📙 Device and Hybrid Management

🔹 Register vs Join vs Hybrid Join – Device Types Explained

1. Azure AD Registered

  • Used for personal/BYOD devices (typically mobile/laptops).
  • Only the user identity is associated with Azure AD.
  • No full device control by admin.

2. Azure AD Joined

  • Devices are fully joined to Azure AD.
  • Mainly used for corporate-owned devices.
  • Provides full SSO and Intune compliance policies.

3. Hybrid Azure AD Joined

  • Devices are joined to on-prem Active Directory and registered in Azure AD.
  • Ideal for orgs with existing AD infrastructure moving to the cloud.
  • Requires Azure AD Connect and GPO.

🔹 How to Join Windows Device to Azure AD

Manual Join via Settings

  1. Open Settings > Accounts > Access work or school
  2. Click Connect
  3. Choose Join this device to Azure Active Directory
  4. Enter user email and credentials
  5. Device restarts and joins Azure AD

Post-Join Verification

  • Go to Settings > Accounts > Access work or school → the Azure AD account should be listed.
  • Run `dsregcmd /status` in Command Prompt to verify:
      * `AzureAdJoined : YES`
      * `DeviceId`, `TenantId`, etc.

🔹 Entra Join vs Intune Enrollment Differences

Entra ID Join

  • Azure AD identity is linked to the device.
  • Required for enforcing Conditional Access and cloud policies.
  • Enables SSO to Microsoft 365 and other Azure services.

Intune Enrollment

  • Intune manages device configuration, security and compliance.
  • Needed for device configuration profiles, app deployment, etc.

🔸 Key Differences: Register vs Join vs Hybrid Join

| Feature | Azure AD Registered | Azure AD Joined | Hybrid Azure AD Joined |
|---|---|---|---|
| Device Ownership | Personal (BYOD) | Corporate | Corporate (Domain-joined) |
| Join Method | User registers manually | User joins during setup | GPO + Azure AD Connect |
| User Sign-in | Local account + Work account | Azure AD credentials | AD credentials (SSO with Azure AD) |
| Device Management | Limited (Intune optional) | Fully manageable via Intune | On-prem GPO + Intune optional |
| SSO to Azure Services | Yes (limited) | Full SSO | Full SSO |
| Suitable For | BYOD or external users | Cloud-native enterprises | Hybrid environments |
| Requires AD Connect | No | No | Yes |
| Device appears in Azure AD? | Yes | Yes | Yes |
| Device appears in On-prem AD? | No | No | Yes |

🔹 Hybrid Azure AD Join – Step-by-Step Configuration

Prerequisites

  • On-prem AD + Azure AD tenant
  • Azure AD Connect
  • Windows 10/11 Enterprise or Pro
  • Valid device DNS

Step-by-Step Guide

  1. Install & Configure Azure AD Connect
     • Enable Device Writeback
     • Enable Hybrid Azure AD Join
  2. Configure GPO
     • Navigate to Computer Configuration > Administrative Templates > Windows Components > Device Registration
     • Enable Register domain-joined computers as devices
  3. Check Sync
     • Force sync: `Start-ADSyncSyncCycle -PolicyType Delta`
     • Verify with `dsregcmd /status` (check for HybridAzureADJoined : YES)
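The Post-Join Verification and Check Sync steps both rely on reading `dsregcmd /status` by eye. As an added example (not code from the original wiki page), the Python below parses that output, classifies the device into the three types from the table above, and flags a missing DeviceId or a TenantId that differs from the tenant you expect, which is the check a defender wants before trusting Conditional Access on a new machine. The sample output and the GUIDs in it are constructed placeholders, and the `WorkplaceJoined` flag is assumed to carry the Azure AD Registered state as it does in the User State section of real output.

```python
import re
from typing import Dict, List

# Constructed, abbreviated `dsregcmd /status` output for a hybrid-joined device.
# The GUIDs are placeholders, not values from a real tenant.
SAMPLE_STATUS = """\
+----------------------------------------+
| Device State                           |
+----------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                  DeviceId : 00000000-0000-0000-0000-000000000001
                  TenantId : 00000000-0000-0000-0000-0000000000aa
           WorkplaceJoined : NO
"""

def parse_dsregcmd(text: str) -> Dict[str, str]:
    """Collect the 'Key : Value' lines; banner and blank lines carry no fields."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def _is_yes(fields: Dict[str, str], key: str) -> bool:
    return fields.get(key, "NO").strip().upper() == "YES"

def classify_join(fields: Dict[str, str]) -> str:
    """Map the dsregcmd state flags to the three device types described on this page."""
    if _is_yes(fields, "AzureAdJoined") and _is_yes(fields, "DomainJoined"):
        return "Hybrid Azure AD Joined"   # joined to on-prem AD and registered in Azure AD
    if _is_yes(fields, "AzureAdJoined"):
        return "Azure AD Joined"          # cloud-only join, corporate device
    if _is_yes(fields, "WorkplaceJoined"):
        return "Azure AD Registered"      # BYOD: only the user identity is added
    return "Not registered"

def verify_post_join(fields: Dict[str, str], expected_tenant: str) -> List[str]:
    """Return the problems a post-join check should report (an empty list means OK)."""
    problems: List[str] = []
    if not re.fullmatch(r"[0-9a-fA-F-]{36}", fields.get("DeviceId", "")):
        problems.append("DeviceId missing: the device is not registered")
    if fields.get("TenantId", "").lower() != expected_tenant.lower():
        problems.append("TenantId differs from the expected tenant")
    return problems
```

On a real device, feed it the output of `dsregcmd /status` instead of `SAMPLE_STATUS` and pass your own tenant ID as `expected_tenant`.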

🔹 Enable Auto Enrollment to Intune via GPO

Prerequisites

  • Azure AD Premium license
  • Device must be Azure AD or Hybrid joined

GPO Configuration

  1. Open Group Policy Management Editor
  2. Navigate to:
     • `Computer Configuration > Administrative Templates > Windows Components > MDM`
  3. Enable:
     • Enable automatic MDM enrollment using default Azure AD credentials
  4. Select:
     • Device Credential
     • Set MDM Service to Intune

Post GPO Verification

  • Log in with an Azure AD user
  • Go to Settings > Accounts > Access work or school
  • Device shows Connected to Intune MDM
  • Verify in Microsoft Intune Admin Center > Devices