, you can test the connection by triggering an authentication flow on the joined device. Check the `audit.log` file to verify that authentication at the IdP connection succeeds.
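To make the `audit.log` check repeatable rather than a visual scan, the following added example (not PingFederate's own tooling) filters the log for one IdP connection and counts outcomes per status. It assumes the pipe-delimited column order listed in `AUDIT_COLUMNS`, which mirrors the default audit pattern as I understand it; compare it against the `PatternLayout` in your own `log4j2.xml` and adjust the list if your pattern differs. The sample lines, the connection ID `EntraPRT`, the event name and the subjects are all constructed for the example.

```python
from collections import Counter

# Assumed column order of the pipe-delimited audit.log. Verify against the
# audit PatternLayout in your log4j2.xml and adjust if your layout differs.
AUDIT_COLUMNS = [
    "timestamp", "trackingid", "event", "subject", "ip", "app",
    "connectionid", "protocol", "host", "role", "status",
    "adapterid", "description", "responsetime",
]

# Constructed sample log text; not captured from a real system. Event names,
# connection IDs and subjects are made up for the example.
SAMPLE_LOG = """\
2026-04-29 10:15:02,890 | tid:abc123 | AUTHN_ATTEMPT | jdoe@example.com | 10.0.0.5 | | EntraPRT | OIDC | pf.example.com | SP | success | | | 777
2026-04-29 10:17:44,002 | tid:def456 | AUTHN_ATTEMPT | | 10.0.0.9 | | EntraPRT | OIDC | pf.example.com | SP | failure | | silent sign-in not possible | 120
2026-04-29 10:18:10,501 | tid:ghi789 | AUTHN_ATTEMPT | asmith@example.com | 10.0.0.7 | | OtherIdP | SAML20 | pf.example.com | SP | success | | | 640
malformed line that should be skipped
"""


def parse_audit_line(line):
    """Split one audit.log line into a dict keyed by AUDIT_COLUMNS.

    Returns None for blank lines or lines whose field count does not match
    the expected layout, so a changed PatternLayout is noticed, not misread."""
    fields = [f.strip() for f in line.rstrip("\n").split("|")]
    if len(fields) != len(AUDIT_COLUMNS):
        return None
    return dict(zip(AUDIT_COLUMNS, fields))


def records_for_connection(log_text, connection_id):
    """Yield parsed records that belong to the given IdP connection."""
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec["connectionid"] == connection_id:
            yield rec


def connection_outcomes(log_text, connection_id):
    """Count audit events per status (e.g. success/failure) for one connection."""
    counts = Counter()
    for rec in records_for_connection(log_text, connection_id):
        if rec["status"]:
            counts[rec["status"]] += 1
    return counts


def successful_subjects(log_text, connection_id):
    """Return (timestamp, subject) for each successful authentication."""
    return [
        (rec["timestamp"], rec["subject"])
        for rec in records_for_connection(log_text, connection_id)
        if rec["status"] == "success"
    ]


if __name__ == "__main__":
    # On a real system read the file instead of SAMPLE_LOG, e.g.
    # log_text = open("log/audit.log", encoding="utf-8").read()
    print(connection_outcomes(SAMPLE_LOG, "EntraPRT"))
    for when, who in successful_subjects(SAMPLE_LOG, "EntraPRT"):
        print(f"{when}  {who}")
```

A failure entry with an empty subject alongside a description such as the constructed "silent sign-in not possible" is the expected signature of a device that has no PRT for the signed-in user, which is the case the `prompt=none` parameter and the browser settings above are meant to handle. If the connection shows no entries at all, the browser never reached the IdP connection, so check the browser policy before the PingFederate configuration.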
