Windows devices can be registered with Azure AD or joined to Azure AD. Other operating systems, such as iOS, Linux, macOS, and Android, can only be registered.
Generally, corporately owned devices running Windows should be Azure AD-joined, whereas users’ own devices running Windows should be registered with Azure AD.
Remember, ONLY Windows devices can be joined to Azure AD.
After a user registers or joins their device with Azure AD, it is “known” to Azure AD, and information about the device is stored in Azure AD. Effectively, the device is given an identity with Azure AD. You can then create conditional access policies to determine whether access to resources from your users’ devices will be granted.
Azure AD–registered devices enable users to use personally owned devices to access your organization’s resources in a controlled manner. Azure AD supports Bring Your Own Device (BYOD) scenarios for multiple devices, including Windows 11, iOS, Android, and macOS.
With an Azure AD–registered device, the user gains access to resources using a work or school Azure AD account at the time they access the resources. All corporate data and apps are kept completely separate from the personal data and apps on the device. If the personal computer, tablet, or phone that is registered with Azure AD doesn’t meet your corporate standards for security and compliance—for example, if the device is not running a supported version of the operating system or has been rooted—access to the resource is denied.
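The conditional access decision described above (grant access only from devices that meet the organization's compliance policy, deny otherwise) is expressed as a policy object in Azure AD. The following is an added example, not code from the original text, showing that policy created through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and that the break-glass group object ID is a placeholder you replace with your own.

```powershell
# Added example: require a compliant device (or a hybrid Azure AD-joined device)
# for every cloud app, created in report-only mode so sign-in logs show the
# effect before any user is actually blocked.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the caller has the
# Policy.ReadWrite.ConditionalAccess scope; the group ID below is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policy = @{
    displayName = 'Require compliant or hybrid-joined device for all cloud apps'
    # 'enabledForReportingButNotEnforced' = report-only; switch to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            # Always exclude an emergency-access (break-glass) group so a device
            # compliance outage cannot lock every administrator out of the tenant.
            excludeGroups = @('<BREAK-GLASS-GROUP-OBJECT-ID>')   # placeholder
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: either control satisfies the policy.
        #   compliantDevice    - device is Intune-managed and marked compliant
        #                        (covers Azure AD-registered and Azure AD-joined devices)
        #   domainJoinedDevice - device is hybrid Azure AD joined
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' with id {1} in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

A registered personal device that is rooted, or running an unsupported OS version, fails the Intune compliance check, so it satisfies neither control and the sign-in is denied once the policy is switched from report-only to enabled. Keeping the policy in report-only mode first lets you confirm in the sign-in logs which users would be affected.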
The main reasons for implementing device registration are:
- Enabling access to corporate resources from non-domain-joined or personally owned devices.
- Enabling SSO for specific apps and/or resources managed by Azure AD.
After you enable device registration, users can register and enroll their devices in your organizational tenant. After they have enrolled their devices:
- Enrolled devices are associated with a specific user account in Azure AD.
- A device object is created in Azure AD to represent the physical device and its associated user account.
- A user certificate is installed on the user’s device.
Azure AD–Joined Device
Joining a Windows 11 device to Azure AD is similar to registering a device with Azure AD, but it enables enhanced management capabilities. After a device has been joined to Azure AD, the local state of the device changes to enable your users to sign in to the device using the work or school account instead of a local account.
An enterprise typically joins the devices it owns to Azure AD to allow for cloud-based management of those devices and to grant them access to corporate apps and resources.
Organizations of any size can deploy Azure AD Join. Azure AD Join works well in a cloud-only (no on-premises infrastructure) environment. When Azure AD Join is implemented in a hybrid environment, users can access both cloud and on-premises apps and resources.
Azure AD–joined devices enable your users to access the following benefits:
- SSO: Enables simplified user access to Azure-managed SaaS apps, services, and work resources.
- Enterprise-compliant roaming: User settings roam across the user’s Azure AD–joined devices (without the need to sign in using a Microsoft account).
- Windows Hello: Devices can be secured using the enterprise features of Windows Hello.
- Restriction of access: Devices can only access apps that meet the organizational compliance policy.
- Seamless access to on-premises resources: Hybrid Azure AD–joined devices can access on-premises resources when connected to the domain network.
Organizations that already have Microsoft 365 or other SaaS apps integrated with Azure AD have the necessary components in place to have devices managed in Azure AD instead of being managed in Active Directory.
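The three device identity states discussed on this page (Azure AD registered, Azure AD joined, and hybrid Azure AD joined) can be confirmed on a Windows device with the built-in dsregcmd /status tool. The following is an added example, not code from the original text, that parses that output and reports which state the device is in. It assumes dsregcmd.exe is present (Windows 10/11) and that the field names AzureAdJoined, DomainJoined, WorkplaceJoined, TenantName, and DeviceId appear in the output as they do on current builds; the sample output at the end is constructed.

```powershell
# Added example: classify a Windows device's Azure AD identity state from
# `dsregcmd /status` output. Assumes dsregcmd.exe exists (Windows 10/11);
# the field names parsed below are those printed by current builds.

function Get-AzureAdDeviceState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running the tool locally.
        [string[]]$StatusText = (dsregcmd /status)
    )

    # dsregcmd prints "    Key : Value" lines inside boxed sections; collect them.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(?<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?<value>.*?)\s*$') {
            $fields[$Matches.key] = $Matches.value
        }
    }

    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'   # device object in Azure AD (join)
    $domainJoined    = $fields['DomainJoined']    -eq 'YES'   # on-premises AD domain member
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'   # registered (user-level) state

    # Join + on-prem domain = hybrid; join alone = Azure AD joined; WorkplaceJoined alone
    # = Azure AD registered (the only state available to personal/BYOD devices).
    $state = if ($azureAdJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
             elseif ($azureAdJoined)                 { 'Azure AD joined' }
             elseif ($workplaceJoined)               { 'Azure AD registered' }
             elseif ($domainJoined)                  { 'On-premises domain joined only' }
             else                                    { 'Not known to Azure AD' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $azureAdJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        TenantName      = $fields['TenantName']
        DeviceId        = $fields['DeviceId']
    }
}

# Constructed sample output (abridged) for an Azure AD-joined corporate laptop,
# so the function can be exercised without running dsregcmd.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : CONTOSO-LAPTOP01

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-AzureAdDeviceState -StatusText $sample   # State: Azure AD joined

# On a real machine, omit -StatusText to inspect the local device:
# Get-AzureAdDeviceState
```

Running the function without arguments on a fleet (for example via a remote PowerShell session) gives a quick inventory of which devices are joined, hybrid joined, or merely registered, which is useful when verifying that corporately owned Windows devices have actually been joined rather than registered as this page recommends.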