ADFS 4 – Enable device authentication method

With ADFS 4, you can easily enable device authentication as authentication method.

This authentication method was already available in ADFS 3 but only as additional authentication method; with ADFS 4 this becomes also available as primary authentication method.


Upgrade Active Directory Federation schema

This step is required if already have deployed a previous version of ADFS within your Active Directory and/or if your are not yet running Active Directory 2016 domain controllers (ie if your AD schema has not been upgraded to 2016)

  • Using a Windows Server 2016 installation media, run the following commands – adprep is available within the support\adprep directory in the installation media

adprep /forestprep




Raise ADFS functional level

This step is required if your ADFS 4 is deployed within an existing ADFS 3 farm; you can do it ONLY if no more ADFS 3 servers are running within the farm

See for ADFS upgrade procedure

Enable device authentication method

To continue with this step, you need to have Azure Active Directory PowerShell modules installed.

Using a PowerShell prompt, run the following commands

Initialize-ADDeviceRegistration and when prompted enter the ADFS service account


Then confirm the AD preparation


Once successfully completed, complete the configuration by running



Import the Azure AD module for device authentication and connect to you Azure tenant to create a connection point

Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1”

$aadAdminCred = Get-Credential

Initialize-ADSyncDomainJoinedComputerSync –AdConnectorAccount <account used when connecting to your AD when configuration Azure AD Connect> -AzureADCredentials $aadAdminCred


NOTE you can find back the account you used by opening the Azure AD Connect synchronization console ("C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe") and accessing the “Connect to Active Directory Forest” section in the AD connector properties

Finally enable the device write back in your Azure AD and Azure AD Connect

Once completed, you can confirm the setup by opening ADSIEdit and connect to the Configuration\Services node; you should see

  • CN=Device Registration Configuration
  • CN=Device Registration Services under CN=Device Registration Configuration
  • CN=Device Registration Service DKM under CN=Device Registration Configuration
  • CN=<GUID> under CN=Device Registration Configuration – where the GUID is your Azure AD Connect connection point


Within the ADFS console, Enable device authentication at the Device Registration section and then enable the device authentication method


NOTE there is no more a Device Registration service in the Services console

Once Device Registration is enabled, you can also define the number of day before an inactive device is being removed from the ADFS console (Device Registration section)


Leave a Comment

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.