Entra device join types — Entra ID Joined, Registered, Hybrid Join (comparison)
I often start with a quick recap when discussing Entra device join types with colleagues or customers, so I decided to write it down for future reference.
This article compares the three most common Entra device states: Entra ID Joined, Entra ID Registered (workplace-registered), and Hybrid Entra Join. It also covers when to use each option, the main requirements, licensing considerations, and the technical limitations or edge cases worth planning for.
Quick decision checklist to save time
- Need local Windows sign-in using Entra identity and cloud management → Entra ID Joined.
- Need only SSO to cloud apps on personal devices, no full management → Entra ID Registered.
- Need on-prem authentication (Kerberos/NTLM) + Entra features → Hybrid Entra Join.
References
- Microsoft Learn: Directory join overview
- Microsoft Learn: Device registration overview
- Microsoft Learn: Hybrid Azure AD join
Quick summary
- Entra ID Joined — best for corporate-owned Windows devices that sign in with Entra ID identities. It is cloud-first and supports local Entra sign-in, Intune auto-enrollment, and Autopilot.
- Entra ID Registered — best for personal or BYOD devices. It provides light-weight registration for SSO and Conditional Access, but not full device management or local Entra sign-in.
- Hybrid Entra Join — best for on-prem AD-joined devices that also need to appear in Entra ID. This is the right fit when native Kerberos or NTLM access to on-prem resources is still required.
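The three states above show up on a Windows device as flag combinations in the "Device State" block of `dsregcmd /status` (AzureAdJoined, DomainJoined, WorkplaceJoined). The script below is an added example, not part of the original article: it parses that block and names the join model, and it also flags the dual-state case (joined and workplace-registered at the same time). The sample output embedded in it is constructed for illustration; the function name `Get-EntraJoinState` is this example's own.

```powershell
# Added example (not from the article): classify a device's Entra join state
# from the "Device State" section of `dsregcmd /status`.
# The status text below is constructed sample output. On a real device use:
#   $statusText = dsregcmd /status
$statusText = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
           WorkplaceJoined : NO
"@

function Get-EntraJoinState {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # Collect "Name : Value" pairs; the banner and separator lines have no colon
    # and are skipped. Keys we do not use are harmless.
    $fields = @{}
    foreach ($line in (($StatusLines -join "`n") -split "`r?`n")) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined    = $fields['DomainJoined']    -eq 'YES'
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'

    # Decision order mirrors the article's three models. A device that is both
    # AD domain-joined and Entra-joined is the hybrid case.
    if ($azureAdJoined -and $domainJoined) { $state = 'Hybrid Entra Joined' }
    elseif ($azureAdJoined)                { $state = 'Entra ID Joined' }
    elseif ($workplaceJoined)              { $state = 'Entra ID Registered' }
    elseif ($domainJoined)                 { $state = 'On-prem AD joined only (not in Entra)' }
    else                                   { $state = 'Not joined or registered' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $azureAdJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        # Joined AND workplace-registered at once is the dual-state condition to
        # clean up; it usually comes from a leftover manual "add work account".
        DualState       = ($azureAdJoined -and $workplaceJoined)
        DomainName      = $fields['DomainName']
    }
}

Get-EntraJoinState -StatusLines $statusText | Format-List
```

Run it on the device itself (or pipe collected `dsregcmd /status` captures through it) to inventory a pilot cohort before deciding which join model is authoritative; a `DualState` of `True` is the signal to remove the extra workplace registration.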
Who should use which
- Use Entra ID Joined when devices are corporate-owned and you want modern, cloud-first management with Intune, Windows Autopilot provisioning, and sign-in with Entra credentials.
- Use Entra ID Registered for BYOD scenarios where you only need app single sign-on, device-based Conditional Access signals, or Mobile Application Management (MAM) without full MDM enrollment.
- Use Hybrid Entra Join when devices must remain domain-joined for on-prem authentication such as Kerberos, NTLM, or Group Policy, but should also benefit from Entra capabilities such as Conditional Access or Intune co-management.
Requirements (practical checklist)
- Entra ID Joined
  - Windows 10/11 Pro, Enterprise or Education (Home has limited support).
  - An Entra ID tenant and user accounts in Entra ID.
  - Internet access for authentication and device management.
  - Intune (or another MDM) for automatic device management. Autopilot provisioning requires Intune.
- Entra ID Registered
  - Supported platforms include Windows, macOS, iOS, and Android, typically through Company Portal or browser-based registration flows.
  - Entra ID tenant.
  - For device-based Conditional Access or compliance: MDM or MAM, typically Intune with Company Portal, is usually required.
- Hybrid Entra Join
  - Devices must be joined to on-premises Active Directory.
  - Azure AD Connect configured with device write-back or registration options enabled and synchronization working.
  - Service Connection Point (SCP) in AD or GPO-based settings for auto-registration.
  - Supported Windows clients, typically modern Windows 10/11, or appropriate OS versions for domain-joined clients.
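The SCP that hybrid auto-registration depends on lives at a fixed, well-known location in the forest's Configuration partition, and its `keywords` attribute names the tenant. The following is an added example, not code from the article: it reads that object with plain `[ADSI]` (no AD module required) and compares the tenant it points at with the tenant you expect, which is the quick check for the multi-forest and wrong-tenant SCP problems. The function name `Get-HybridJoinScp` and the `-ExpectedTenantId` parameter are this example's own; the tenant id shown in the usage line is a placeholder.

```powershell
# Added example (not from the article): verify the hybrid Entra join SCP.
# Run on a domain-joined machine with read access to the Configuration NC.
function Get-HybridJoinScp {
    param(
        # Tenant id you expect the SCP to reference; $null skips the comparison.
        [string]$ExpectedTenantId = $null
    )

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = "$($rootDse.configurationNamingContext)"
    # Well-known, GUID-named container Microsoft uses for the device registration SCP.
    $scpPath  = "LDAP://CN=62a0ff2e-97b9-4088-9086-5d6b7b2d2fa9," +
                "CN=Device Registration Configuration,CN=Services,$configNc"

    if (-not [ADSI]::Exists($scpPath)) {
        return [pscustomobject]@{
            Present = $false; Path = $scpPath
            TenantName = $null; TenantId = $null; MatchesExpected = $null
        }
    }

    $scp      = [ADSI]$scpPath
    $keywords = @($scp.keywords)

    # Keywords are "azureADName:<verified domain>" and "azureADId:<tenant guid>".
    $tenantName = ($keywords | Where-Object { $_ -match '^azureADName:(.+)$' } |
                   ForEach-Object { $Matches[1] }) | Select-Object -First 1
    $tenantId   = ($keywords | Where-Object { $_ -match '^azureADId:(.+)$' } |
                   ForEach-Object { $Matches[1] }) | Select-Object -First 1

    $matches = if ($ExpectedTenantId) { $tenantId -eq $ExpectedTenantId } else { $null }

    [pscustomobject]@{
        Present         = $true
        Path            = $scpPath
        TenantName      = $tenantName
        TenantId        = $tenantId
        MatchesExpected = $matches
        Keywords        = $keywords
    }
}

# Placeholder tenant id; substitute your own tenant's id.
Get-HybridJoinScp -ExpectedTenantId '00000000-0000-0000-0000-000000000000' | Format-List
```

A result of `Present = False` means devices in that forest will fall back to whatever the GPO-based registration settings say (or will not register at all); `MatchesExpected = False` is the stale or wrong-tenant SCP that quietly breaks registration after a migration or a test tenant experiment.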
Licensing and feature gating (high level)
- Basic device registration and Entra ID Join functionality are available without Entra ID Premium for fundamental identity scenarios.
- Entra ID Premium P1 is generally required for Conditional Access policies that use device state and other advanced identity protection rules.
- Microsoft Intune (or an MDM service with equivalent features) is required for MDM enrollment, compliance state reporting, Autopilot provisioning, and device configuration profiles.
- Enterprise suites such as EMS or Microsoft 365 E3/E5 commonly bundle Entra ID Premium and Intune, but it is still worth validating feature availability against your actual tenant licenses.
Technical limitations & important considerations
- Sign-in and offline behavior
  - Entra ID Joined: Users sign in with their Entra ID credentials; cached credentials allow offline sign-in. Windows Hello for Business can be used.
  - Entra ID Registered: Does not provide local Windows sign-in with Entra ID accounts, except limited scenarios; it is intended for SSO to cloud apps.
  - Hybrid Entra Join: Users typically sign in to the device with AD credentials, while the device itself is still visible in Entra ID for cloud policies.
- Access to on-prem resources
  - Only domain-joined and Hybrid Entra Joined devices provide native Kerberos/NTLM access to on-prem resources without additional bridging such as a VPN or Azure AD Domain Services.
- Management overlaps and co-existence
  - Hybrid estates often use co-management (ConfigMgr + Intune). Plan which tooling is authoritative for policies and updates to avoid conflicting actions.
  - Avoid accidental dual-enrollment flows for BYOD vs. corporate devices; use enrollment restrictions and clear user guidance.
- Network and sync dependencies
  - Hybrid Join depends on properly configured Azure AD Connect and reachable Azure endpoints. A misconfigured SCP, incorrect GPO, or blocked outbound network access can break auto-registration.
- Conditional Access and compliance
  - Conditional Access using device state (Compliant / Hybrid Entra Joined / Entra ID Joined) typically requires Entra ID Premium.
  - To surface a Compliant device state, you also need MDM enrollment and compliance policy evaluation in Intune.
- Operating system support and features
  - Some features like Autopilot, Windows Hello for Business, and native Azure sign-in require supported Windows editions and recent OS versions.
- Edge cases & gotchas
  - Dual-joined scenarios: devices that accidentally end up both Entra ID Joined and Hybrid can show unexpected behavior, so choose a single authoritative join model per device cohort.
  - SCP misconfiguration: multiple domains or forests require careful SCP placement and Azure AD Connect configuration.
  - Device object cleanup: stale device objects in Entra ID from test or reimaged systems should be reviewed and cleaned up to avoid licensing and Conditional Access surprises.
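The stale-device gotcha is easiest to manage as a recurring report keyed on `approximateLastSignInDateTime`, and because Entra stores the join model in each device object's `trustType` (`AzureAd`, `ServerAd`, `Workplace`), the same report tells you which of the three models the stale objects came from. The script below is an added example, not part of the original article; it is report-only and assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph.Identity.DirectoryManagement`) with a session that has the `Device.Read.All` scope. The function name `Get-StaleEntraDevice` and the 90-day threshold are this example's own choices.

```powershell
# Added example (not from the article): report-only inventory of Entra device
# objects that have not signed in for a given number of days, grouped by join type.
# Nothing here disables or deletes anything.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Device.Read.All'

# trustType values as stored in Entra, mapped to the article's three join models.
$trustTypeNames = @{
    'AzureAd'   = 'Entra ID Joined'
    'ServerAd'  = 'Hybrid Entra Joined'
    'Workplace' = 'Entra ID Registered'
}

function Get-StaleEntraDevice {
    param([int]$InactiveDays = 90)

    $cutoff  = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
    $devices = Get-MgDevice -All -Property @(
        'id', 'displayName', 'deviceId', 'trustType', 'accountEnabled',
        'approximateLastSignInDateTime', 'operatingSystem'
    )

    foreach ($d in $devices) {
        $last = $d.ApproximateLastSignInDateTime
        # A device that never signed in has no timestamp; treat it as stale too,
        # since that is the typical footprint of a failed pilot or reimage.
        if ($null -eq $last -or $last -lt $cutoff) {
            $joinType = if ($d.TrustType -and $trustTypeNames.ContainsKey($d.TrustType)) {
                $trustTypeNames[$d.TrustType]
            } else {
                "Unknown ($($d.TrustType))"
            }
            [pscustomobject]@{
                DisplayName     = $d.DisplayName
                ObjectId        = $d.Id        # Entra object id (what Update-MgDevice -DeviceId expects)
                DeviceId        = $d.DeviceId  # device id shown by dsregcmd /status
                JoinType        = $joinType
                Enabled         = $d.AccountEnabled
                LastSignIn      = $last
                OperatingSystem = $d.OperatingSystem
            }
        }
    }
}

$stale = Get-StaleEntraDevice -InactiveDays 90

# Summary by join model, then the detailed list oldest-first.
$stale | Group-Object JoinType | Select-Object Name, Count | Format-Table -AutoSize
$stale | Sort-Object LastSignIn | Format-Table DisplayName, JoinType, Enabled, LastSignIn -AutoSize
```

Treat the output as a review list, not a deletion list: hybrid-joined objects (`ServerAd`) are resynced by Azure AD Connect if the on-prem computer object still exists, so clean those up in AD first, and for the others disable before deleting so a device that was merely offline can be re-enabled instead of re-joined.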
Implementation recommendations
- New corporate device fleet: prefer Entra ID Join with Intune and Autopilot for a cloud-native and simplified lifecycle.
- BYOD: use Entra ID Registered with a MAM-first approach for app protection and Conditional Access. Reserve MDM only when users consent or company policy requires it.
- Existing domain-heavy environments: implement Hybrid Entra Join, verify Azure AD Connect and SCP configuration, pilot a subset of devices, then evaluate co-management with Intune.
This post is licensed under CC BY 4.0 by the author.