The automatic registration process with Azure AD is performed in two stages.

Stage 1: Device registration

Processing Steps

  1. Using PingFederate and the Kerberos Token Processor, the device authenticates to Azure Device Registration Service (DRS).
  2. PingFederate issues a token to Azure AD.
  3. Azure AD issues a final token for Azure DRS.
  4. A set of attributes is passed to Azure AD in the response token and written to the newly created Azure AD device object.
  5. Device generates a private/public key pair to use in a certificate signing request (CSR).
  6. Azure DRS obtains a certificate that authenticates the device to Azure AD.
  7. Device generates another private/public key pair.
  8. The newly created key pair binds the PRT to the physical device.

Stage 2: User registration

The main goal of this stage is to obtain a PRT which will be used in the authentication workflows. Depending on the credentials in use, a special plug-in obtains the PRT via separate calls to Azure AD and PingFederate.

Processing Steps

  1. Plug-in sends credentials to the PingFederate Username Token Processor endpoint.
  2. The PingFederate server authenticates the user and sends back a WS-Trust assertion.
  3. Azure AD verifies the token.
  4. Azure AD builds a PRT with both user and device attributes.
  5. The PRT is returned to the Windows device.
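To confirm on a Windows device that both stages above completed, the following added check (not part of the PingFederate or Azure documentation) parses the output of `dsregcmd /status` and maps its fields to the two stages. The field and section names are the ones dsregcmd prints; the sample output embedded below is constructed and abridged.

```powershell
# Added example: map dsregcmd /status fields to the two registration stages.
# Field names are those printed by dsregcmd; the sample text is constructed.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Field lines look like "    AzureAdJoined : YES"; headers have no colon.
        if ($line -match '^\s*(\S+)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Test-HybridJoinStages {
    param([hashtable]$State)
    # Stage 1: the device is domain joined and has a device object in Azure AD.
    $stage1 = ($State['AzureAdJoined'] -eq 'YES') -and
              ($State['DomainJoined']  -eq 'YES') -and
              (-not [string]::IsNullOrEmpty($State['DeviceId']))
    # Stage 2: a PRT was issued. TpmProtected shows whether the device key that
    # binds the PRT to the hardware lives in the TPM rather than in software.
    $stage2 = ($State['AzureAdPrt'] -eq 'YES')
    [pscustomobject]@{
        DeviceRegistered = $stage1
        PrtPresent       = $stage2
        KeyInTpm         = ($State['TpmProtected'] -eq 'YES')
        PrtExpiry        = $State['AzureAdPrtExpiryTime']
    }
}

# Constructed sample output; on a real device use:  $raw = dsregcmd /status
$raw = @'
| Device State |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
| Device Details |
                  DeviceId : 00000000-0000-0000-0000-000000000000
              TpmProtected : YES
| SSO State |
                AzureAdPrt : YES
      AzureAdPrtExpiryTime : 2000-01-01 00:00:00.000 UTC
'@ -split "`r?`n"

Test-HybridJoinStages -State (ConvertFrom-DsregStatus -Lines $raw)
```

If DeviceRegistered is true but PrtPresent is false, Stage 1 succeeded and the failure lies in the Stage 2 exchange with the PingFederate Username Token Processor endpoint, which narrows where to look in the PingFederate audit log.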