Windows has some clever ways to handle SSO in combination with Azure AD. One of them is the so-called Primary Refresh Token (PRT). The highly sensitive key material behind it is usually stored in the system's TPM (Trusted Platform Module), a hardware device designed to protect keys, and is "unlocked" when the user logs in. A post by Lee Christensen, together with the accompanying RequestAADRefreshToken source, inspired me to check out what he had found.