Entra device join types — Entra ID Joined, Registered, Hybrid Join (comparison)
I always have to start with a quick recap when discussing Entra device join types with colleagues or customers, so I decided to write it down as a blog post for future reference.
This article compares the three common Entra device states: Entra ID Joined, Entra ID Registered (workplace-registered), and Hybrid Entra Join. It explains when to use each, requirements, licensing considerations and important technical limitations or edge cases to plan for.
Quick decision checklist to save time
- Need local Windows sign-in using Entra identity and cloud management → Entra ID Joined.
- Need only SSO to cloud apps on personal devices, no full management → Entra ID Registered.
- Need on-prem authentication (Kerberos/NTLM) + Entra features → Hybrid Entra Join.
Quick summary
- Entra ID Joined — corporate-owned Windows devices that sign in with Entra ID identities; cloud-first, supports local Entra sign-in, Intune auto-enroll, Autopilot.
- Entra ID Registered — personal/BYOD devices; light-weight registration for SSO and Conditional Access, not full device management or Entra sign-in.
- Hybrid Entra Join — on-prem AD-joined devices that are also registered in Entra ID; required when native Kerberos/NTLM access to on-prem resources is needed alongside Entra features.
Who should use which
- Use Entra ID Joined when devices are corporate-owned and you want modern, cloud-first management (Intune), Windows Autopilot provisioning, and sign-in using Entra credentials.
- Use Entra ID Registered for BYOD scenarios where you only need app single sign-on, device-based Conditional Access signals, or Mobile Application Management (MAM) without full MDM enrollment.
- Use Hybrid Entra Join when devices must remain domain-joined for on-prem authentication (Kerberos/NTLM, Group Policy) but also benefit from Entra capabilities (Conditional Access, Intune co-management).
Requirements (practical checklist)
- Entra ID Joined
  - Windows 10/11 Pro, Enterprise or Education (Home has limited support).
  - An Entra ID tenant and user accounts in Entra ID.
  - Internet access for authentication and device management.
  - Intune (or another MDM) for automatic device management; Autopilot provisioning requires Intune.
- Entra ID Registered
  - Device/platform support: Windows, macOS, iOS and Android can register using Company Portal or browser flows.
  - Entra ID tenant.
  - For device-based Conditional Access / compliance: MDM or MAM (Intune + Company Portal) is typically required.
- Hybrid Entra Join
  - Devices must be joined to on-premises Active Directory.
  - Azure AD Connect configured with device write-back/registration options enabled and synchronization working.
  - Service Connection Point (SCP) in AD or GPO-based settings for auto-registration.
  - Supported Windows clients (modern Windows 10/11) or appropriate OS versions for domain-joined clients.
Licensing and feature gating (high level)
- Basic device registration and Entra ID Join functionality are available without Entra ID Premium for fundamental identity scenarios.
- Entra ID Premium P1 is generally required for Conditional Access policies that use device state and other advanced identity protection rules.
- Microsoft Intune (or an MDM service with equivalent features) is required for MDM enrollment, compliance state reporting, Autopilot provisioning, and device configuration profiles.
- Enterprise suites (EMS, Microsoft 365 E3/E5) commonly bundle Entra ID Premium (formerly Azure AD Premium) and Intune; validate specific feature access against your tenant licenses.
Technical limitations & important considerations
- Sign-in and offline behavior
- Entra ID Joined: Users sign in with their Entra ID credentials; cached credentials allow offline sign-in. Windows Hello for Business can be used.
- Entra ID Registered: Does not provide local Windows sign-in with Entra ID accounts (except limited scenarios); intended for SSO to cloud apps.
- Hybrid Entra Join: Users typically sign in to device using AD credentials; device is visible in Entra ID for cloud policies.
- Access to on-prem resources
- Only domain-joined and Hybrid Entra Joined devices provide native Kerberos/NTLM access to on-prem resources without additional bridging (VPN or Azure AD Domain Services).
- Management overlaps and co-existence
- Hybrid estates often use co-management (ConfigMgr + Intune). Plan which tooling is authoritative for policies and updates to avoid conflicting actions.
- Avoid accidental dual-enrollment flows for BYOD vs corporate devices; use enrollment restrictions and clear user guidance.
- Network and sync dependencies
- Hybrid Join depends on properly configured Azure AD Connect and reachable Azure endpoints; misconfigured SCP/GPO or blocked network egress will break auto-registration.
- Conditional Access and compliance
- Conditional Access using device state (Compliant / Hybrid Entra Joined / Entra ID Joined) typically requires Entra ID Premium.
- To surface a Compliant device state, MDM enrollment and compliance policy evaluation (Intune) are necessary.
- Operating system support and features
- Some features like Autopilot, Windows Hello for Business and native Azure sign-in require supported Windows editions and recent OS versions.
- Edge cases & gotchas
- Dual-joined scenarios: Devices accidentally both Entra ID Joined and Hybrid can show unexpected behavior—pick a single authoritative join model per device cohort.
- SCP misconfiguration: Multiple domains/forests require careful SCP placement and Azure AD Connect config.
- Device object cleanup: stale device objects in Azure AD from test or reimaged systems should be reviewed and cleaned to avoid licensing and Conditional Access surprises.
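The sign-in states above and the dual-joined gotcha can be checked on a Windows endpoint from the `dsregcmd /status` output (the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields). The classifier below is an added example, not code from the original post or from Microsoft; the sample output it parses is constructed, and the join-type labels and warning strings are my own.

```python
import re

# Constructed sample of `dsregcmd /status` output (box borders dropped, trimmed
# to the fields that decide join state); not captured from a real device.
SAMPLE_HYBRID_DUAL_STATE = """
| Device State                                                         |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
| User State                                                           |
           WorkplaceJoined : YES
"""

FIELDS = ("AzureAdJoined", "DomainJoined", "WorkplaceJoined")

def parse_dsregcmd(text):
    """Return the YES/NO flags from dsregcmd output as booleans (missing = False)."""
    flags = {}
    for name in FIELDS:
        m = re.search(rf"^\s*{name}\s*:\s*(YES|NO)\s*$", text, re.MULTILINE)
        flags[name] = m is not None and m.group(1) == "YES"
    return flags

def classify(flags):
    """Map the flags to the join type used in the post, plus warnings to act on."""
    aad, dom, wpj = (flags[n] for n in FIELDS)
    if aad and dom:
        kind = "Hybrid Entra Joined"
    elif aad:
        kind = "Entra ID Joined"
    elif wpj:
        kind = "Entra ID Registered (workplace-registered for this user)"
    elif dom:
        kind = "On-prem AD joined only"
    else:
        kind = "Not joined or registered"
    warnings = []
    if aad and wpj:  # dual state: pick one authoritative join model, remove the other
        warnings.append("dual state: joined device is also Entra ID Registered for this user")
    if dom and not aad:  # if Hybrid Join is intended, SCP/GPO, Connect sync or egress is failing
        warnings.append("domain-joined but Hybrid Join auto-registration has not completed")
    return kind, warnings
```

Run it against the real output with `classify(parse_dsregcmd(subprocess.check_output(["dsregcmd", "/status"], text=True)))` on the device in question.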
Implementation recommendations
- New corporate device fleet: prefer Entra ID Join + Intune + Autopilot for a cloud-native, simplified lifecycle.
- BYOD: use Entra ID Registered with MAM-first (app protection) and conditional access; reserve MDM only when users consent or corporate policy requires it.
- Existing domain-heavy environments: implement Hybrid Entra Join, verify Azure AD Connect and SCP, pilot a subset of devices, then evaluate co-management with Intune.