You can add the Device Registration Service (DRS) to your Active Directory Federation Service (AD FS) configuration. DRS provides seamless second factor authentication, persistent single sign on, and conditional access to devices attempting to access your corporate resources.
Prepare your Forest
To implement DRS correctly, you first prepare your forest. Before doing so, confirm that the following requirements are met:
- You must be an Enterprise Admin
- The forest must be at the Windows Server 2012 R2 schema or higher
- There must be at least one Global Catalog Server in the forest root domain
Step 1 – On the federation server, run the PowerShell command that prepares the forest for device registration (this must be done once per forest, by an Enterprise Admin):
Step 2 – When prompted for the ServiceAccountName, enter the service account that the AD FS service runs as
Enable DRS on a Federation Server Farm Node
On each node in the farm, run the PowerShell command that enables device registration on that node:
Enable Seamless Second Factor Authentication
Use the AD FS Management Console and navigate to Authentication Policies. Select Edit Global Primary Authentication, check Enable Device Authentication, and click OK. Until this is done, devices can register but their device credential is not evaluated during sign-in.
Update the Web Application Proxy Configuration
On the WAP server, run the PowerShell command that updates the proxy's device registration configuration (this is needed so the proxy publishes the DRS endpoints and forwards device authentication to the farm):
When prompted, enter the credentials of an account with administrative rights on the federation server.
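The steps above are spread across three kinds of host (a federation server, every farm node, and the WAP), and the page leaves the actual cmdlets unnamed. The script below is an added example, not taken from this page or from Microsoft's documentation, that runs the whole procedure from PowerShell with a prerequisite check for the three forest requirements listed earlier. It assumes the AD FS, Web Application Proxy and ActiveDirectory modules are installed on the respective hosts; the cmdlet names (Initialize-ADDeviceRegistration, Enable-AdfsDeviceRegistration, Set-AdfsGlobalAuthenticationPolicy, Update-WebApplicationProxyDeviceRegistration, Get-AdfsDeviceRegistration) come from those modules rather than from this page, so confirm each with Get-Command on your build before relying on it. The service account name CONTOSO\svc_adfs and the schema version number are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
<#
  Added example: enable the Device Registration Service (DRS) for an AD FS farm.
  Run once per host role, in this order:
    PrepareForest        on one federation server, as an Enterprise Admin
    FarmNode             on every federation server in the farm
    EnableDeviceAuth     once, against the farm (same effect as the console checkbox)
    WebApplicationProxy  on each WAP server
  Cmdlet names are assumed from the AdfsModule / WebApplicationProxy /
  ActiveDirectory modules and are not quoted on the page; verify with Get-Command.
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('PrepareForest', 'FarmNode', 'EnableDeviceAuth', 'WebApplicationProxy')]
    [string]$Role,

    # Assumed name: replace with the account the AD FS service actually runs as.
    # For a gMSA the name normally ends in '$' (assumption, not stated on the page).
    [string]$ServiceAccountName = 'CONTOSO\svc_adfs'
)

$ErrorActionPreference = 'Stop'

function Test-DrsForestPrerequisites {
    # Checks the three requirements the page lists and throws on the first failure.
    Import-Module ActiveDirectory

    # 1. Caller must be an Enterprise Admin (well-known RID 519 in the forest root).
    $groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups
    if (-not ($groups | Where-Object { $_.Value -like '*-519' })) {
        throw 'Current user is not a member of Enterprise Admins.'
    }

    # 2. Schema must be Windows Server 2012 R2 (objectVersion 69) or later.
    #    69 is the assumed value for the 2012 R2 schema; adjust if your reference differs.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $schemaVersion = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
    if ($schemaVersion -lt 69) {
        throw "Schema objectVersion is $schemaVersion; 69 (Windows Server 2012 R2) or higher is required."
    }

    # 3. At least one Global Catalog in the forest root domain.
    $rootDomain = (Get-ADForest).RootDomain
    $gc = Get-ADDomainController -Discover -DomainName $rootDomain -Service GlobalCatalog
    if (-not $gc) {
        throw "No Global Catalog server found in forest root domain $rootDomain."
    }
    Write-Verbose "Prerequisites OK: schema $schemaVersion, GC $($gc.HostName) in $rootDomain"
}

switch ($Role) {
    'PrepareForest' {
        # Step 1 and 2: prepare the forest. Passing -ServiceAccountName avoids the
        # interactive prompt the page describes; omit it to be prompted instead.
        Test-DrsForestPrerequisites
        Initialize-ADDeviceRegistration -ServiceAccountName $ServiceAccountName
    }
    'FarmNode' {
        # Enable DRS on this farm node. Repeat on every node; the farm is not
        # consistent until all nodes have been enabled.
        Enable-AdfsDeviceRegistration
        # Show the resulting DRS configuration so the operator can confirm it took effect.
        Get-AdfsDeviceRegistration
    }
    'EnableDeviceAuth' {
        # Equivalent of "Enable Device Authentication" in Edit Global Primary Authentication.
        Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
        $policy = Get-AdfsGlobalAuthenticationPolicy
        if (-not $policy.DeviceAuthenticationEnabled) {
            throw 'Device authentication is still disabled in the global authentication policy.'
        }
    }
    'WebApplicationProxy' {
        # Refresh the WAP's DRS configuration. The cmdlet prompts for an account
        # with administrative rights on the federation server, as the page describes.
        Update-WebApplicationProxyDeviceRegistration
    }
}
```

Run it with -Verbose on the forest-preparation host to see which schema version and Global Catalog the check found; the Enterprise Admin test is deliberately done by SID rather than group name so it is not fooled by renamed groups.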