The following is the workflow of SSO to Azure applications from an Azure AD joined device:
1. The device sends a Kerberos token to Access Manager through the WS-Trust protocol.
2. The device generates a certificate signing request (CSR) and sends it to Azure DRS, which returns a signed certificate for that device.
3. The device uses the user's credentials to generate a second certificate for use with the Primary Refresh Token (PRT).
4. The PRT is used for SSO when users access Azure AD applications.
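As an added example (not part of the original page), the following script checks whether a device has actually completed the steps above, by parsing the text that the Windows `dsregcmd /status` tool prints: the join state and device certificate validity reflect the DRS registration step, and the `AzureAdPrt` field reflects whether a PRT was obtained. The sample output, the evaluation time and the 14-day staleness threshold are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `dsregcmd /status` output, trimmed to the fields used here.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 11111111-2222-3333-4444-555555555555
 DeviceCertificateValidity : [ 2023-01-10 08:15:22.000 UTC -- 2033-01-10 08:45:22.000 UTC ]

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2024-05-01 09:12:44.000 UTC
"""
# Constructed "current time" so the check is reproducible.
NOW_SAMPLE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

def parse_status(text):
    """Collect the 'Key : Value' lines into a dict; box-drawing and blank lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_sso_state(text, now):
    """Map the status fields onto the join/PRT workflow; return a list of problems (empty = healthy)."""
    f = parse_status(text)
    problems = []
    if f.get("AzureAdJoined") != "YES":
        problems.append("device is not Azure AD joined")
    m = re.match(r"\[\s*(.+?) UTC\s+--\s+(.+?) UTC\s*\]", f.get("DeviceCertificateValidity", ""))
    if not m:
        problems.append("no device certificate: the DRS registration step did not complete")
    elif now >= datetime.strptime(m.group(2), TS_FORMAT).replace(tzinfo=timezone.utc):
        problems.append("device certificate has expired")
    if f.get("AzureAdPrt") != "YES":
        problems.append("no PRT: SSO to Azure AD applications will not work")
    elif "AzureAdPrtUpdateTime" in f:
        updated = datetime.strptime(f["AzureAdPrtUpdateTime"][:-4], TS_FORMAT).replace(tzinfo=timezone.utc)
        if now - updated > timedelta(days=14):  # assumed threshold for "PRT not renewed recently"
            problems.append("PRT has not been renewed in over 14 days")
    return problems

print(check_sso_state(SAMPLE_STATUS, NOW_SAMPLE) or ["all SSO prerequisites present"])
```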