Reputation: 11
I have a small application which was performing single sign on for logged in Windows Users by implementing my own Credential Provider and intercepting the Logon process and grabbing hold of the credentials. However it appears that with Azure AD login in a non-Hybrid case, grabbing credentials alone may not be the right thing.
Going by the blogs, here and here on this subject, it appears to be the case that in the case of Azure Login, the WinLogon process follows an OAuth workflow talking to Azure AD, using the PRT obtained during AAD Join and obtains an Access Token.
Currently the only way that I could find to get hold of this token is to use WebAuthenticationCoreManager. However, I am a background process, and my way of getting notified during the Logon process was using the Credential Provider. To use the WebAuthenticationCoreManager API I need to be a Universal Windows App.
How can I implement single sign-on for my application, upon Windows login by an Azure user on a Win10 AAD-joined device, using the access token issued for the logged-in Azure user?
Upvotes: 0
Views: 643
Reputation: 5167
• The Winlogon process cannot be intercepted on a Windows 10 AAD-joined device, because when a user signs in to a device joined with or registered with AAD, a PRT (Primary Refresh Token) is generated. This is an opaque blob sent from Azure AD whose contents are not known to any client components. You cannot see what's inside a PRT.
• Also, a PRT contains the claims generally contained in any Azure AD refresh token, along with the device ID and a session key. The device ID is used to determine authorization for Conditional Access based on device state or compliance, and the session key acts as the proof of possession when a PRT is used to obtain tokens for other applications.
• Please find the below token issuance flow during the sign-in process, which clearly shows that the token issued by Azure AD is verified by the CloudAP or local security authority based on the device certificate or trusted authentication protocols, where it is saved in the cache.
• However, you can add your app as a generic app in Azure AD for the SSO to be configured and used with it.
Please find the below link for more information:
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token
Upvotes: 0
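The answer above hinges on the device state: a PRT is only issued once the device is AAD-joined (or registered), and the question specifically concerns the non-hybrid case. The following PowerShell is an added example, not code from either post, that checks those preconditions by parsing `dsregcmd /status`. It assumes `dsregcmd.exe` is on PATH and that its output uses the `Name : Value` rows with the field names `AzureAdJoined`, `DomainJoined`, `AzureAdPrt`, `AzureAdPrtUpdateTime`, `DeviceId` and `TenantId`; the sample output embedded below is constructed and its GUIDs are placeholders.

```powershell
# Added example (not from the original question or answer): summarise the Azure AD
# join and PRT state that the answer describes, by parsing `dsregcmd /status`.
# Assumptions: dsregcmd.exe is on PATH, and its output uses "Field : Value" rows with
# the field names AzureAdJoined, DomainJoined, AzureAdPrt, AzureAdPrtUpdateTime,
# DeviceId and TenantId.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints boxed section headers and "   Field : Value" rows; keep only
        # the rows. The lazy (.*?) keeps values that themselves contain colons intact.
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-AadSsoState {
    # By default run the live tool; pass -StatusOutput to parse captured text instead.
    param([string[]]$StatusOutput = (& dsregcmd.exe /status))
    $s = ConvertFrom-DsregStatus -Lines $StatusOutput
    [pscustomobject]@{
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($s['DomainJoined']  -eq 'YES')   # both YES => hybrid join
        HasPrt        = ($s['AzureAdPrt']    -eq 'YES')   # PRT present for this user
        PrtUpdated    = $s['AzureAdPrtUpdateTime']
        DeviceId      = $s['DeviceId']
        TenantId      = $s['TenantId']
    }
}

# Constructed sample output so the parser can be exercised offline; GUIDs are placeholders.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 00000000-0000-0000-0000-000000000001
                  TenantId : 00000000-0000-0000-0000-000000000002
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-01-01 10:00:00.000 UTC
'@ -split "`r?`n"

$state = Get-AadSsoState -StatusOutput $sample
$state | Format-List

if ($state.AzureAdJoined -and -not $state.DomainJoined -and $state.HasPrt) {
    Write-Host 'Non-hybrid AAD-joined device with a PRT: the token flow in the answer applies.'
}

# Against the live machine (run as the signed-in user, since the PRT is per user):
#   Get-AadSsoState | Format-List
```

Run it in the interactive user's session rather than as SYSTEM: `dsregcmd /status` reports the PRT state of the calling user, so a service or Credential Provider running in a different context will not see the same `AzureAdPrt` value.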