Device Identity & Registration
Understanding the Concept
Device identity in Microsoft Entra ID determines how devices are managed and how they interact with cloud resources. There are three join types: Entra registered (BYOD personal devices), Entra joined (cloud-only corporate devices), and Entra hybrid joined (on-premises domain-joined devices also registered in Entra ID).
Entra registered devices allow users to access corporate resources from personal devices with minimal IT control. Entra joined devices are fully managed cloud devices - ideal for cloud-first organizations. Hybrid joined devices bridge the gap for organizations with existing on-premises AD infrastructure.
Device-based Conditional Access policies can require managed or compliant devices for access. Intune compliance policies define what constitutes a compliant device (encryption, OS version, antivirus). Device identity is a cornerstone of Zero Trust - you must verify both the user AND the device.
Key Points
- Entra Registered: BYOD devices, user-level association, minimal IT control
- Entra Joined: Cloud-managed corporate devices, replaces domain join
- Hybrid Joined: Domain-joined + Entra registered, for transition scenarios
- Device compliance via Intune enforces security baselines
- Primary Refresh Token (PRT) enables SSO on Entra joined/registered devices
Device Join Types Comparison
Type              Description
Entra Registered  Personal device, user signs in with Entra ID, device not IT-managed
Entra Joined      Corporate device, fully cloud-managed, no on-prem domain needed
Hybrid Joined     Domain-joined + cloud-registered, synced via Entra Connect
Compliance        Intune checks encryption, OS patches, antivirus status
Why This Matters in Real Organizations
In Zero Trust, device identity is as important as user identity. An authenticated user on a compromised or unmanaged device is still a risk. Device-based policies ensure that only healthy, managed devices can access sensitive resources.
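As an added example (not part of the lesson), the following Microsoft Graph PowerShell session first inventories the tenant's devices by the join types described above and then creates the device-based Conditional Access policy in report-only mode, requiring either a compliant device or a hybrid joined device. It assumes the Microsoft Graph PowerShell SDK is installed; the emergency-access account ID is a placeholder.

```powershell
# Added example, not from the lesson. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Device.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Inventory: map Graph's trustType value to the join type used in the lesson.
#    Workplace = Entra registered, AzureAd = Entra joined, ServerAd = hybrid joined.
$joinType = @{ Workplace = "Entra registered"; AzureAd = "Entra joined"; ServerAd = "Hybrid joined" }
Get-MgDevice -All -Property "displayName,trustType,isCompliant,isManaged,approximateLastSignInDateTime" |
    Select-Object DisplayName,
        @{ n = "JoinType"; e = { $joinType[$_.TrustType] } },
        IsCompliant, IsManaged, ApproximateLastSignInDateTime |
    Sort-Object JoinType |
    Format-Table -AutoSize

# 2. Policy: "compliantDevice" = Require device to be marked as compliant (Intune);
#    "domainJoinedDevice" = Require Microsoft Entra hybrid joined device.
#    Operator OR means either control satisfies the grant. Entra registered devices
#    satisfy neither unless Intune marks them compliant, which is the intended effect.
$breakGlassObjectId = "<object-id-of-emergency-access-account>"   # placeholder, set before running

$policy = @{
    displayName   = "Require compliant or hybrid joined device (report-only)"
    state         = "enabledForReportingButNotEnforced"   # review sign-in logs first, then enable
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassObjectId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 3. Check: read the policy back and confirm state and grant controls are as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
"{0}: state={1}, controls={2} ({3})" -f $check.DisplayName, $check.State,
    ($check.GrantControls.BuiltInControls -join ","), $check.GrantControls.Operator
```

Report-only results appear in the sign-in logs under the policy name, so the impact on unmanaged devices can be reviewed before the state is switched to enabled.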
Common Mistakes to Avoid
Interview Tips
- Clearly differentiate the three join types with use cases
- Explain the Primary Refresh Token and how it enables SSO
- Discuss device-based Conditional Access for Zero Trust
Exam Tips (SC-300)
- Know the three device join types and requirements for each
- Understand that device compliance evaluation requires Intune
- Know how device state is used in Conditional Access policies