Which of the Device Registration Service options should you select? Do you use Azure AD Join, Device Registration, or Domain Join + Device Registration? Should you configure DRS in Azure AD or on on-premises AD FS? At least for me, the answer to this question has not been obvious.

Microsoft's statement on Azure AD DRS

Azure Active Directory Device Registration is the foundation for device-based conditional access scenarios. When a device is registered, Azure Active Directory Device Registration provides the device with an identity which is used to authenticate the device when the user signs in. The authenticated device, and the attributes of the device, can then be used to enforce conditional access policies for applications that are hosted in the cloud and on-premises.

When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure Active Directory are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance.

  • Azure AD DRS is used for device-based conditional access to cloud workloads (O365, Intune) and on-premises applications
  • The on-premises version is used to perform conditional access for devices at on-premises applications (it comes with Windows Server 2012 R2 or Windows Server 2016 AD FS)
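Before choosing between the options above it helps to know which state a given Windows device is actually in. The following PowerShell is an added example, not part of the original post and not Microsoft's code: it parses the output of `dsregcmd.exe /status` (shipped with Windows 10 / Windows Server 2016 and later) and maps the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields onto the three registration options discussed here. The mapping of field combinations to option names, and the constructed sample output used for the offline run, are assumptions made for this example.

```powershell
# Added example (not from the original post): summarise the Azure AD / domain
# registration state of a Windows device from `dsregcmd /status` output.
# Assumption: the "Device State" section exposes the YES/NO fields
# AzureAdJoined, DomainJoined and WorkplaceJoined.

function ConvertFrom-DsregStatus {
    param(
        # Lines of `dsregcmd /status` output; omit to query the local machine.
        [string[]] $Lines
    )
    if (-not $Lines) {
        $Lines = & dsregcmd.exe /status
    }

    # Collect "Key : Value" lines whose key has no spaces (the boolean state fields).
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $aadJoined  = $fields['AzureAdJoined']   -eq 'YES'
    $domJoined  = $fields['DomainJoined']    -eq 'YES'
    $wpJoined   = $fields['WorkplaceJoined'] -eq 'YES'

    # Assumed mapping onto the options named in the post.
    $option = if ($aadJoined -and $domJoined) { 'Domain Join + Device Registration (hybrid Azure AD joined)' }
              elseif ($aadJoined)              { 'Azure AD Join' }
              elseif ($wpJoined)               { 'Device Registration (Azure AD registered / workplace joined)' }
              elseif ($domJoined)              { 'Domain joined only, not registered in Azure AD' }
              else                             { 'Not registered' }

    [pscustomobject]@{
        AzureAdJoined   = $aadJoined
        DomainJoined    = $domJoined
        WorkplaceJoined = $wpJoined
        Option          = $option
    }
}

# Constructed sample output (not captured from a real device) so the parser can be
# exercised offline; run ConvertFrom-DsregStatus with no arguments on a real machine.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '           WorkplaceJoined : NO',
    '+----------------------------------------------------------------------+'
)

ConvertFrom-DsregStatus -Lines $sample | Format-List
```

On the constructed sample the function reports `Domain Join + Device Registration (hybrid Azure AD joined)`; a device showing `AzureAdJoined : NO` and `WorkplaceJoined : NO` is not known to Azure AD at all and will not satisfy a device-based conditional access rule, which is the first thing to check when a user is unexpectedly blocked.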

If you have plans to start using Microsoft cloud services, I highly recommend using the Azure AD Device Registration Service. Here is a comparison of the registration options made by Microsoft's David Trejo. The full post can be found here.

Details of the configuration needed for AAD DRS are found here.

The datasheet of registration options helped a lot in understanding the differences between the options.