With ADFS 4, you can easily enable device authentication as an authentication method.
This authentication method was already available in ADFS 3, but only as an additional authentication method; with ADFS 4 it also becomes available as a primary authentication method.
Upgrade Active Directory Federation schema
This step is required if you have already deployed a previous version of ADFS within your Active Directory and/or if you are not yet running Active Directory 2016 domain controllers (i.e. if your AD schema has not been upgraded to 2016).
- Using a Windows Server 2016 installation media, run the following commands (adprep is available in the support\adprep directory of the installation media)
adprep /forestprep
adprep /domainprep
Raise ADFS functional level
This step is required if your ADFS 4 is deployed within an existing ADFS 3 farm; you can do it ONLY once no ADFS 3 servers are still running within the farm.
See the ADFS upgrade procedure at https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016
Enable device authentication method
To continue with this step, you need to have Azure Active Directory PowerShell modules installed.
Using a PowerShell prompt, run the following command
Initialize-ADDeviceRegistration and, when prompted, enter the ADFS service account
Then confirm the AD preparation
Once successfully completed, complete the configuration by running
Enable-AdfsDeviceRegistration
Import the Azure AD module for device authentication and connect to your Azure tenant to create a connection point
Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
$aadAdminCred = Get-Credential
Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount <account used to connect to your AD when configuring Azure AD Connect> -AzureADCredentials $aadAdminCred
NOTE you can find the account you used by opening the Azure AD Connect synchronization console ("C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe") and accessing the "Connect to Active Directory Forest" section in the AD connector properties
Finally, enable device writeback in your Azure AD and Azure AD Connect
Once completed, you can confirm the setup by opening ADSIEdit and connecting to the Configuration\Services node; you should see
- CN=Device Registration Configuration
- CN=Device Registration Services under CN=Device Registration Configuration
- CN=Device Registration Service DKM under CN=Device Registration Configuration
- CN=<GUID> under CN=Device Registration Configuration – where the GUID is your Azure AD Connect connection point
Within the ADFS console, enable device authentication in the Device Registration section and then enable the device authentication method
NOTE there is no longer a Device Registration service in the Services console
Once Device Registration is enabled, you can also define, in the Device Registration section of the ADFS console, the number of days after which an inactive device is removed
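As an added example (not part of the original post), the PowerShell below performs the same ADSIEdit check described above from a script: it looks for the Device Registration Configuration containers and the GUID-named Azure AD Connect connection point, then shows the current ADFS device registration settings and sets the inactive-device cleanup window. It assumes the ActiveDirectory and ADFS modules are available on an ADFS 4 server, and the $InactiveDays value is a constructed sample, not a recommendation from the post.

```powershell
# Added verification script; not from the original post. Assumes the
# ActiveDirectory and ADFS PowerShell modules are installed and that it runs
# on an ADFS 4 server as a user who can read the Configuration partition.
# $InactiveDays is a constructed sample value (hypothetical), not a recommendation.
param(
    [int]$InactiveDays = 90
)

Import-Module ActiveDirectory
Import-Module ADFS

# Locate the Device Registration Configuration container under CN=Services
$configNC = (Get-ADRootDSE).configurationNamingContext
$drcDN    = "CN=Device Registration Configuration,CN=Services,$configNC"

# Child containers the post says should exist after a successful setup
$expected = @(
    'Device Registration Services',
    'Device Registration Service DKM'
)

try {
    $children = Get-ADObject -SearchBase $drcDN -SearchScope OneLevel -Filter * -ErrorAction Stop |
                Select-Object -ExpandProperty Name
} catch {
    Write-Warning "Container not found: $drcDN (device registration not initialised?)"
    return
}

foreach ($name in $expected) {
    if ($children -contains $name) {
        Write-Output "OK      CN=$name"
    } else {
        Write-Warning "MISSING CN=$name"
    }
}

# The Azure AD Connect connection point is a child container named by a GUID
$guidPattern = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
$connectionPoints = $children | Where-Object { $_ -match $guidPattern }
if ($connectionPoints) {
    $connectionPoints | ForEach-Object { Write-Output "OK      connection point CN=$_" }
} else {
    Write-Warning "No Azure AD Connect connection point (CN=<GUID>) found"
}

# Show the current ADFS device registration settings, then set the number of
# days after which an inactive device is removed (the console setting above)
Get-AdfsDeviceRegistration
Set-AdfsDeviceRegistration -MaximumInactiveDays $InactiveDays
```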