Citrix FAS – Azure AD CBA with Primary Refresh Token (PRT)

Reading Time: 3 minutes


There are several discussions about the missing Primary Refresh Token (PRT) in the User’s Citrix Session when using SAML / oAuth with Azure AD and Citrix FAS – as using Smartcard to authenticate is missing the User’s credentials, so there’s no way to issue a PRT.

What is a Primary Refresh Token?

A Primary Refresh Token (PRT) is a key artifact of Azure AD authentication on Windows 10 or newer, Windows Server 2016 and later versions, iOS, and Android devices. It is a JSON Web Token (JWT) specially issued to Microsoft first party token brokers to enable single sign-on (SSO) across the applications used on those devices.

Microsoft recommends using the latest versions of Windows 10, Windows 11 and Windows Server 2019+ to get the best SSO experience.

So, missing SSO to Microsoft / 365 / Enterprise Applications is the consequence when using Azure AD as IdP with Citrix FAS.

So what’s new here with this post? There’s one important note in Azure AD’s certificate-based authentication documentation “Users will get a primary refresh token (PRT) from Azure Active Directory after the successful login and depending on the Certificate-based authentication configuration, the PRT will contain the multifactor claim.” Also, it eliminates the need for federated ADFS and reduces the cost and on-premises footprint. It’s a free feature, and you don’t need any paid editions of Azure AD to use it.

And that’s what I’m talking about in this post. Gain SSO into all further Applications with a PRT, which is created from the certificate-based login from Azure AD.

CTA Marco Klose recently tested and confirmed the successful PRT creation:

Configuration Azure AD

The configuration isn’t that complicated and there are step-by-step guides on MS Docs.

  • You have to make sure to upload your at least one certification authority (CA) and any intermediate certification authorities in Azure Active Directory.
  • The user must have access to a user certificate (issued from a trusted Public Key Infrastructure configured on the tenant) intended for client authentication to authenticate against Azure AD.
  • Each CA should have a certificate revocation list (CRL) that can be referenced from internet-facing URLs, so Azure AD is able to perform CRL checking, otherwise the revocation of user certificates will not work and authentication will not be blocked.
  • Configure the Certificate-based authentication Authentication method in your Azure Active Directory Security menu.
  • Join your clients and your Citrix VDA’s into Azure AD or a hybrid environment (hybrid join).

After enabling certificate-based authentication, the new sign-in method appears and is selectable by users.

CBA auth sign-in method

Configuration Citrix FAS

Long term short, there is no special configuration on Citrix FAS needed. Just configure your FAS servers as default, connect to your PKI and publish certificates for User logon.


At the moment, there are some limitations which you have to remember of. This post gets updated, as soon as there are new enhancements.

  • Azure AD CBA is still in public preview.
  • It only works with Windows 11 22H2 build as VDI.
  • Microsoft is working to backport the functionality to Windows 10 and Windows Server OS – there is no ETA yet.
  • Currently, password can’t be disabled when CBA is enabled and the option to sign in using a password is displayed.
  • There is a double prompt for iOS because iOS only supports pushing certificates to a device storage. When an organization pushes user certificates to an iOS device through Mobile Device Management (MDM) or when a user accesses first-party or native apps, there is no access to device storage. Only Safari can access device storage.

Leave a Reply

Your email address will not be published.