Azure AD Registered vs Joined Devices

In Azure Active Directory, you can manage devices as well as users and groups. You may have noticed that devices can show up under different join types: Azure AD joined and Azure AD registered. There is also a third category, Hybrid Azure AD joined. In this article we will look at the differences.

Azure AD Devices

Azure AD registered

Azure AD registered is for non-corporate ("bring your own device") scenarios. It enables single sign-on access to Azure AD managed resources such as Teams, Microsoft 365, etc. This registration is what happens when you add a work or school account in Windows:

Add a work or school account

Azure AD registration also works for non-Windows devices (Android, iOS, etc.). It means Azure AD knows about your device. Azure AD administrators will be able to see your operating system and version, as well as the time of your latest activity. It also means Azure AD can store your BitLocker recovery keys.

Azure AD joined

Azure AD joined is for corporate-owned devices. It works only for Windows computers. The main difference you will notice is that you have to sign in to the device with your Azure AD (work/school) account.

Azure AD join also gives users single sign-on access to on-premises domain resources (if Azure AD is synchronized with the on-premises domain). Users also get access to self-service password reset from the lock screen.

To join your device to Azure AD, click on the "Add a work or school account" button (same as for Azure AD registration), but then select "Join this device to Azure Active Directory".

Azure AD join device

Another way to join your device is during the initial setup of Windows (the "first-run out-of-box experience"). Select "This device belongs to my organization" and then sign in with your organization account.

Hybrid Azure AD joined

There is one more option, Hybrid Azure AD join. This is like Azure AD joined devices, but the devices are also joined to an on-premises Active Directory domain. It is for Windows computers only.

This is necessary if you wish to manage the devices with Group Policy. It also gives users single sign-on access to on-premises domain resources.

Hybrid Azure AD join also works for older Windows versions (such as Windows 7, Windows 8 and even Windows Server 2008/R2), while Azure AD join requires at least Windows 10.
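The three join states described above can be read off a Windows device with the built-in `dsregcmd /status` command. The following PowerShell script is an added example, not code from the original article; it parses that output and names the state using the same distinctions as the text (AzureAdJoined plus DomainJoined is hybrid, AzureAdJoined alone is joined, WorkplaceJoined alone is registered). The field names are the ones dsregcmd prints; the `-Sample` switch and the dsregcmd excerpt it feeds are constructed for offline use.

```powershell
# Added example, not part of the original article: classify the local Windows
# device as Azure AD joined, Azure AD registered or Hybrid Azure AD joined from
# the output of the built-in `dsregcmd /status` command.
# Run without arguments to query the local machine; -Sample feeds a constructed
# dsregcmd excerpt instead so the parsing logic can be exercised anywhere.
param([switch]$Sample)

function Get-JoinTypeFromDsregOutput {
    param([string[]]$Lines)

    # dsregcmd prints one "Name : Value" pair per line; collect them by name.
    # AzureAdJoined and DomainJoined are device-wide; WorkplaceJoined is per user
    # (it appears under "User State"), which matches the registered/joined split.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $azureAdJoined   = $state['AzureAdJoined']   -eq 'YES'
    $domainJoined    = $state['DomainJoined']    -eq 'YES'
    $workplaceJoined = $state['WorkplaceJoined'] -eq 'YES'

    if ($azureAdJoined -and $domainJoined) { $joinType = 'Hybrid Azure AD joined' }
    elseif ($azureAdJoined)               { $joinType = 'Azure AD joined' }
    elseif ($workplaceJoined)             { $joinType = 'Azure AD registered' }
    elseif ($domainJoined)                { $joinType = 'On-premises domain joined only' }
    else                                  { $joinType = 'Not joined or registered' }

    [pscustomobject]@{
        JoinType        = $joinType
        AzureAdJoined   = $azureAdJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        TenantName      = $state['TenantName']
        DeviceId        = $state['DeviceId']
    }
}

# Constructed excerpt in the shape dsregcmd prints (all values are made up).
$sampleDsregOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Contoso (sample)
                  DeviceId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
'@

if ($Sample) {
    $lines = $sampleDsregOutput -split "`r?`n"
} else {
    $lines = dsregcmd /status
}

Get-JoinTypeFromDsregOutput -Lines $lines
```

Run as `.\Get-JoinType.ps1` on a real machine, or `.\Get-JoinType.ps1 -Sample` anywhere; the sample excerpt (AzureAdJoined and DomainJoined both YES, WorkplaceJoined NO) is reported as Hybrid Azure AD joined. Because WorkplaceJoined is recorded per user, run the script in the context of the user whose registration you want to check.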

MDM - Microsoft Intune

As an administrator, you can strengthen the control of Azure AD registered, joined or hybrid joined devices using MDM (Mobile Device Management). In the Microsoft world this is managed through Microsoft Intune.

This enables administrators to:

  • Retire devices (company apps are uninstalled and their data is removed)
  • Wipe devices (factory reset)
  • Enforce configuration policies such as password complexity and storage encryption

In the devices list in the Azure portal, you can see in the MDM column which devices are enrolled in Microsoft Intune.

There is a description here of how users enroll their devices in Microsoft Intune.
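To see the same information tenant-wide, including the MDM column mentioned above, an administrator can query the device objects through Microsoft Graph. The script below is an added example, not code from the original article or from Microsoft; it uses the Microsoft Graph PowerShell SDK cmdlets Connect-MgGraph and Get-MgDevice, maps Graph's trustType values (Workplace, AzureAd, ServerAd) onto the three join types, treats a non-empty mdmAppId as MDM enrolment, and lists devices that Intune could not retire or wipe because they are outside MDM. The sample records, the placeholder MDM app id and the 90-day staleness threshold are constructed assumptions.

```powershell
# Added example, not part of the original article: report every device in the
# tenant with its join type (trustType) and MDM enrolment, and flag joined or
# registered devices that Intune cannot retire or wipe because they are not
# enrolled. Uses the Microsoft Graph PowerShell SDK (Get-MgDevice) and needs the
# Device.Read.All permission; -Sample runs the same report over constructed
# records so it can be tried without a tenant.
param(
    [switch]$Sample,
    [int]$StaleAfterDays = 90   # assumption: devices not seen for this long are flagged
)

# Graph's device.trustType values map onto the three join types of the article.
$joinTypeByTrustType = @{
    'Workplace' = 'Azure AD registered'
    'AzureAd'   = 'Azure AD joined'
    'ServerAd'  = 'Hybrid Azure AD joined'
}

function ConvertTo-DeviceReport {
    param(
        [Parameter(ValueFromPipeline)] $Device,
        [int]$StaleAfterDays = 90
    )
    process {
        $trust = [string]$Device.TrustType
        if ($joinTypeByTrustType.ContainsKey($trust)) { $joinType = $joinTypeByTrustType[$trust] }
        else                                           { $joinType = "Unknown ($trust)" }

        # The portal's MDM column comes from mdmAppId; empty means no MDM authority.
        $mdmEnrolled = -not [string]::IsNullOrEmpty($Device.MdmAppId)

        # approximateLastSignInDateTime is the "latest activity" the article mentions.
        $lastSeen = $Device.ApproximateLastSignInDateTime
        $stale = ($null -eq $lastSeen) -or ($lastSeen -lt (Get-Date).AddDays(-$StaleAfterDays))

        [pscustomobject]@{
            DisplayName = $Device.DisplayName
            JoinType    = $joinType
            OS          = "$($Device.OperatingSystem) $($Device.OperatingSystemVersion)"
            MdmEnrolled = $mdmEnrolled
            Compliant   = [bool]$Device.IsCompliant
            LastSeen    = $lastSeen
            Stale       = $stale
        }
    }
}

# Constructed records using the property names Get-MgDevice returns (values made up).
$sampleDevices = @(
    [pscustomobject]@{
        DisplayName = 'LAPTOP-01'; TrustType = 'AzureAd'
        OperatingSystem = 'Windows'; OperatingSystemVersion = '10.0.19045'
        MdmAppId = '<mdm-app-id-placeholder>'; IsCompliant = $true
        ApproximateLastSignInDateTime = (Get-Date).AddDays(-2)
    }
    [pscustomobject]@{
        DisplayName = 'PC-HR-07'; TrustType = 'ServerAd'
        OperatingSystem = 'Windows'; OperatingSystemVersion = '10.0.22621'
        MdmAppId = $null; IsCompliant = $false
        ApproximateLastSignInDateTime = (Get-Date).AddDays(-120)
    }
    [pscustomobject]@{
        DisplayName = 'iPhone'; TrustType = 'Workplace'
        OperatingSystem = 'iOS'; OperatingSystemVersion = '16.5'
        MdmAppId = $null; IsCompliant = $false
        ApproximateLastSignInDateTime = (Get-Date).AddDays(-5)
    }
)

if ($Sample) {
    $devices = $sampleDevices
} else {
    Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null
    $props = @('displayName', 'trustType', 'isCompliant', 'mdmAppId', 'operatingSystem',
               'operatingSystemVersion', 'approximateLastSignInDateTime')
    $devices = Get-MgDevice -All -Property $props
}

$report = $devices | ConvertTo-DeviceReport -StaleAfterDays $StaleAfterDays
$report | Format-Table DisplayName, JoinType, OS, MdmEnrolled, Compliant, Stale -AutoSize

# Follow-up list: devices Azure AD knows about but that are outside MDM, or stale.
$report | Where-Object { -not $_.MdmEnrolled -or $_.Stale } |
    Select-Object DisplayName, JoinType, MdmEnrolled, Stale
```

With `-Sample`, the hybrid-joined PC-HR-07 appears in the follow-up list twice over (no MDM, last seen 120 days ago) and the registered iPhone appears because it is not enrolled; in a real tenant the same list is a practical starting point for deciding which devices can actually be retired or wiped from Intune and which need to be enrolled or removed from Azure AD first.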
