---
title: Registering Azure AD devices automatically through PingFederate for Windows 10 devices
description: Azure AD provides a registered device with an identity and authenticates when the user signs in. Once authenticated, use the device and device attributes to enforce conditional access policies for applications.
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_reg_azure_ad_devices_pf_windows10
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_reg_azure_ad_devices_pf_windows10.html
revdate: July 18, 2022
page_aliases: ["single_sign-on_use_cases:htg_reg_azure_ad_devices_pf_windows10_process.adoc", "single_sign-on_use_cases:htg_reg_azure_ad_devices_pf_windows10_prep_ad.adoc", "single_sign-on_use_cases:config_pf_server_azure.adoc", "single_sign-on_use_cases:htg_reg_azure_ad_devices_pf_windows10_deploy.adoc", "single_sign-on_use_cases:htg_reg_azure_ad_devices_pf_windows10_verify_status.adoc"]
section_ids:
  components: Components
  azure-ad-registration-process: Azure AD registration process
  stage-1-device-registration: "Stage 1: Device registration"
  stage-2-user-registration: "Stage 2: User registration"
  related-links: Related links
  preparing-azure-ad-for-automatic-device-registration: Preparing Azure AD for automatic device registration
  before-you-begin: Before you begin
  steps: Steps
  choose-from: Choose from:
  configuring-pingfederate-server: Configuring PingFederate server
  about-this-task: About this task
  steps-2: Steps
  controlling-deployment-and-rollout: Controlling deployment and rollout
  about-this-task-2: About this task
  steps-3: Steps
  verifying-device-registration-status: Verifying device registration status
  steps-4: Steps
  choose-from-2: Choose from:
---

# Registering Azure AD devices automatically through PingFederate for Windows 10 devices

Azure AD provides a registered device with an identity and authenticates the device when the user signs in. Once authenticated, you can use the device and its attributes to enforce conditional access policies for applications.

The PingFederate server authenticates the user and enrolls the device in Azure AD. Combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device, so you can create conditional access rules that hold devices to your security and compliance standards. This configuration also works for Windows Hello for Business.

If you have an on-premises Active Directory environment, you can bring your domain-joined devices into Azure AD by configuring hybrid Azure AD join, and you can configure Windows devices to register with Azure AD automatically. Windows current devices use the active STS (WS-Trust) flow for Azure AD device registration. The required configuration differs from that for Windows down-level devices, which use the passive (WS-Federation) flow.

## Components

PingFederate 9.3

Windows current devices are:

* Windows 10

* Windows Server 2016

## Azure AD registration process

Azure AD is Microsoft's cloud identity service. Automatic registration creates a device object in Azure AD that corresponds to the computer object in on-premises Active Directory and populates it with attributes carried in the registration token. This section gives an overview of the PingFederate Azure AD registration process.

The automatic registration process with Azure AD is performed in two stages.

### Stage 1: Device registration

**Processing Steps**

1. The device authenticates to PingFederate with Kerberos, handled by the Kerberos Token Processor, to obtain a token for Azure Device Registration Service (DRS).

2. PingFederate issues a token to Azure AD.

3. Azure AD issues a final token for Azure DRS.

4. The attributes carried in the response token are written to the newly created Azure AD device object.

5. The device generates a private/public key pair and uses it in a certificate signing request (CSR).

6. Azure DRS returns a certificate that the device uses to authenticate to Azure AD.

7. The device generates a second private/public key pair.

8. This second key pair binds the Primary Refresh Token (PRT) to the physical device.

### Stage 2: User registration

The main goal of this stage is to obtain a PRT, which is used in subsequent authentication workflows. Depending on the credentials in use, a dedicated plug-in obtains the PRT through separate calls to Azure AD and PingFederate.

**Processing Steps**

1. Plug-in sends credentials to the PingFederate Username Token Processor endpoint.

2. The PingFederate server authenticates the user and sends back a WS-Trust assertion.

3. Azure AD verifies the token.

4. Azure AD builds a PRT with both user and device attributes.

5. The PRT returns to the Windows device.

### Related links

* [Configure Microsoft Entra hybrid join manually](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-join-manual)

## Preparing Azure AD for automatic device registration

Set up a connection to Azure AD, configure the registration CNAME, and enable Azure DRS for automatic device registration.

### Before you begin

* A PingFederate server running version 8.4 or later

* An Office 365 federated domain with the appropriate subscriptions

* A functional WS-Federation/WS-Trust connection to Office 365 configured on the PingFederate server

* Username and Kerberos Token Processors that are functional and in use for authenticating Office 365 users

* Azure AD Connect installed and synchronizing Active Directory with Azure AD

* The latest version of Azure AD Connect. For more information, see [Microsoft Entra Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect)

### Steps

1. Set up a service connection point using one of the following methods:

   #### Choose from:

   * To configure manually, see [Configure Microsoft Entra hybrid join manually](https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-join-manual) in the Microsoft product documentation.

   * To configure using the wizard, see [Configure Microsoft Entra hybrid join](https://learn.microsoft.com/en-us/entra/identity/devices/how-to-hybrid-join) in the Microsoft product documentation.

2. Configure the enterprise registration CNAME record on your DNS server: `enterpriseregistration.<your verified domain>` must point to `enterpriseregistration.windows.net`, which Windows uses to discover the device registration service. For more information, see [Create DNS records for O365 using Windows-based DNS](https://learn.microsoft.com/en-us/microsoft-365/admin/dns/create-dns-records-using-windows-based-dns) in the Microsoft product documentation.

3. Enable Azure Device Registration Service (DRS).

   1. Open the [Microsoft Azure portal](https://portal.azure.com/#home).

   2. Go to **Azure Active Directory → Devices → Device settings**.

   3. In the **Users may join devices to Azure AD** field, click **All**.

   4. In the **Users may register their devices with Azure AD** field, click **All**. Click **Save**.

## Configuring PingFederate server

Configure the PingFederate server to register Windows 10 devices with Azure Active Directory (AD).

### About this task

In the PingFederate cluster, perform the following steps on the admin node:

### Steps

1. Add the required attribute namespaces:

   1. Stop the PingFederate server.

   2. Go to `<pf-install>/pingfederate/server/default/data/config-store`.

   3. In a text editor, open the `custom-name-formats.xml` file.

   4. If they are not already present, add the following lines to the `sts-attribute-namespaces` section:

      ```
      <con:item name="http://schemas.microsoft.com/identity/claims">http://schemas.microsoft.com/identity/claims</con:item>
      <con:item name="http://schemas.microsoft.com/ws/2012/01">http://schemas.microsoft.com/ws/2012/01</con:item>
      <con:item name="http://schemas.microsoft.com/claims">http://schemas.microsoft.com/claims</con:item>
      ```

   5. Save your changes and restart the PingFederate server.

2. In the PingFederate cluster, open the administrative console and go to **Cluster Management → Replicate Cluster Configuration**.

3. Click **Replicate**.

4. Configure PingFederate to omit line breaks in digital signatures.

   For more information, see [Omit line breaks in digital signatures](https://docs.pingidentity.com/integrations/office365/office_365_provisioner/pf_office365_connector_configuring_pf_to_omit_line_breaks_in_digital_signatures.html).

   1. In a text editor, open `<pf-install>/pingfederate/bin/run.properties` and add the following line to the file:

      ```
      org.apache.xml.security.ignoreLineBreaks=true
      ```

   2. Save your changes and restart the PingFederate server.

      **Note:** If you are running a cluster, follow steps 1-4 on all nodes.

5. Extend the list of the LDAP binary attributes:

   1. Open the PingFederate administrative console and go to **Server Configuration → Data Stores**.

   2. Click **LDAP data store**.

   3. On the **LDAP Configuration** page, click **Advanced**.

   4. In the **Binary Attribute Name** field, enter `objectSid` and click **Add**. Click **Save**.

6. Confirm the default token type for the WS-Trust protocol:

   1. Open the existing Office 365 SP connection.

   2. Go to **SP Connection → WS-Trust STS → Protocol Settings**.

   3. In the **Default Token Type** list, select **SAML 1.1 for Office 365**. Click **Save**.

7. Extend the WS-Trust attribute contract:

   1. Go to **SP Connection → WS-Trust STS → Token Creation - Attribute Contract**.

   2. Add the following attributes and corresponding attribute namespaces.

      | Attribute name     | Attribute namespace                                        |
      | ------------------ | ---------------------------------------------------------- |
      | `accounttype`      | `http://schemas.microsoft.com/ws/2012/01`                  |
      | `onpremobjectguid` | `http://schemas.microsoft.com/identity/claims`             |
      | `primarysid`       | `http://schemas.microsoft.com/ws/2008/06/identity/claims`  |
      | `SAML_NAME_FORMAT` | `http://schemas.microsoft.com/claims`                      |

   3. Click **Next** and then click the Kerberos Token Processor instance.

8. Extend the LDAP search for the Kerberos Token Processor:

   1. On the **Attribute Sources & User Lookup** tab, click the LDAP data store instance.

   2. On the **LDAP Directory Search** tab, add the **objectSid** attribute to return from search. Click **Next**.

      **Note:** Make sure that the **Base DN** and **Search Scope** LDAP settings cover both the container holding the Office 365 users and the container holding the AD objects of the devices intended for Azure AD registration.

   3. On the **LDAP Binary Attribute Encoding Types** tab, set the **Attribute Encoding Type** to **SID** for the **objectSid** attribute, then click **Next**.

   4. Confirm that the **LDAP Filter** includes the following:

      ```
      (|(sAMAccountName=${username})(userPrincipalName=${username}))
      ```

9. Map the attribute contract to the values of the Kerberos Token Processor instance:

   1. Click **Done** and **Next** until you reach the **Attribute Contract Fulfillment** section of the Kerberos Token Processor instance.

   2. Populate the missing fields, then click **Done**.

      For more information, see [Configuring a Kerberos Token Processor instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_kerberos_token_process_instance.html).

      | Attribute Contract | Source | Value                                                   |
      | ------------------ | ------ | ------------------------------------------------------- |
      | `Immutable ID`     | LDAP   | objectGUID                                              |
      | `TOKEN_SUBJECT`    | LDAP   | objectGUID                                              |
      | `UPN`              | Token  | principle                                               |
      | `accounttype`      | Text   | DJ                                                      |
      | `onpremobjectguid` | LDAP   | objectGUID                                              |
      | `primarysid`       | LDAP   | objectSid                                               |
      | `SAML_NAME_FORMAT` | Text   | `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` |

10. Map the attribute contract to the values of the Username Token Processor instance:

    1. Click the **Username Token Processor** instance, then click the **Attribute Contract Fulfillment** tab.

    2. Populate the missing fields.

       For more information, refer to [Configuring a Username Token Processor instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_username_token_processor_instance.html).

    3. Click **Save**.

       | Attribute Contract | Source | Value                                                   |
       | ------------------ | ------ | ------------------------------------------------------- |
       | `Immutable ID`     | LDAP   | objectGUID                                              |
       | `TOKEN_SUBJECT`    | LDAP   | objectGUID                                              |
       | `UPN`              | LDAP   | userPrincipalName                                       |
       | `accounttype`      | Text   | N/A                                                     |
       | `onpremobjectguid` | LDAP   | objectGUID                                              |
       | `primarysid`       | Text   | N/A                                                     |
       | `SAML_NAME_FORMAT` | Text   | `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified` |
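As an added example that is not part of this Ping Identity guide, the following PowerShell function checks that a SAML 1.1 assertion carries the claims the attribute contract above is meant to produce, keyed by attribute namespace and name exactly as in the tables. It also checks that `SAML_NAME_FORMAT` came through as the `NameIdentifier` format. The ImmutableID and UPN claim namespaces are assumed to be the standard Office 365 federation ones (they are not listed in the tables), and the sample assertion is constructed here, not captured from a tenant.

```powershell
# Added example (not from the Ping Identity guide). Validates that a SAML 1.1 assertion
# carries the claims the PingFederate attribute contract is meant to emit for Azure DRS.
# Assumptions: ImmutableID and UPN use the standard Office 365 federation namespaces;
# the sample assertion at the bottom is constructed, not captured from a real tenant.

$RequiredClaims = @{
    # key   = "<AttributeNamespace>/<AttributeName>" (how SAML 1.1 names a claim)
    # value = regex the claim value must match; $null = any non-empty value
    'http://schemas.microsoft.com/ws/2012/01/accounttype'                = '^DJ$'
    'http://schemas.microsoft.com/identity/claims/onpremobjectguid'      = '^[A-Za-z0-9+/]{22}==$'  # base64 of the 16-byte objectGUID
    'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid' = '^S-1-5-21(-\d+){4}$'     # SID string form (encoding type SID), not raw bytes
    'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID' = '^[A-Za-z0-9+/]{22}==$'  # assumed O365 namespace
    'http://schemas.xmlsoap.org/claims/UPN'                              = $null                     # assumed O365 namespace
}

function Test-DrsAssertion {
    param([Parameter(Mandatory)][string]$AssertionXml)

    [xml]$doc  = $AssertionXml
    $problems  = [System.Collections.Generic.List[string]]::new()
    $statement = $doc.Assertion.AttributeStatement

    # SAML_NAME_FORMAT in the contract controls this Format attribute; TOKEN_SUBJECT is its value.
    $nameId = $statement.Subject.NameIdentifier
    if ($nameId.Format -ne 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified') {
        $problems.Add("NameIdentifier Format is '$($nameId.Format)', expected nameid-format:unspecified")
    }
    if ([string]::IsNullOrWhiteSpace($nameId.'#text')) {
        $problems.Add('NameIdentifier is empty (TOKEN_SUBJECT should carry the objectGUID)')
    }

    # Index the attributes by namespace and name, the same two columns as the contract tables.
    $claims = @{}
    foreach ($attr in @($statement.Attribute)) {
        $value = $attr.AttributeValue
        if ($value -is [System.Xml.XmlElement]) { $value = $value.InnerText }  # typed values parse as elements
        $claims["$($attr.AttributeNamespace)/$($attr.AttributeName)"] = [string]$value
    }

    foreach ($key in $RequiredClaims.Keys) {
        if (-not $claims.ContainsKey($key) -or [string]::IsNullOrWhiteSpace($claims[$key])) {
            $problems.Add("missing or empty claim: $key")
            continue
        }
        $pattern = $RequiredClaims[$key]
        if ($pattern -and $claims[$key] -notmatch $pattern) {
            $problems.Add("claim $key has value '$($claims[$key])', which does not match $pattern")
        }
    }

    [pscustomobject]@{
        Passed   = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Claims   = $claims
    }
}

# Constructed sample of what the Kerberos (domain-joined device) flow should produce.
# Identifiers, SID and GUID values are made up for illustration.
$SampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    AssertionID="_example" Issuer="https://pf.example.com" IssueInstant="2022-07-18T12:00:00Z">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">q3M6w1eUXkmP1e9kHkU9hQ==</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="accounttype" AttributeNamespace="http://schemas.microsoft.com/ws/2012/01">
      <saml:AttributeValue>DJ</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="onpremobjectguid" AttributeNamespace="http://schemas.microsoft.com/identity/claims">
      <saml:AttributeValue>q3M6w1eUXkmP1e9kHkU9hQ==</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="primarysid" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
      <saml:AttributeValue>S-1-5-21-1004336348-1177238915-682003330-1126</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
      <saml:AttributeValue>q3M6w1eUXkmP1e9kHkU9hQ==</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>WS01$@corp.example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

$result = Test-DrsAssertion -AssertionXml $SampleAssertion
$result | Format-List Passed, Problems
```

To check a real token, paste the `saml:Assertion` element from a WS-Trust `RequestSecurityTokenResponse` returned by the Office 365 SP connection into `-AssertionXml`. The `primarysid` pattern is deliberately strict: if the LDAP binary attribute encoding type from step 8 is not set to SID, the claim arrives as base64 bytes rather than `S-1-5-21-...` and the check reports it.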

## Controlling deployment and rollout

Configure and restart your Windows 10 device to register with Azure AD.

### About this task

Automatic device registration rollout and deployment for Windows current devices is done through Group Policy.

### Steps

1. Complete the configuration steps in the Microsoft article [Microsoft Entra hybrid join targeted deployment](https://learn.microsoft.com/en-us/entra/identity/devices/hybrid-join-control).

2. Restart the device.

   **Note:** All domain-joined devices running Windows 10 Anniversary Update and Windows Server 2016 or later automatically register with Azure AD at device restart or user sign-in.

## Verifying device registration status

Apply the Group Policy and sign in to your Windows 10 device to automatically begin the device registration.

### Steps

1. Check the Windows device status using one of the following methods:

   #### Choose from:

   * From a Windows PowerShell or command prompt, run `dsregcmd.exe /status` and confirm that the following fields have the corresponding values:

     * AzureAdJoined: YES

     * DomainJoined: YES

     * WorkplaceJoined: NO

     * WamDefaultSet: YES

     * AzureAdPrt: YES

     **Note:** If you see different values, the device registration process failed. For more information, see [Troubleshoot Microsoft Entra hybrid joined devices](https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current) in the Microsoft product documentation.

   * In the [Microsoft Azure portal](https://portal.azure.com/#home), go to **Azure Active Directory → Devices** and verify the device registration status.
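As an added example that is not part of this Ping Identity guide, the following PowerShell parses `dsregcmd /status` output into a hashtable, compares the fields listed above with their expected values, and checks the `enterpriseregistration` CNAME record from the preparation section, since a missing or wrong record is a common reason the device never reaches Azure DRS. The sample output is constructed, abbreviated, and deliberately shows a device that joined but has no PRT; the domain name is a placeholder.

```powershell
# Added example (not from the Ping Identity guide). Parses dsregcmd /status into key/value
# pairs, checks the hybrid-join fields against expected values, and verifies the
# enterpriseregistration CNAME. Sample output below is constructed; run the live
# commands shown at the end on the device itself.

$ExpectedState = @{
    AzureAdJoined   = 'YES'
    DomainJoined    = 'YES'
    WorkplaceJoined = 'NO'
    WamDefaultSet   = 'YES'
    AzureAdPrt      = 'YES'
}

function ConvertFrom-DsregcmdStatus {
    # dsregcmd prints "Key : Value" lines under "| Section |" banners; keep only the pairs.
    # Hashtable keys are case-insensitive in PowerShell, so AzureAdJoined and AzureADJoined match.
    param([Parameter(Mandatory)][string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Non-greedy key stops at the first colon, so timestamps in values survive intact.
        if ($line -match '^\s*([A-Za-z0-9][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    $status
}

function Test-HybridJoinState {
    param(
        [Parameter(Mandatory)][hashtable]$Status,
        [hashtable]$Expected = $ExpectedState
    )
    $failures = foreach ($key in $Expected.Keys) {
        $actual = if ($Status.ContainsKey($key)) { $Status[$key] } else { '<missing>' }
        if ($actual -ne $Expected[$key]) {
            '{0}: expected {1}, got {2}' -f $key, $Expected[$key], $actual
        }
    }
    [pscustomobject]@{ Passed = (@($failures).Count -eq 0); Failures = @($failures) }
}

function Test-EnterpriseRegistrationCname {
    # Windows discovers Azure DRS through enterpriseregistration.<verified domain>, which
    # must be a CNAME to enterpriseregistration.windows.net.
    param([Parameter(Mandatory)][string]$Domain)
    $name = "enterpriseregistration.$Domain"
    try {
        $target = (Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                   Where-Object QueryType -eq 'CNAME' | Select-Object -First 1).NameHost
    } catch {
        $target = $null   # NXDOMAIN or resolver failure
    }
    [pscustomobject]@{
        Record = $name
        Target = $target
        Passed = ($target -eq 'enterpriseregistration.windows.net')
    }
}

# Constructed sample output, trimmed to the fields that matter here.
$SampleText = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : NO
      AzureAdPrtUpdateTime : 2022-07-18 12:00:00.000 UTC
           WorkplaceJoined : NO
             WamDefaultSet : YES
'@
$SampleOutput = $SampleText -split "`r?`n"

$state = ConvertFrom-DsregcmdStatus -Lines $SampleOutput
Test-HybridJoinState -Status $state | Format-List

# On the device itself (domain name is a placeholder):
#   $live = ConvertFrom-DsregcmdStatus -Lines (& dsregcmd.exe /status)
#   Test-HybridJoinState -Status $live
#   Test-EnterpriseRegistrationCname -Domain 'corp.example.com'
```

The sample is constructed so that the device state fields pass but `AzureAdPrt` is `NO`, which is the Stage 2 failure mode: the device registered, but the user sign-in through the Username Token Processor did not yield a PRT. That separates a PingFederate-side problem from a DNS or DRS-side one before you open the Microsoft troubleshooting guide.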
