Seamless SSO vs PRT: In modern IT environments, Single Sign-On (SSO) is essential for improving user experience while maintaining security. Organizations using Microsoft Entra ID (Azure AD) in hybrid mode with on-prem Active Directory (AD) often rely on two key authentication methods:
✅ Seamless SSO (based on Kerberos/TGT)
✅ SSO based on a Primary Refresh Token (PRT)
Both enable SSO authentication, but they work differently depending on device type, network conditions, and OS versions.
Let’s explore the differences, compatibility with Windows OS versions, use cases, and best practices to help IT professionals optimize authentication workflows.
What is Seamless SSO?
Definition
Seamless SSO allows users to authenticate to Microsoft Entra ID-integrated cloud applications without re-entering their credentials when they are on a corporate network or VPN. It leverages Kerberos authentication from on-prem AD.
How It Works
When a user logs into a domain-joined Windows machine and tries to access a cloud-based app (e.g., Microsoft 365, Entra-integrated SaaS apps), the authentication follows this process:
1️⃣ The user accesses a cloud application (e.g., Microsoft 365).
2️⃣ The app redirects the user to Microsoft Entra ID for authentication.
3️⃣ Microsoft Entra ID checks if Seamless SSO is enabled.
4️⃣ The user’s browser sends a Kerberos ticket to Microsoft Entra ID instead of a password.
5️⃣ Microsoft Entra ID verifies the Kerberos ticket against the local Active Directory domain controllers.
6️⃣ If valid, the user is authenticated without entering a password.
Note: This method only works when users are on the corporate network or connected via VPN.
Pre-requisites for Seamless SSO
✅ Hybrid environment (On-prem AD + Entra ID sync)
✅ Entra Connect Sync enabled
✅ Entra Seamless SSO feature enabled
✅ Domain-joined (not Azure AD-joined) Windows devices
Key Benefits of Seamless SSO
✅ No need for password re-entry after signing into a domain-joined machine.
✅ Uses Kerberos authentication, ensuring security.
✅ Works well in Hybrid AD environments.
Limitations of Seamless SSO
❌ Only works with on-premises AD domain-joined devices.
❌ Requires line-of-sight to a domain controller.
❌ Does not work for non-domain-joined or personal devices.
❌ Works only on corporate network or VPN.
Use Cases for Seamless SSO
✔️ Best for corporate environments with on-prem AD
✔️ Ideal for users who are always on the corporate network or connect via VPN
✔️ Organizations still using legacy Windows OS versions for end users
Windows OS Compatibility for Seamless SSO
Windows Version | Supported? | Requirements |
---|---|---|
Windows 11 | ✅ Yes | Must be domain-joined (Hybrid AD-joined or On-prem AD-joined) |
Windows 10 | ✅ Yes | Must be domain-joined (Hybrid AD-joined or On-prem AD-joined) |
Windows 8.1 | ✅ Yes | Must be domain-joined |
Windows 7 | ✅ Yes (Limited Support) | Requires Extended Security Updates (ESU) and domain-joined configuration |
Windows 8 | ❌ No | Not supported |
What is SSO via Primary Refresh Token (PRT)?
Definition
SSO via Primary Refresh Token (PRT) is a cloud-first authentication mechanism that works on Azure AD-joined or Hybrid AD-joined devices. It enables single sign-in to Microsoft Entra ID-based apps without requiring direct communication with an on-prem AD. Unlike Seamless SSO, which depends on Kerberos, PRT relies on modern authentication (OAuth 2.0 and OIDC).
How It Works
It enables seamless access to both cloud and on-prem applications without re-entering credentials. The authentication process is as follows:
1️⃣ The user logs into a Windows 10/11 device with Entra ID integration.
2️⃣ The device authenticates against Entra ID and obtains a Primary Refresh Token (PRT).
3️⃣ When accessing cloud apps, the PRT is used for authentication instead of providing credentials again.
4️⃣ The PRT contains an encrypted session key, allowing automatic sign-in.
5️⃣ PRT can include MFA claims to avoid repeated prompts if MFA is required. PRT is automatically refreshed every 4 hours or when needed.
Note: PRT-based authentication doesn’t require on-prem AD connectivity. It works from anywhere! 🌍
Pre-requisites for SSO via PRT
✅ Windows 10/11 devices (Azure AD-joined or Hybrid AD-joined)
✅ Microsoft Entra ID PRT issued on login
✅ Internet connectivity for token refresh
Key Benefits of SSO via PRT
✅ Works for both on-premises and cloud applications.
✅ No dependency on on-premises domain controllers.
✅ Supports Windows 10/11, macOS, iOS, and Android.
✅ Reduces password fatigue for users (even outside the corporate network).
Limitations of SSO via PRT
❌ Requires a Microsoft Entra-joined or Hybrid-joined device.
❌ Older OS versions (Windows 8 or lower) do not support PRT.
Use Cases for SSO via PRT
✔️ Best for remote workers using cloud-based apps
✔️ Ideal for organizations migrating away from on-prem AD
✔️ Works for hybrid environments with minimal dependency on corporate networks
Windows OS Compatibility for SSO via PRT
Windows Version | Supported? | Requirement |
---|---|---|
Windows 11 | ✅ Yes | Entra ID joined or Hybrid joined |
Windows 10 | ✅ Yes | Entra ID joined or Hybrid joined |
Windows 8.1 | ❌ No | PRT is not supported |
Windows 8 or lower | ❌ No | PRT is not supported |
Comparison – Seamless SSO vs. SSO via PRT
Feature | Seamless SSO (Kerberos-based) | SSO via PRT (Cloud-based) |
---|---|---|
Authentication Type | Uses Kerberos from on-prem AD | Uses PRT from Microsoft Entra ID |
Works On | Domain-joined devices (Windows 7/8.1/10/11) | Entra ID joined & Hybrid-joined devices (Windows 10/11) |
Network Dependency | Requires corporate network or VPN | Works from anywhere (Internet-based) |
Use Case | On-prem & hybrid environments | Cloud-first & hybrid environments |
Best for | Organizations with legacy OS and AD-based apps | Companies moving to full cloud authentication |
Device Requirement | Windows 7/8.1/10/11 (domain-joined) | Windows 10/11 (Entra ID joined or Hybrid) |
Credential Prompts | None while on the corporate network or VPN | No prompt for credentials as long as the PRT is alive |
How to Identify If a User is Using Kerberos or PRT?
Windows 8 or lower versions cannot use PRT for SSO because they do not support modern authentication. Windows 10 or later versions can use either method, Seamless SSO or PRT, depending on how the device is configured (AD-joined, or AAD/HAAD-joined).
Checking Kerberos (Seamless SSO):
1️⃣ Open Developer Tools in a browser (F12 in Edge/Chrome).
2️⃣ Navigate to the Network tab and find login.microsoftonline.com.
3️⃣ Look for Kerberos in the authentication headers.
Checking PRT (SSO via PRT):
1️⃣ Open Command Prompt (CMD).
2️⃣ Run: dsregcmd /status
3️⃣ Look for: AzureADPrt = YES (Indicates authentication via PRT).
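The manual check above reads dsregcmd output by eye. As an added example (my code, not from the original post), the PowerShell below parses the `key : value` lines that `dsregcmd /status` prints and classifies the device into one of the states discussed here (on-prem AD-joined, Entra ID-joined, Hybrid-joined) together with whether a PRT is present, so you can tell at a glance which SSO path applies. The function names are my own; the key names (`AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `AzureAdPrtUpdateTime`, `AzureAdPrtExpiryTime`) are the ones dsregcmd prints as I know them, and the sample output at the bottom is constructed so the script runs offline.

```powershell
# Added example, not from the original post: parse `dsregcmd /status` output and
# report which SSO mechanism (Seamless SSO via Kerberos, or SSO via PRT) the
# device and signed-in user can use. Function names are hypothetical/my own.

function ConvertFrom-DsregcmdStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    $state = @{}
    foreach ($line in $Lines) {
        # Value lines look like "   AzureAdPrt : YES"; banner lines ("+----", "| SSO State |")
        # do not start with a letter and are skipped. The lazy key match stops at the
        # first colon, so timestamp values containing ':' are kept intact.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $state[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-SsoPosture {
    [CmdletBinding()]
    param([string[]]$StatusOutput)

    # Default to the live tool; pass captured lines to analyse output from another machine.
    if (-not $StatusOutput) { $StatusOutput = & dsregcmd.exe /status }
    $s = ConvertFrom-DsregcmdStatus -Lines $StatusOutput

    $entraJoined  = $s['AzureAdJoined'] -eq 'YES'
    $domainJoined = $s['DomainJoined']  -eq 'YES'
    $hasPrt       = $s['AzureAdPrt']    -eq 'YES'

    $joinState = if ($entraJoined -and $domainJoined) { 'Hybrid joined' }
                 elseif ($entraJoined)                { 'Entra ID joined' }
                 elseif ($domainJoined)               { 'On-prem AD joined only' }
                 else                                 { 'Not joined' }

    # Mapping used by the post: a PRT gives SSO from anywhere; a domain-joined
    # device without a PRT is limited to Seamless SSO (Kerberos), which needs
    # line of sight to a domain controller (corporate network or VPN).
    $ssoMethod = if ($hasPrt)            { 'SSO via PRT' }
                 elseif ($domainJoined)  { 'Seamless SSO (Kerberos) only - requires corporate network/VPN' }
                 else                    { 'No SSO available' }

    [pscustomobject]@{
        JoinState     = $joinState
        AzureAdPrt    = $hasPrt
        SsoMethod     = $ssoMethod
        PrtUpdateTime = $s['AzureAdPrtUpdateTime']
        PrtExpiryTime = $s['AzureAdPrtExpiryTime']
    }
}

# Constructed sample (trimmed) resembling a hybrid-joined Windows 11 device, for an offline run.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-01-01 08:00:00.000 UTC
      AzureAdPrtExpiryTime : 2024-01-15 08:00:00.000 UTC
'@ -split "`r?`n"

Get-SsoPosture -StatusOutput $sample
# Expected: JoinState = Hybrid joined, AzureAdPrt = True, SsoMethod = SSO via PRT

# Live check on the current machine (omit the parameter):
# Get-SsoPosture
```

Run the live check in the context of the user you are investigating: the SSO State section of `dsregcmd /status` reflects the signed-in user's PRT, so an elevated prompt opened as a different administrator account reports that account's state, not the end user's. A result of `On-prem AD joined only` with `AzureAdPrt = False` is the classic Seamless SSO-only device from the tables above; `Hybrid joined` with `AzureAdPrt = True` can use either path.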
Final Thoughts – Choosing the Right SSO Method
Choosing the right Single Sign-On (SSO) method depends on multiple factors, including Windows OS version, device state (hybrid-joined, cloud-only, domain-joined), authentication protocol support, and security requirements. Let’s summarize the best SSO method for different scenarios.
Scenario | Recommended SSO |
---|---|
Users accessing the apps from a corporate network/VPN using AD-joined devices (Windows 7, 8.1, 10, and 11) | Seamless SSO (Kerberos) |
Remote users accessing cloud apps using Entra ID-joined or Hybrid-joined devices (Windows 10/11) | SSO via PRT |
Key Takeaways
- Windows 8 lacks Seamless SSO support due to authentication model changes.
- Windows 7 can still work with Seamless SSO if domain-joined but lacks PRT-based authentication.
- Windows 10/11 are best suited for modern authentication with PRT-based SSO.
- Hybrid organizations can use Seamless SSO with Pass-through Authentication (PTA) or Password Hash Sync (PHS) for a smooth experience.
- For a cloud-first approach, PRT-based SSO is the best option.
Final Recommendation: If your organization still has Windows 7 or 8 devices, you should plan for an upgrade to Windows 10/11 for full SSO compatibility with modern authentication solutions like SSO via PRT.