Apologies if this is obvious but it wasn’t quite so clear cut to me, therefore a quick post seems sensible.
Windows Server 2012 R2 Active Directory Federation Services (AD FS) ships with a component called the Device Registration Service, or DRS for short. The DRS facilitates the new Workplace Join (WPJ) feature. Here’s a summary, from TechNet:
By using Workplace Join, information workers can join their personal devices with their company’s workplace computers to access company resources and services. When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication and Single Sign-On to workplace resources and applications. When a device is joined by Workplace Join, attributes of the device can be retrieved from the directory to drive conditional access for the purpose of authorizing issuance of security tokens for applications. Windows 8.1 and iOS 6.0+, and Android 4.0+ devices can be joined by using Workplace Join.
There are two Device Registration Services in play today:
- The Windows Server 2012 R2 DRS
- Azure DRS
You can only use one of them!
- Windows Server 2012 R2 DRS is intended for on-premises deployments and to provide conditional access and seamless SSO to on-premises applications.
- Azure DRS is intended for conditional access and seamless SSO in Office 365, CRM Online, Intune and Azure and on-premises applications.
You cannot implement a hybrid (Azure DRS and on-premises) DRS deployment. You must pick one or the other.
- If you have on-premises infrastructure with no MS Online services and no immediate plans for MS Online services, use Windows Server 2012 R2 DRS.
- If you are an MS Online user, e.g. Office 365, Azure, CRM Online, Intune, you must use Azure DRS in order to get the benefit of conditional access policies and tight integration across Office and Intune.
- If you have short-term or medium-term plans to use MS Online services you should probably still consider yourself in the hybrid identity camp and implement Azure DRS.
OK. That’s fine. Any issues or caveats with deploying on-premises and moving to the cloud if and when the time comes?
Yes. If you move from on-premises DRS to Azure DRS you must re-register all devices. Existing devices won’t work inside of MS Online.
So you need to consider this carefully. If you’re designing a Windows Server 2012 R2 or Windows Server “10” AD FS deployment you need to know whether or not O365 is on the cards. If it is, plan for and deploy Azure DRS (which still requires some on-premises components and configuration). If it isn’t and you do want to implement conditional access policies (a.k.a. advanced AuthZ rules) then you need on-premises DRS. Note that you need to get your certificate(s) correctly planned ahead of doing this too (see here for why).
How does hybrid DRS work?
Azure DRS is used to register the devices and issue the necessary device certificates to clients. Once this happens you have the full and future capabilities of conditional access policies within the confines of your environment, e.g. access to X if device is managed.
Azure device objects are then written back to on-premises AD DS using AADSync/AADConnect, DirSync or FIM+AAD Connector. The devices themselves contain everything needed to successfully authenticate the device as part of the AD FS authentication and utilise conditional access policy (so why not allow the opposite?)
On-premises you still go ahead and initialise DRS (Initialize-ADDeviceRegistration) and enable device authentication (Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true), but you don’t enable DRS endpoints (Enable-AdfsDeviceRegistration) on each AD FS server; you disable pruning (Set-AdfsDeviceRegistration -MaximumInactiveDays 0); and then apply some configuration to the urn:federation:MicrosoftOnline RP trust. Azure AD is authoritative for devices, so the deletions flow from AAD. AAD also offers a nice UX for viewing a user’s devices.
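As an added example (not the post's own script), here is the on-premises half of that hybrid configuration as a PowerShell fragment run on one AD FS server, ending with a check of the resulting state. The service account name, the domain DN and the location of the RegisteredDevices container are assumptions; the per-RP configuration on the urn:federation:MicrosoftOnline trust is left out, as the post does not spell it out.

```powershell
# Added example (not the post's own script): on-premises steps for a hybrid
# (Azure DRS) deployment, run on one AD FS server as a domain admin.
# Assumptions: AD FS service account CONTOSO\adfssvc$ (a gMSA), domain contoso.com,
# RegisteredDevices container at the domain root. Adjust before running.

Import-Module ADFS
Import-Module ActiveDirectory

$serviceAccount = 'CONTOSO\adfssvc$'   # assumed; your AD FS service account
$domainDn       = 'DC=contoso,DC=com'  # assumed; domain receiving device write-back

# 1. Create the device registration containers in AD DS. Still required on-premises,
#    because AADSync/AAD Connect writes the Azure device objects back here.
Initialize-ADDeviceRegistration -ServiceAccountName $serviceAccount

# 2. Let AD FS consume the device certificate during sign-in.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# 3. Deliberately NOT run: Enable-AdfsDeviceRegistration.
#    Azure DRS registers the devices, so the on-premises DRS endpoints stay off.

# 4. Disable pruning: Azure AD is authoritative, deletions flow from AAD via write-back.
Set-AdfsDeviceRegistration -MaximumInactiveDays 0

# 5. Verify the state before configuring the urn:federation:MicrosoftOnline RP trust.
$policy = Get-AdfsGlobalAuthenticationPolicy
$drs    = Get-AdfsDeviceRegistration
if (-not $policy.DeviceAuthenticationEnabled) { throw 'Device authentication is still disabled' }
if ($drs.MaximumInactiveDays -ne 0) { throw "Pruning still active: $($drs.MaximumInactiveDays) days" }

# 6. After device write-back has run, synced devices appear as msDS-Device objects
#    under CN=RegisteredDevices (assumed path). A count of 0 means write-back has not
#    run yet, or is not enabled in AAD Connect.
$devices = Get-ADObject -LDAPFilter '(objectClass=msDS-Device)' `
                        -SearchBase "CN=RegisteredDevices,$domainDn" -ErrorAction SilentlyContinue
"Device auth: $($policy.DeviceAuthenticationEnabled); pruning days: $($drs.MaximumInactiveDays); written-back devices: $(@($devices).Count)"
```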
Costs and licensing
As I was putting this information together for my customers I realised I needed to understand how DRS is licensed. Specifically, does the Azure DRS have any costs associated with it, e.g. an Azure AD Premium or Basic license type? I’ll quickly summarise what is free and what needs a subscription here to wrap this post up.
- On-premises DRS is licensed as part of Windows, i.e. your server and CALs
- Azure DRS is free
- To use conditional access policies for Office resources you must have a valid Office 365 license
- To use conditional access policies to SaaS applications you must have a valid AAD-Premium license
- For conditional access to on-premises AD FS protected applications you must have device write-back enabled within AAD – this capability comes with your AAD-P or Office 365 license