Domain 1: Prepare Infrastructure for Devices (~12 min read)

Device Identity: Join, Register & Hybrid

Every device needs an identity in your cloud directory before you can manage it. Learn the three ways devices connect to Microsoft Entra ID, and when to use each one.

How do devices get an identity?

Simple explanation

Think of Microsoft Entra ID as the building’s reception desk.

Before anyone can use the lifts, meeting rooms, or printers, they need a badge. Devices work the same way: they need an “identity badge” in your cloud directory before Intune can manage them.

There are three ways to get that badge:

  • Entra Joined: the device lives in the cloud full-time (like a permanent employee badge)
  • Entra Registered: the device just checks in occasionally (like a visitor pass for personal devices)
  • Hybrid Joined: the device has badges for both on-prem Active Directory AND the cloud (like an employee who works in two offices)

The three join types

Sam Chen at Tui Solutions is migrating 500 devices from on-prem Active Directory to cloud-native management. His fleet includes corporate Windows laptops, shared tablets in the warehouse, and employees who occasionally use personal phones. Each device type needs a different approach.

| Feature | Entra Joined | Entra Registered | Hybrid Joined |
|---|---|---|---|
| Device ownership | Corporate-owned | Personal (BYOD) | Corporate-owned |
| Signed in with | Entra ID account | Personal account + work account added | On-prem AD account synced to Entra |
| On-prem AD required? | No | No | Yes |
| Supported OS | Windows 10/11, Windows Server 2019+ | Windows, iOS, Android, macOS | Windows 10/11, Windows Server |
| Full device management | Yes (Intune) | No (app-level only) | Yes (Intune + GPO) |
| Conditional Access support | Full | Limited | Full |
| SSO to cloud resources | Yes | Yes (for added account) | Yes |
| SSO to on-prem resources | Via cloud trust or Kerberos | No | Yes (native AD) |
| Best for | New cloud-first deployments | BYOD / personal devices | Migration from on-prem AD |

When to use which join type

Here’s Sam’s decision process for Tui Solutions:

New corporate laptops (ordered fresh, no existing AD relationship) → Entra Joined: these go straight to the cloud. No reason to touch on-prem AD.

Existing corporate laptops (currently domain-joined to on-prem AD) → Hybrid Joined: Sam can’t rip out on-prem AD overnight. Legacy apps still need Kerberos authentication. Hybrid join lets devices talk to both directories during migration.

Personal phones and tablets (employees checking email on their own devices) → Entra Registered: Sam doesn’t own these devices. Registration lets users access work apps while app protection policies keep corporate data safe.

Exam tip: the migration path

The exam loves to test when hybrid join makes sense vs pure Entra join. The key deciding factor is: does the organisation still rely on on-premises Active Directory for authentication or Group Policy?

  • If yes → Hybrid Join (transitional)
  • If no (or starting fresh) → Entra Joined (target state)
  • Personal devices → always Entra Registered

Microsoft’s recommended end state is Entra Joined (cloud-native). Hybrid join is the bridge, not the destination.

How to join a device to Entra ID

Entra Join (corporate devices)

There are several ways to Entra-join a device:

  1. Windows OOBE (Out-of-Box Experience): during first setup, the user selects “Set up for an organisation” and signs in with Entra credentials
  2. Windows Settings: Settings → Accounts → Access work or school → Connect → Join this device to Microsoft Entra ID
  3. Windows Autopilot: fully automated join during device provisioning (covered in Module 8)
  4. Bulk enrollment: using a provisioning package for kiosk/shared devices

Entra Registration (personal devices)

  1. Windows Settings: Settings → Accounts → Access work or school → Connect (without selecting “Join”)
  2. Company Portal app β€” on iOS/Android, install Company Portal and sign in
  3. Microsoft Authenticator β€” on mobile devices, add a work account

Hybrid Join

  1. Entra Connect Sync: configure device writeback in Entra Connect
  2. Devices join on-prem AD normally → Entra Connect syncs the device object to Entra ID
  3. Requires Entra Connect (or Cloud Sync) with device sync enabled

Deep dive: Entra Connect vs Cloud Sync for hybrid join

For hybrid join, devices must be synced from on-prem AD to Entra ID:

  • Entra Connect Sync: the original sync tool. Supports device writeback and hybrid join configuration. Requires an on-prem server.
  • Entra Cloud Sync: lighter weight, agent-based. Supports hybrid join as of recent updates. Easier to set up for multi-forest environments.

Both achieve the same result: creating a device object in Entra ID that mirrors the on-prem AD computer object. The exam may ask about prerequisites: both require the device to have line-of-sight to a domain controller and internet access to reach Entra endpoints.
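Whichever of the procedures above a device went through, the built-in Windows tool dsregcmd /status reports the state it actually ended up in. The PowerShell function below is an added example, not part of the course or of Microsoft's tooling: it maps the real AzureAdJoined, DomainJoined and WorkplaceJoined fields of that output onto the three join types in this module, so an administrator can confirm a hybrid join completed (or spot a laptop that is still on-prem only) without reading the raw report. The sample output is constructed and abbreviated; the mapping rules are the assumption being demonstrated.

```powershell
# Added example (not from the course): classify a Windows device's Entra ID
# relationship from 'dsregcmd /status' output. AzureAdJoined, DomainJoined and
# WorkplaceJoined are genuine dsregcmd fields; the mapping below to the course's
# three join types is the assumption this example demonstrates.
function Get-EntraJoinType {
    param(
        [Parameter(Mandatory)]
        [string[]]$StatusLines   # lines of dsregcmd /status output
    )

    # Collect "Name : VALUE" pairs; header/border lines have no colon and are skipped.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and -not $fields.ContainsKey($Matches[1])) {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $cloud     = $fields['AzureAdJoined']   -eq 'YES'   # Device State section
    $onPrem    = $fields['DomainJoined']    -eq 'YES'   # Device State section
    $workplace = $fields['WorkplaceJoined'] -eq 'YES'   # User State section (per signed-in user)

    if ($cloud -and $onPrem) { return 'Hybrid Joined' }
    if ($cloud)              { return 'Entra Joined' }
    if ($workplace)          { return 'Entra Registered' }
    if ($onPrem)             { return 'On-prem AD only (no Entra identity yet)' }
    return 'No directory identity'
}

# Constructed sample resembling dsregcmd /status for an existing Tui Solutions
# laptop after Entra Connect has synced it (hybrid join).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : TUI
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-EntraJoinType -StatusLines $sample        # Hybrid Joined

# On a real device, feed the live report instead:
# Get-EntraJoinType -StatusLines (dsregcmd /status)
```

A result of "On-prem AD only" on a device that was expected to be hybrid joined usually points back to the prerequisites above: the device object has not synced yet, or the device cannot reach a domain controller and the Entra endpoints at the same time.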

Real-world scenario: Sam’s migration plan

Sam’s approach at Tui Solutions (500 devices):

| Phase | Action | Join Type |
|---|---|---|
| Now | New laptops ship as Entra Joined via Autopilot | Entra Joined |
| Now | Existing laptops get Hybrid Joined via Entra Connect | Hybrid Joined |
| Now | Employee personal phones registered via Company Portal | Entra Registered |
| 6 months | Migrate legacy apps off Kerberos → modern auth | - |
| 12 months | Convert hybrid devices to Entra Joined (re-image or reset) | Entra Joined |
| End state | All corporate devices Entra Joined, BYOD registered | Cloud-native |

Key exam concept: Microsoft recommends moving toward cloud-native (Entra Joined) as the target state. Hybrid join is a transitional step for organisations that still depend on on-premises Active Directory.

Flashcards

Question

What are the three ways a device can have an identity in Microsoft Entra ID?

Answer

  1. Entra Joined (corporate, cloud-native)
  2. Entra Registered (personal/BYOD, lighter management)
  3. Hybrid Joined (both on-prem AD and Entra ID, transitional during migration)

Question

When should you use Hybrid Join instead of Entra Join?

Answer

When the organisation still relies on on-premises Active Directory for authentication (Kerberos) or Group Policy. Hybrid join is a transitional state; the target is cloud-native Entra Join.

Question

What tool syncs on-prem AD device objects to Entra ID for hybrid join?

Answer

Microsoft Entra Connect Sync (or Entra Cloud Sync). Both create a mirrored device object in Entra ID from the on-prem AD computer account.

Question

What's the key difference between Entra Joined and Entra Registered?

Answer

Entra Joined = corporate-owned device, full management via Intune, user signs in with Entra account. Entra Registered = personal device, app-level management only, user adds a work account alongside their personal account.

Knowledge Check

Sam is setting up new laptops for Tui Solutions. The company has no on-premises Active Directory; everything is cloud-based. Which device join type should Sam use?

An employee at Tui Solutions wants to check work email on their personal iPhone. What's the appropriate Entra ID relationship for this device?

Chen Wei at Meridian Bank needs to manage 10,000 Windows devices that are currently joined to on-premises Active Directory. The bank still uses Kerberos authentication for several legacy financial applications. What join type should Chen Wei implement?

Next up: Build the Right Device Groups (organising your devices with dynamic membership, assigned groups, and filters).