Client certificates (Device certificate) issued by AD CS or an external service are used to restrict login access by device.

Device certificates are verified during the authentication process. Devices that do not have a valid device certificate are denied login access.