Client certificates issued by AD CS or an external service are used to restrict login access by device.

Client certificates are verified during the authentication process. Devices that do not have a valid client certificate are denied login access.