Device Join and Device Registration in Microsoft Entra ID (SC-300)
Why Device Join and Device Registration Matter
In modern identity and access management, controlling which devices access your organization's resources is just as critical as controlling which users can sign in. Device Join and Device Registration are foundational capabilities in Microsoft Entra ID (formerly Azure AD) that allow organizations to establish device identity, enforce compliance policies, and enable Conditional Access based on device state. Without proper device management, organizations face an increased risk of data leakage and unauthorized access, and an inability to enforce security baselines.
What Is Device Registration?
Device Registration (also known as Microsoft Entra Registered devices, formerly Azure AD Registered) is designed primarily for Bring Your Own Device (BYOD) and personal device scenarios. When a device is registered:
- The device gets an identity in Microsoft Entra ID
- The user signs in with their personal account on the device but adds a work or school account
- Supported on Windows 10/11, iOS, iPadOS, Android, and macOS
- The organization does not take full control of the device
- Enables access to organizational resources like email and cloud apps
- Can be managed via Mobile Application Management (MAM) or Mobile Device Management (MDM) such as Microsoft Intune
- Provides a device object in Entra ID for Conditional Access evaluation
What Is Device Join?
Device Join comes in two forms:
1. Microsoft Entra Join (Azure AD Join)
- Designed for cloud-only or cloud-first organizations
- The device is joined directly to Microsoft Entra ID (no on-premises Active Directory required)
- Users sign in to the device using their Entra ID credentials
- Supported on Windows 10/11 and Windows Server 2019+ (for VMs)
- Provides SSO to both cloud and on-premises resources (when the device has line of sight to a domain controller, or when using Azure AD Kerberos)
- The organization has full management control of the device
- Device is typically managed with Microsoft Intune or co-management
- Ideal for organizations without on-premises Active Directory infrastructure
2. Microsoft Entra Hybrid Join (Hybrid Azure AD Join)
- Designed for organizations that have both on-premises Active Directory and Microsoft Entra ID
- The device is joined to both on-premises AD and Entra ID simultaneously
- Requires Azure AD Connect (or Azure AD Connect Cloud Sync with limitations) to sync device objects
- Supported on Windows 10/11, Windows Server 2016+, and down-level Windows (7/8.1 with limitations)
- Provides SSO to both cloud and on-premises resources
- Ideal for organizations transitioning from on-premises to cloud-based management
- Devices can be managed by Group Policy, SCCM, Intune, or co-management
How It Works – The Technical Flow
Device Registration Flow:
1. User goes to Settings on their personal device and adds a work or school account
2. The device authenticates to Microsoft Entra ID
3. A device object is created in Entra ID
4. A certificate is provisioned on the device for authentication
5. The user can now access organizational resources while the device remains personal
Microsoft Entra Join Flow:
1. During Windows OOBE (Out-of-Box Experience) or via Settings > Accounts > Access work or school > Join this device to Azure Active Directory
2. The user authenticates with Entra ID credentials (MFA may be enforced)
3. The device is registered in Entra ID as a Joined device
4. A Primary Refresh Token (PRT) is issued, enabling SSO
5. MDM enrollment (e.g., Intune) can be triggered automatically
6. Conditional Access policies can now evaluate the device's join state and compliance
Hybrid Join Flow:
1. The device is domain-joined to on-premises AD (traditional domain join)
2. Azure AD Connect syncs the device object to Entra ID
3. The device detects a Service Connection Point (SCP) in AD to discover the Entra ID tenant
4. The device authenticates to Entra ID and receives a certificate/PRT
5. The device now has identity in both directories
Key Configuration Points
- Device Settings in Entra ID: Navigate to Microsoft Entra admin center > Identity > Devices > Device settings to configure who can join devices, maximum number of devices per user, and whether to require MFA for joining devices
- Enterprise State Roaming: Can be enabled for joined devices to sync user settings across Windows devices
- Azure AD Connect: Must be configured with device writeback or device sync for Hybrid Join scenarios
- Service Connection Point (SCP): Must be configured in on-premises AD forest for Hybrid Join device discovery
- Conditional Access: Policies can require devices to be marked as compliant, require Hybrid Entra joined devices, or use device filters
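To verify the Hybrid Join prerequisites described above (an SCP in the forest's Configuration partition and a device that is both domain-joined and registered with a PRT), here is an added PowerShell check that is not part of the original guide. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host and that the well-known device-registration SCP container name below matches your forest.

```powershell
# Added example: verify Hybrid Join prerequisites from a domain-joined Windows host.
# Assumes the RSAT ActiveDirectory module is installed. The GUID below is the
# well-known name of the device-registration SCP in the Configuration partition.
Import-Module ActiveDirectory

# 1. Read the Service Connection Point that Hybrid Join discovery relies on
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDn = "CN=62a0ff2e-97b9-4088-9039-b9a20c2d6d5c,CN=Device Registration Configuration,CN=Services,$configNC"
try {
    $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
} catch {
    $scp = $null
}
if (-not $scp) {
    Write-Warning "SCP not found at $scpDn - Hybrid Join discovery will fail."
} else {
    # keywords should contain azureADName:<verified domain> and azureADId:<tenant id>
    $scp.keywords | ForEach-Object { Write-Output "SCP keyword: $_" }
}

# 2. Check this device's registration state as Windows reports it.
# A Hybrid Joined device shows DomainJoined : YES and AzureAdJoined : YES;
# AzureAdPrt : YES confirms the Primary Refresh Token was issued.
$status = dsregcmd /status
foreach ($key in 'DomainJoined', 'AzureAdJoined', 'AzureAdPrt', 'TenantId') {
    $line = $status | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
    if ($line) { Write-Output $line.Trim() } else { Write-Output "$key : <not reported>" }
}
```

If the SCP exists but `TenantId` in the dsregcmd output differs from the `azureADId` keyword, the device discovered a different tenant than the one you expect.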
Comparison Table
Type | Typical scenario | Device sign-in | Organizational control | Platforms
Entra Registered | BYOD/Personal devices | User signs in with personal account + adds work account | Minimal org control | All major OS platforms
Entra Joined | Organization-owned devices | User signs in with Entra ID account | Full org control | Windows 10/11 only
Hybrid Entra Joined | Organization-owned devices in hybrid environments | User signs in with AD account synced to Entra ID | Full org control (GP + MDM) | Windows 10/11, Windows Server
Conditional Access and Device Identity
Device join type plays a crucial role in Conditional Access policies:
- Require device to be marked as compliant: Works with all three join types (requires Intune or third-party MDM)
- Require Hybrid Azure AD joined device: Only applies to Hybrid Joined devices
- Filter for devices: Can target policies based on device attributes like trustType, model, or device ID
- A device must be either Entra Joined or Hybrid Joined to get a Primary Refresh Token (PRT), which is essential for seamless SSO
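As an added example (not from the original guide) of the grant controls and device filter listed above, the following Microsoft Graph PowerShell creates a report-only Conditional Access policy scoped by `trustType` to Hybrid Joined Windows devices and requires them to also be marked compliant, which is the typical co-management transition check. It assumes the Microsoft.Graph module, an account holding the `Policy.ReadWrite.ConditionalAccess` permission, and a placeholder break-glass group ID that you replace.

```powershell
# Added example: report-only Conditional Access policy for Hybrid Joined Windows devices.
# Assumes the Microsoft.Graph module is installed; the group ID is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "<break-glass-group-object-id>"   # placeholder, replace before use

$policy = @{
    displayName = "Hybrid Joined Windows devices must be Intune compliant"
    # Start in report-only mode and review sign-in logs before enforcing
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows") }
        # Filter for devices. trustType values: AzureAD = Entra Joined,
        # ServerAD = Hybrid Joined, Workplace = Entra Registered.
        # Devices with no identity in Entra ID match no rule and fall outside this policy,
        # so cover them with a separate policy.
        devices      = @{
            deviceFilter = @{ mode = "include"; rule = 'device.trustType -eq "ServerAD"' }
        }
    }
    grantControls = @{
        operator        = "AND"
        # compliantDevice = "Require device to be marked as compliant" (needs Intune/MDM)
        # domainJoinedDevice would be "Require Hybrid Azure AD joined device"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```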
Important Limitations to Know
- Entra Join does NOT support Windows versions prior to Windows 10
- macOS, iOS, and Android devices can only be registered, not joined
- Hybrid Join requires Azure AD Connect and proper SCP configuration
- A device cannot be both Entra Joined and Hybrid Joined simultaneously
- When a Hybrid Joined device is also Entra Joined, the Entra Join takes precedence (Hybrid state is removed)
- Maximum device limit per user is configurable (default varies; can be set to unlimited)
Exam Tips: Answering Questions on Device Join and Device Registration
1. Know the three device identity types cold: Registered, Joined, and Hybrid Joined. The exam frequently tests your ability to choose the correct type for a given scenario. BYOD = Registered. Cloud-only org = Entra Join. Existing on-prem AD + cloud = Hybrid Join.
2. Understand OS support: If a question mentions macOS or mobile devices needing organization access, the answer is almost always Device Registration, not Join. Entra Join is Windows-only.
3. SCP is key for Hybrid Join: If a question describes Hybrid Join not working, check whether SCP is configured in the on-premises AD forest. Also verify Azure AD Connect is syncing device objects.
4. Conditional Access grant controls: Know the difference between "Require device to be marked as compliant" (works with all join types + Intune) vs. "Require Hybrid Azure AD joined device" (only Hybrid Join). If the question says the organization has no on-premises AD, Hybrid Join is not the answer.
5. Primary Refresh Token (PRT): Only Entra Joined and Hybrid Joined devices receive a PRT. Registered devices do not get PRT. Questions about SSO often hinge on this detail.
6. Device settings in the portal: Know that admins can restrict who can join devices (All users, Selected users, or None). If a question says users cannot join devices, check this setting. Also know the "Require MFA to register or join devices" toggle.
7. Scenario-based questions: When you see a scenario with "users bring their own devices" or "personal devices" → think Registration. When you see "company-owned laptops with no on-prem AD" → think Entra Join. When you see "existing domain-joined machines need cloud benefits" → think Hybrid Join.
8. Device writeback vs. device sync: Azure AD Connect can sync devices from on-premises to cloud (for Hybrid Join). Device writeback writes cloud device objects back to on-premises AD (used for certain ADFS scenarios). Know the difference.
9. Stale devices: The exam may test your knowledge of managing stale device objects. Know that you can set activity timestamps and clean up devices that haven't signed in for a period.
10. Read carefully for keywords: Words like "without affecting personal device ownership," "minimize administrative overhead," or "maintain existing Group Policy management" are strong hints toward specific device identity choices. Take note of the organization's existing infrastructure before selecting an answer.