Summary of the kinds of tokens
| Product family | Microsoft Entra |
|---|---|
| Document source | Entra Identity Devices |
| Guide type | Reference Guide |
| Skill level | Intermediate to advanced |
| Time | 15 - 60 minutes depending on environment |
This page documents Summary of the kinds of tokens for engineers working with Microsoft Entra. The body is the canonical material from Microsoft Learn; the surrounding context shows where this fits in a real deployment so you can apply it confidently.
What this actually means in practice
I have spent more late nights than I care to admit working through entra identity devices summary of the kinds of tokens on real customer tenants, and the honest take is this. The Microsoft Learn page is correct. It is also written like a reference manual, not like a runbook. Short version. This is about Summary of token types in Microsoft Entra (access, ID, refresh, PRT), and the underlying plumbing is OAuth 2.0 plus OpenID Connect token model in Microsoft Entra. The first real engagement I had on this exact topic was for a Bengaluru customer who was three days away from a sign-in incident and could not explain why their users were getting prompted twice. The lessons from that week still shape how I read every token kinds summary page Microsoft ships.
I will walk through this the way I would on a 1:1 with a junior identity engineer or an EUC admin who has been told to take the lead. First the why. Then the exact commands I keep in my notes. Then the gotchas that have cost me sleep. By the end you should be able to walk into your own tenant, run the same checks, and not be guessing.
Why I keep coming back to this topic
Honestly, the first few times I touched token kinds summary I underestimated this exact layer. I thought it was a setup-once-walk-away kind of feature. It is not. It is where most of the silent failures live. For a mid-sized team paying around Rs 19,400 per month (roughly US$234) on the Entra ID P1 (about Rs 540 per user per month) or P2 (about Rs 810 per user per month) licensing that backs this, a quiet break here can cascade into a Conditional Access lockout, a helpdesk surge, and a long Sunday for the on-call engineer.
Here is what I have seen go wrong when teams skim the Microsoft Learn page. A Bengaluru-based team I worked with last quarter set up token kinds summary once, never re-ran the verification commands, and woke up six months later to a sign-in regression that took 38 hours of cross-team work to unpick. The fix itself was 12 minutes. The diagnosis was the long pole. They burned roughly Rs 14,800 in extra support and shifted three engineers off their sprint for a week. None of it had to happen.
My step-by-step walkthrough
I work the Microsoft Entra admin centre and the command line side by side. Portal first, when I am orienting in a tenant I am new to. CLI when I am scripting the same check across 200 devices because my fingers stop trusting GUIs after the third repetition. Here is the order I actually run.
- I confirm I am pointing at the correct tenant. Sounds basic. I have pulled evidence from the wrong tenant exactly once and never want to do it again.
az account showfirst, every single time. - I run the baseline inventory so I know the starting state.
az account get-access-token --resource https://graph.microsoft.comgives me a clean JSON or table I can paste into my notes. - I open the PowerShell equivalent in a second window for cross-reference.
Get-MgContext | Format-List Account, Scopes, TokenCredentialTypeis the snippet I keep pinned because it surfaces the identity-side picture the portal sometimes hides. - I read the relevant Microsoft Learn section end to end. Yes, the whole thing. Yes, including the small print near the bottom that nobody reads.
- I capture the matching evidence from a decoded JWT from jwt.ms plus the matching app registration permission grants. Save it with the date in the filename. Future-me thanks present-me for that habit.
- I write a one-paragraph note in the team wiki - date, tenant ID, exact command, and the user-facing outcome it supports. This is the muscle memory that pays off the next time a similar ticket lands.
- I schedule a 90-day review on my calendar. Token kinds summary is not a set-and-forget feature. Microsoft updates its position on these surfaces frequently.
The exact commands and queries I use
These live in a private Gist I keep updated. Copy them. Read them first - some of these flags will rewrite live state, so do not run them blind.
# Sanity check the active subscription / tenant context
az account show --query "{name:name, id:id, tenantId:tenantId}" -o table
# Baseline inventory for the in-scope surface
az account get-access-token --resource https://graph.microsoft.com
# PowerShell variant - identity-side view
Get-MgContext | Format-List Account, Scopes, TokenCredentialType
# Confirm Microsoft Graph context
Get-MgContext
# Pull recent sign-in activity for the impacted user
Get-MgAuditLogSignIn -Top 25 | Format-Table CreatedDateTime, UserPrincipalName, AppDisplayName, @{Name='Code';Expression={$_.Status.ErrorCode}}
# A small smoke test before declaring the change complete
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|DeviceId|TenantName'
The dsregcmd line at the bottom is the one I keep forgetting. Every time I forget it, I pay for it the following week when a Conditional Access ticket lands and I have no baseline to compare against. Run the smoke test. Always.
A war story from Bengaluru
Here is the real one. A bengaluru backend developer kept treating id tokens like access tokens - it worked in dev and broke catastrophically in prod when graph rejected them, and the clock was ticking. They had configured this part eight months earlier, never re-verified the alignment with Microsoft identity platform plus OpenID Connect, and now had to produce a working sign-in story in less than two weeks. The fix itself was 90 minutes inside the Microsoft Entra admin centre. The diagnostic lead time was 6 hours of cross-team scheduling. The total impact - three engineers off their normal sprint for the better part of a working week, plus a Rs 11,200 emergency support engagement they had not budgeted for. All of it was avoidable. The platform was healthy. The documentation was stale.
That is the recurring pattern with Microsoft Entra device documentation. The answer is almost always there. The issue is that the answer is buried on page 9 of a 14-page concept doc, and your incident is happening on a Friday. That is exactly why I keep these condensed walkthroughs. When the deadline pressure lands, you do not have to scroll through marketing copy to find the operational truth.
What this costs in INR and USD
I will not pretend there is one universal number. There is not. But for a reasonably-sized tenant I help maintain, the monthly cost of token kinds summary plus the licensing that backs it lands at around Rs 19,400 (roughly US$234) at current exchange rates. Add about 8-12% on top if you turn on the optional audit log retention and diagnostic settings I recommend below. For a startup in Bengaluru that is roughly the cost of a mid-tier developer laptop spread across the year. For an enterprise it is a rounding error. Either way, do not skip this to save Rs 1,800 per month. The next sign-in incident will cost forty times that, easy.
Gotchas I have collected the hard way
- Region drift. Microsoft sometimes lights up new identity features in one region weeks before another. I have been caught twice. Check region availability against your Microsoft identity platform plus OpenID Connect scope before you commit.
- Stale evidence. A decoded jwt from jwt.ms plus the matching app registration permission grants can lag the live state by 5 to 30 minutes during high-change periods. Always re-pull right before you ship a change report or close an incident.
- Scope creep. Token kinds summary is often described alongside adjacent features. Read the scope statement carefully and underline every product name. Anything not on that list is out of scope.
- Soft-delete windows. Microsoft Entra and many cloud resources have 7 to 90 day retention defaults. Plan for it. If you delete and recreate inside that window you will see strange artefacts and ghost objects.
- Clock skew. Kerberos cares deeply about time. More than 5 minutes of skew breaks PRT issuance, hybrid join, and AADDS LDAPS in different but equally annoying ways. Run
w32tm /query /statuswhen in doubt. - Clause cherry-picking. Engineers sometimes quote a single sentence from OAuth 2.0 plus OpenID Connect token model in Microsoft Entra without context. Keep the surrounding paragraph in your evidence pack so you can defend the meaning a week later.
How I verify the change actually worked
Verification is where most teams cut corners. I do not. Here is my checklist.
- Re-run the same query from a different machine and a different identity. If the result differs, the local config or session is in the way, not the cloud state.
- Open the Microsoft Entra admin centre in a private browser window, sign in as a least-privilege test account, and confirm the view matches.
- Check the Microsoft Entra audit log for the last 15 minutes. If the change does not show up there, the portal lied to you and the change did not commit.
- Run a small end-to-end exercise that actually exercises token kinds summary. For PRT changes that means a fresh sign-in. For hybrid join that means a
dsregcmd /statusafter a logoff/logon. For AADDS DNS that means anslookupfrom a peered VM. - Wait 5 minutes and re-check. Some Microsoft Entra changes take that long to propagate end-to-end.
If it goes wrong, here is how I roll back
Always have a rollback plan. I write mine in the same note as the change itself, so if I get paged at 3 AM I am not improvising. For most token kinds summary changes the rollback is one of three patterns. Either I re-apply the previous configuration from saved JSON. Or I disable the affected Conditional Access policy temporarily with Disable-MgIdentityConditionalAccessPolicy. Or, if it is a device-side change, I run dsregcmd /leave followed by a re-join. None of these are dramatic. All of them need to be rehearsed before the incident, not during it.
How to apply this in your environment
- Treat this as a starting point. Your tenant is not my tenant. SKU, region, licence mix, and Conditional Access posture in your subscription will change what is sensible.
- Test in a non-production tenant first. Yes, even if you are confident. I have been surprised enough times to keep doing this.
- Pin your evidence. Capture the token kinds summary version, the Microsoft cloud region, the date, and the ticket or change number it supports.
- Cross-check Microsoft Learn one more time on the day you respond. Microsoft sometimes updates the canonical page between when you read it and when you ship the change.
- Schedule a 90-day review. Put it in your team calendar. Token kinds summary changes. Your evidence should too.
Caveats and what to double-check
- Microsoft renames features. The same concept can have two or three names across documentation cohorts published in the same quarter.
- Some capabilities described in the docs may still be in preview. Confirm general availability before you rely on the contractual SLA.
- Regional availability varies. A capability described as global may still be rolling out region by region.
- Pricing for the workloads that anchor token kinds summary changes regularly. This page does not track pricing. Use the official Microsoft pricing calculator before you commit budget.
Related work in your environment
- Document this reference in your team wiki. Note which workloads depend on it today and which are planned.
- Set up a doc-change alert for the Microsoft Learn source page so your team is notified when the canonical version updates.
- Add a quarterly review to your governance cadence. Token kinds summary is not a set-and-forget topic.
FAQ
References
- Microsoft Learn - official documentation for Summary of token types in Microsoft Entra (access, ID, refresh, PRT)
- Microsoft Entra admin centre - tenant-side configuration
- Microsoft Intune admin centre - device configuration profiles
- Microsoft Tech Community - peer discussion and field notes
Related fixes
Related guides worth a look while you sort this one out:
- Understanding tokens in Microsoft Entra ID
- Policy behavior with filter for devices
- Require approved client apps or app protection policy with mobile devices
- Sign in to Windows devices
- Configure role assignments for the VM
- Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources in Platform SSO