📌 Device and Hybrid Management
🔹 Register vs Join vs Hybrid Join → Device Types Explained
1. Azure AD Registered
- Used for personal/BYOD devices (phones, tablets, personal laptops).
- A work account is added to the device; the device gets an identity (and a Primary Refresh Token) in Azure AD, but the user still signs in to the OS with a local or Microsoft account.
- The admin does not own the device: Intune enrollment is optional and needs the user's consent, so management is limited to what the user accepts.
2. Azure AD Joined
- The device itself is joined to Azure AD; users sign in to the OS with their Azure AD credentials.
- Mainly used for corporate-owned, cloud-managed devices.
- Provides SSO to Microsoft 365 and Azure AD-integrated apps, and lets the device be auto-enrolled in Intune, where compliance and configuration policies are actually enforced.
3. Hybrid Azure AD Joined
- Devices are joined to on-prem Active Directory and additionally registered in Azure AD.
- Ideal for orgs with existing AD infrastructure (GPO, Kerberos-dependent apps) moving to the cloud.
- Requires Azure AD Connect to sync the computer objects and publish the service connection point (SCP); a GPO is typically used to control device registration and MDM enrollment.
🔹 How to Join Windows Device to Azure AD
Manual Join via Settings
- Open Settings > Accounts > Access work or school
- Click Connect
- Choose Join this device to Azure Active Directory (newer builds label it Microsoft Entra ID)
- Enter the user's work email and credentials (the user needs permission to join devices; check the tenant's device settings and the per-user device limit if the join is refused)
- Confirm the organization and tenant shown, then restart and sign in with the Azure AD account
Post-Join Verification
- Go to Settings > Accounts > Access work or school → the Azure AD account should be listed.
- Run `dsregcmd /status` in Command Prompt (as the signed-in user, not an elevated SYSTEM context, so the user and SSO sections are populated) to verify:
  * `AzureAdJoined : YES`
  * `DomainJoined : NO` (YES here would mean the device is hybrid joined, not Azure AD joined)
  * `DeviceId`, `TenantId`, `AzureAdPrt : YES`, etc.
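The manual check above is easy to misread when several `dsregcmd` sections repeat similar keys. The following PowerShell helper is an added example (it is not part of the original wiki page): it parses the `Key : Value` lines of `dsregcmd /status` into an object and classifies the device as registered, joined or hybrid joined from the `WorkplaceJoined`, `AzureAdJoined` and `DomainJoined` flags. The sample output at the bottom is constructed for offline use, not captured from a real device; the GUIDs in it are placeholders.

```powershell
# Added example: parse `dsregcmd /status` and classify the device state.
function Get-DeviceRegistrationState {
    [CmdletBinding()]
    param(
        # Raw dsregcmd output; by default the tool is run on this machine.
        # Run in the user's context so the User State / SSO State sections exist.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "        Key : Value" lines grouped under +---+ boxed headers.
    # Box lines and blank lines contain no "Key : Value" pair and are skipped.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') {
            $key = $Matches[1].Trim()
            # Keep the first occurrence; Device State is printed first.
            if (-not $fields.ContainsKey($key)) { $fields[$key] = $Matches[2] }
        }
    }

    $azureJoined  = $fields['AzureAdJoined']   -eq 'YES'   # device identity in Azure AD
    $domainJoined = $fields['DomainJoined']    -eq 'YES'   # on-prem AD membership
    $wpJoined     = $fields['WorkplaceJoined'] -eq 'YES'   # work account added (registered)

    $joinType = if ($azureJoined -and $domainJoined) { 'Hybrid Azure AD Joined' }
                elseif ($azureJoined)                { 'Azure AD Joined' }
                elseif ($wpJoined)                   { 'Azure AD Registered' }
                else                                 { 'Not registered' }

    [pscustomobject]@{
        JoinType        = $joinType
        AzureAdJoined   = $azureJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $wpJoined
        DeviceId        = $fields['DeviceId']
        TenantId        = $fields['TenantId']
        TenantName      = $fields['TenantName']
        AzureAdPrt      = $fields['AzureAdPrt']     # YES means a Primary Refresh Token exists (SSO works)
    }
}

# Constructed sample (not real dsregcmd output); GUIDs are placeholders.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000001

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-0000000000aa

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

# Offline run against the constructed sample; omit -StatusText on a real device.
Get-DeviceRegistrationState -StatusText $sample
```

On a real machine call `Get-DeviceRegistrationState` with no arguments from the signed-in user's PowerShell session. If `AzureAdPrt` comes back `NO` on a device that otherwise looks joined, the user will not get SSO and device-based Conditional Access will fail; that is the first thing to check before blaming policy.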
🔹 Entra Join vs Intune Enrollment Differences
Entra ID Join
- Creates the device identity in Azure AD (Entra ID) and binds it to the device, which then holds a Primary Refresh Token for the signed-in user.
- Required for device-based Conditional Access (for example "require hybrid Azure AD joined or compliant device"); user-based Conditional Access works without it.
- Enables SSO to Microsoft 365 and other Azure AD-integrated services.
- Join alone does not configure or harden the device.
Intune Enrollment
- Intune (MDM) manages device configuration, security baselines and compliance evaluation.
- Needed for device configuration profiles, app deployment, compliance policies, etc.
- A device can be joined but not enrolled (identity only, no management), and a BYOD device can be enrolled while only registered.
🔸 Key Differences: Register vs Join vs Hybrid Join

| Feature | Azure AD Registered | Azure AD Joined | Hybrid Azure AD Joined |
|---|---|---|---|
| Device Ownership | Personal (BYOD) | Corporate | Corporate (domain-joined) |
| Join Method | User adds a work account | User joins during setup/OOBE | GPO + Azure AD Connect (SCP) |
| User Sign-in | Local or Microsoft account + work account | Azure AD credentials | AD credentials (SSO to Azure AD via PRT) |
| Device Management | Limited (Intune optional) | Fully manageable via Intune | On-prem GPO + Intune optional |
| SSO to Azure Services | Yes (limited) | Full SSO | Full SSO |
| Suitable For | BYOD or external users | Cloud-native enterprises | Hybrid environments |
| Requires AD Connect | No | No | Yes |
| Device appears in Azure AD? | Yes | Yes | Yes |
| Device appears in on-prem AD? | No | No | Yes |
🔹 Hybrid Azure AD Join → Step-by-Step Configuration
Prerequisites
- On-prem AD + Azure AD tenant, with the users' UPN suffix added as a verified domain in the tenant
- Azure AD Connect (treat the server as a Tier 0 asset: it holds credentials that are equivalent to a domain controller's)
- Windows 10/11 Enterprise or Pro, domain-joined
- Working DNS and outbound HTTPS from the devices to the device registration endpoints (`login.microsoftonline.com`, `enterpriseregistration.windows.net`, `device.login.microsoftonline.com`)
Step-by-Step Guide
- Install & configure Azure AD Connect, making sure the OUs that hold the computer objects are in sync scope
- (Optional) Enable Device Writeback. It is not required for Hybrid Join itself; it is only needed for scenarios such as device-based Conditional Access through AD FS or Windows Hello for Business certificate trust
- Enable Hybrid Azure AD Join: in Azure AD Connect choose Configure device options > Configure Hybrid Azure AD join. This writes the service connection point (SCP) into the AD configuration partition; domain-joined Windows clients read it to find the tenant
- Configure GPO
  - Navigate to Computer Configuration > Administrative Templates > Windows Components > Device Registration
  - Enable Register domain-joined computers as devices
- Check Sync
  - Force sync on the Azure AD Connect server: `Start-ADSyncSyncCycle -PolicyType Delta`
  - Verify on the client with `dsregcmd /status`: a hybrid-joined device shows `AzureAdJoined : YES` together with `DomainJoined : YES` (there is no separate HybridAzureADJoined field)
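The client-side `dsregcmd` check only tells you the end result. When a hybrid join does not complete, the cause is usually on the AD side: the SCP was never written, or the computer object has not registered and therefore is not picked up by Azure AD Connect (its computer sync rule only exports objects whose `userCertificate` attribute is populated). The following PowerShell is an added example, not code from the original page. It assumes the ActiveDirectory RSAT module on the machine running it; the computer name `WKS-001` is a hypothetical placeholder, and the final sync step assumes it is run on the Azure AD Connect server where the ADSync module exists.

```powershell
# Added example: check the on-prem prerequisites of Hybrid Azure AD Join.
Import-Module ActiveDirectory

function Get-HybridJoinScp {
    # The SCP lives under a fixed, documented GUID in the configuration partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ae9-b1d8-9e4ae0c9a7b2,CN=Device Registration Configuration,CN=Services,$configNc"

    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        return $null   # no SCP: "Configure device options" was never run in Azure AD Connect
    }

    # keywords carries "azureADName:<verified domain>" and "azureADId:<tenant id>"
    $kw = @{}
    foreach ($entry in $scp.keywords) {
        $name, $value = $entry -split ':', 2
        $kw[$name] = $value
    }

    [pscustomobject]@{
        DistinguishedName = $scpDn
        TenantName        = $kw['azureADName']
        TenantId          = $kw['azureADId']
    }
}

function Test-ComputerRegistered {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Device registration stores the device certificate in userCertificate;
    # without it Azure AD Connect's computer sync rule does not export the object.
    $c = Get-ADComputer -Identity $ComputerName -Properties userCertificate, whenChanged

    [pscustomobject]@{
        ComputerName  = $c.Name
        HasDeviceCert = ($c.userCertificate.Count -gt 0)
        WhenChanged   = $c.whenChanged
    }
}

# --- usage ---------------------------------------------------------------
$scp = Get-HybridJoinScp
if (-not $scp) {
    Write-Warning "No SCP found. Run 'Configure device options' in Azure AD Connect."
} else {
    $scp
}

# Hypothetical computer name; replace with a real domain-joined workstation.
Test-ComputerRegistered -ComputerName 'WKS-001'

# Only on the Azure AD Connect server: push the registered computer object to Azure AD.
if (Get-Module -ListAvailable -Name ADSync) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Two things to check against the SCP output: `TenantName` must be a domain that is verified in the tenant, and the users' UPN suffix must match it (or an alternate login ID must be configured), otherwise devices find the wrong tenant or fail registration with a tenant mismatch. If `HasDeviceCert` is false the client has not attempted registration yet; look at the Device Registration GPO and the `User Device Registration` event log on that client before forcing a sync.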
🔹 Enable Auto Enrollment to Intune via GPO
Prerequisites
- Azure AD Premium P1 (Microsoft Entra ID P1) licenses, plus Intune licenses for the enrolling users
- Device must be Hybrid Azure AD joined (the GPO only applies to domain-joined devices; pure Azure AD joined devices are auto-enrolled at join time through the MDM user scope instead)
- MDM user scope set to include the users (Entra ID > Mobility > Microsoft Intune > MDM user scope) and the tenant's MDM authority set to Intune
- Windows 10 1709 or later
GPO Configuration
- Open Group Policy Management Editor
- Navigate to:
  - `Computer Configuration > Administrative Templates > Windows Components > MDM`
- Enable:
  - Enable automatic MDM enrollment using default Azure AD credentials
- Select the credential type:
  - User Credential (the usual choice; enrollment runs in the signed-in Azure AD user's context)
  - Device Credential (supported only on Windows 10 1903+ hybrid-joined devices and for a limited set of scenarios)
- Link the GPO to the OU that contains the hybrid-joined computers
Post GPO Verification
- Refresh policy on the client (`gpupdate /force`) and log in with a synced Azure AD user
- Go to Settings > Accounts > Access work or school
- Device shows Connected to <organization> MDM
- Verify in Microsoft Intune Admin Center > Devices > All devices
- If the device does not appear, check the scheduled task `\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD` and the `DeviceManagement-Enterprise-Diagnostics-Provider/Admin` event log on the client
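Checking the Settings page tells you whether enrollment succeeded but not where it stalled. The following PowerShell is an added example (not from the original page) that walks the chain the GPO sets in motion on a hybrid-joined client: the policy registry values the GPO writes, the scheduled task the enrollment client creates, and the completed enrollment record. The registry value names and meanings (`AutoEnrollMDM`, `UseAADCredentialType` with 1 = User Credential and 2 = Device Credential, `EnrollmentState` = 1 for a completed enrollment, `ProviderID` = `MS DM Server` for Intune) are assumptions taken from the MDM ADMX template and the enrollment client's registry layout; run it elevated on the client.

```powershell
# Added example: trace GPO-driven Intune auto-enrollment on a hybrid-joined client.
function Test-MdmAutoEnrollment {
    [CmdletBinding()]
    param()

    # 1) Policy written by "Enable automatic MDM enrollment using default Azure AD credentials".
    #    Value names/meanings assumed from MDM.admx: AutoEnrollMDM=1 enables it,
    #    UseAADCredentialType 1 = User Credential, 2 = Device Credential.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    $credType = switch ($policy.UseAADCredentialType) {
        1       { 'User Credential' }
        2       { 'Device Credential' }
        default { 'not set' }
    }

    # 2) Scheduled task created by the enrollment client once the policy applies.
    #    It retries periodically until enrollment succeeds; LastTaskResult 0 means the
    #    last attempt completed, anything else is an error code to look up.
    $taskName = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' `
                              -TaskName $taskName -ErrorAction SilentlyContinue
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    # 3) Enrollment record. Each enrollment is a GUID subkey; a completed Intune
    #    enrollment has ProviderID "MS DM Server" and EnrollmentState 1 (assumed values).
    $enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 } |
        Select-Object -First 1

    [pscustomobject]@{
        PolicyApplied   = ($policy.AutoEnrollMDM -eq 1)
        CredentialType  = $credType
        TaskPresent     = [bool]$task
        TaskLastRunTime = $taskInfo.LastRunTime
        TaskLastResult  = $taskInfo.LastTaskResult
        Enrolled        = [bool]$enrollment
        EnrollmentId    = if ($enrollment) { Split-Path -Path $enrollment.PSPath -Leaf } else { $null }
        DiscoveryUrl    = $enrollment.DiscoveryServiceFullURL
    }
}

Test-MdmAutoEnrollment
```

Read the result top to bottom: `PolicyApplied` false means the GPO never reached the machine (wrong OU link or `gpupdate` not run); `TaskPresent` true with a non-zero `TaskLastResult` means the policy applied but enrollment is failing, which is where the MDM user scope, licensing and the user's UPN-to-tenant mapping come in; `Enrolled` true with a `DiscoveryUrl` under `enrollment.manage.microsoft.com` is the state the Settings page reports as connected to MDM.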