Entra ID Device Join Types define the relationship between a device and your organization. Different join types give different levels of trust, control, and access. There are three: Entra Joined, Entra Registered, and Entra Hybrid Joined. Two of these (Joined / Registered) cover 95% of real-world tenants — this guide focuses on those, with a brief intro to Hybrid at the end. Hybrid Join gets a dedicated walkthrough later in the pathway.
Two analogies that make it stick:
- Joined = ID card — the device is a corporate asset, IT manages every detail, the organization owns it.
- Registered = visitor badge — the device is personal, the user owns it, IT only enforces access policies for corporate apps.
The three device join types — overview
| Join Type | In simple words | Covered here? |
|---|---|---|
| Entra Joined | Company device, fully managed by IT | Yes |
| Entra Registered | Personal device (BYOD), user-controlled, limited org oversight | Yes |
| Entra Hybrid Joined | Company device joined to BOTH on-prem AD and Entra ID | Brief intro, full walkthrough in later post |
Entra Joined devices
What “joined” means
When a device is joined to Entra ID, the device itself has been registered and trusted by the organization at a deep level. The device is a corporate asset — like giving a new employee an ID card that lets them walk through every secured door in the building.
The device communicates directly with Entra ID. The IT team can push policies, deploy software, enforce security settings, and remotely wipe the device if it’s lost or stolen.
Key characteristics
- The device is owned and issued by the organization
- Fully managed — IT can install software, apply Group Policy, enforce encryption, and remotely wipe
- Users log in with their organizational credentials (e.g., jdoe@company.com), not a local Windows account
- Join typically happens during initial device setup (Out-of-Box Experience / OOBE) or when IT onboards the device
- Single Sign-On (SSO) works seamlessly — once logged in, users access all corporate apps without re-entering credentials
- MDM (Mobile Device Management) tools like Microsoft Intune are automatically applied
- Works well when offline — Entra ID credentials are cached locally
How the join happens
Method 1 — during Windows Setup (OOBE)
- New device is powered on for the first time
- During the setup wizard, user is asked to sign in with a work or school account
- User enters their organizational email + password
- Windows joins the device to Entra ID and applies all organizational policies
Method 2 — from Settings on an existing device
- Settings → Accounts → Access work or school
- Click Connect → choose Join this device to Microsoft Entra ID
- Enter organizational credentials
- Device is joined and policies are applied
Real-world example: A bank hires a new employee. IT gives them a company laptop. During first-time setup, the employee signs in with their company email. The laptop becomes Entra Joined — IT can now manage it fully, enforce password policies, encrypt the hard drive, and remotely wipe it if the employee leaves or the device is stolen.
What the organization can control
- Force BitLocker encryption on all joined devices
- Deploy software (antivirus, M365 apps) automatically via Intune
- Set password complexity and screen lock policies
- Block USB drives or restrict printing
- Remotely wipe or lock the device
- Enforce Conditional Access — e.g., block login if device isn’t compliant
Entra Registered devices
What “registered” means
When a device is registered with Entra ID, the device has been introduced to the organization’s identity system, but the organization does NOT take full control. In the visitor-badge analogy, the visitor is allowed into certain areas, but the company does not manage their personal belongings.
This is the BYOD (Bring Your Own Device) model. The user keeps full control of their personal phone, tablet, or laptop. The organization only enforces access policies — for example, requiring that the device has a screen lock or an up-to-date OS before allowing access to corporate email.
Key characteristics
- The device is owned by the user — their personal device
- The organization does NOT fully manage it — IT cannot remotely wipe the whole device or install software freely
- Users register using a personal Microsoft account or their work account through an app (Microsoft Authenticator, Company Portal)
- The organization can apply Conditional Access policies (e.g., “only allow access to company email if this device has a PIN and updated OS”)
- SSO is partial — some apps support it, others may require separate login
- MDM enrollment is optional and usually limited to corporate apps, not the whole device
- Registration can be done at any time by the user — no IT involvement required
How registration happens
Registration is always user-initiated and simple.
Method — via Authenticator app or Company Portal
- User downloads Microsoft Authenticator or Intune Company Portal app on their personal device
- Signs in with work account
- App guides them to register the device
- Device is now registered — user can access Outlook, Teams, SharePoint
Method — via Windows Settings (for personal Windows PCs)
- Settings → Accounts → Access work or school
- Click Connect
- Enter work email and password
- Choose Register (NOT Join) — the device is registered but not fully managed
Real-world example: A hospital employee wants to check work emails on their personal iPhone. IT does not want to manage the personal phone — but they need to ensure only trusted devices access patient data. Employee registers their iPhone with Entra ID via the Authenticator app. IT can now apply a Conditional Access policy requiring a PIN and up-to-date iOS, but cannot wipe or control the phone beyond that.
What the organization can control on a registered device
- Apply Conditional Access policies — block or allow access based on device compliance
- Require minimum OS version or screen lock before allowing corporate app access
- Selectively wipe ONLY corporate data (remove the corporate email profile, not the entire device)
- Require MFA when accessing corporate resources
Important limitation: The organization CANNOT push software to the entire device, enforce full disk encryption, or wipe the whole device. That level of control requires Entra Join, not registration.
Side-by-side comparison
| Feature | Entra Joined | Entra Registered |
|---|---|---|
| Who owns the device? | Organization (corporate asset) | User (personal device) |
| Primary use case | Work-only corporate laptops/desktops | Personal phones, tablets, laptops (BYOD) |
| Identity used to join | Entra ID (organizational account) | Personal or organizational account |
| Org manages the device? | Yes — full management via Intune/GPO | No — limited, only conditional access |
| Works without internet? | Yes — Entra ID credentials cached | Depends on device and app settings |
| SSO to corporate apps? | Yes — seamless | Partial — varies by app and policy |
| MDM enrollment | Automatic (Intune or other MDM) | Optional / user-initiated |
| Typical users | Full-time employees with company devices | Contractors, remote staff, BYOD users |
| Setup time | During device setup / onboarding | User self-registers anytime |
Real-world scenarios — which join type to use?
| Scenario | Use | Why |
|---|---|---|
| New employee gets a company laptop | Entra Joined | Full management needed, corporate device |
| Employee checks email on personal phone | Entra Registered | BYOD — org should not manage personal device |
| Remote contractor accesses SharePoint | Entra Registered | They have their own device, not company-owned |
| IT admin sets up a shared office desktop | Entra Joined | Shared corporate device, needs full control |
| Executive wants work apps on personal iPad | Entra Registered | BYOD — personal device, limited org control |
What about Entra Hybrid Joined? (brief intro)
Hybrid Join is designed for organizations that have BOTH an on-premises Active Directory AND use Microsoft Entra ID in the cloud. A Hybrid Joined device is connected to both simultaneously.
This is common in large enterprises that have been using traditional Windows Server AD for years and are gradually moving to the cloud. Their existing domain-joined computers become Hybrid Joined — they remain under on-prem AD management while also being registered in Entra ID for cloud access.
In simple words: Hybrid Join = old-school domain join + Entra ID together. It bridges the gap between traditional IT infrastructure and modern cloud identity. The full setup walkthrough comes in a later post in the pathway.
Frequently asked questions
Is Microsoft Entra ID the same as Azure Active Directory?
Yes. Microsoft rebranded Azure AD to Microsoft Entra ID in 2023. The technology is the same — only the name changed. You may still see “Azure AD” in older documentation, tutorials, and some settings menus.
Can a device be both Entra Joined AND Entra Registered at the same time?
No. A device can only have one join type at a time. It is either Joined (corporate, fully managed), Registered (personal, limited control), or Hybrid Joined.
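On Windows, which of these three mutually exclusive states a device is in can be read from the built-in `dsregcmd /status` tool. The script below is an added example, not part of the original post: it parses that output (a constructed sample is embedded so it runs anywhere) and names the join type from the AzureAdJoined, DomainJoined and WorkplaceJoined fields.

```powershell
# Added example (not from the original post): map the output of the built-in "dsregcmd /status"
# tool onto the three join types. The sample below is constructed (a plain Entra Joined device)
# so the script runs on any machine; on a Windows device the live dsregcmd output is used instead.
$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
           WorkplaceJoined : NO
'@

function Get-EntraJoinType {
    param([string[]]$StatusLines)
    # Collect "Key : Value" lines into a hashtable. Box-drawing and section-title lines have no
    # single-word key followed by a colon, so the regex skips them.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $entraJoined = $fields['AzureAdJoined']   -eq 'YES'   # device is joined to Entra ID
    $adJoined    = $fields['DomainJoined']    -eq 'YES'   # device is joined to on-prem AD
    $registered  = $fields['WorkplaceJoined'] -eq 'YES'   # current user registered the device
    if ($entraJoined -and $adJoined) { return 'Entra Hybrid Joined' }
    if ($entraJoined)                { return 'Entra Joined' }
    if ($registered)                 { return 'Entra Registered' }
    if ($adJoined)                   { return 'On-premises domain joined only' }
    return 'Not joined or registered'
}

# Use the live tool when it exists (Windows); otherwise fall back to the constructed sample.
$lines = if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    dsregcmd /status
} else {
    $SampleStatus -split "`r?`n"
}
Get-EntraJoinType -StatusLines $lines
```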
If I register my personal phone, can my employer see my photos / messages / apps?
No. Registration only gives the organization visibility into basic device compliance — whether you have a screen lock or updated OS. Personal photos, messages, banking apps, and other personal data remain completely private and inaccessible to the org.
What happens to my data if I leave the company and my device is Entra Joined?
Since Entra Joined devices are corporate property, IT can remotely wipe the entire device, resetting it along with all the data on it. This is why Entra Join is only used on company-owned devices, not personal ones.
What about a personal device that was Entra Registered?
The org can selectively remove only the corporate data — for example, remove the work email account and any corporate app data. Personal photos, apps, and data remain completely untouched.
Do I need internet access for an Entra Joined device to work?
Not necessarily. When you first log in with internet access, your credentials are cached locally. After that, you can log in offline. However, for policy updates, software deployments, and accessing cloud resources, internet access is required.
Can a Mac or Linux device be Entra Joined?
Entra Join (full join) is currently supported only on Windows 10 and Windows 11 devices. Mac, iOS, Android, and Linux can be Entra Registered, and managed through Intune with limitations, but cannot be fully Entra Joined the same way Windows can.
What is Conditional Access and how does it relate?
Conditional Access is a set of rules that control who can access what, based on conditions. Example: “Allow access to email only if device is Entra Joined or Registered AND has a screen lock AND runs a supported OS version.” Both Joined and Registered devices can be subject to CA. See Part 7 for the policy walkthrough.
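The rule quoted above, expressed as a Microsoft Graph conditionalAccessPolicy body built in PowerShell; this is an added example, not the post's own code, and the policy name is made up. The screen-lock and OS-version checks are not Conditional Access settings themselves: they live in the Intune compliance policy that the compliantDevice grant control consults, and an unregistered device has no compliance state, which is what enforces the "Joined or Registered" part.

```powershell
# Added example (not from the original post): build the Graph API body for a Conditional Access
# policy implementing the FAQ rule, with the correct (AND) and a weak (OR) grant operator side by side.
function New-MailDevicePolicyBody {
    param([ValidateSet('AND', 'OR')][string]$Operator = 'AND')
    @{
        displayName = 'Email: compliant joined/registered device plus MFA'   # made-up name
        # Report-only state: sign-ins are evaluated and logged, nothing is blocked yet.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users        = @{ includeUsers = @('All') }
            # "Office365" is the built-in target covering Exchange Online and the rest of the suite.
            applications = @{ includeApplications = @('Office365') }
        }
        grantControls = @{
            operator        = $Operator
            # compliantDevice: the device must be known to Entra ID (joined or registered) AND be
            # marked compliant by Intune, whose compliance policy carries the screen-lock and
            # minimum-OS requirements. An unregistered device cannot satisfy this control.
            builtInControls = @('compliantDevice', 'mfa')
        }
    }
}

# Correct: with AND, an unregistered personal phone cannot reach email even after passing MFA.
$good = New-MailDevicePolicyBody -Operator 'AND'
# Weak variant: with OR, any device gets in as long as MFA succeeds, so the device condition is moot.
$weak = New-MailDevicePolicyBody -Operator 'OR'

$good | ConvertTo-Json -Depth 10

# To create the policy for real, sign in with the Policy.ReadWrite.ConditionalAccess scope and
# post the body to /identity/conditionalAccess/policies, e.g. with the Microsoft Graph module:
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
#   New-MgIdentityConditionalAccessPolicy -BodyParameter $good
```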
Is MDM enrollment mandatory when a device is Entra Joined?
It depends on the organization’s configuration. By default, Entra Join can trigger automatic MDM enrollment (usually into Microsoft Intune). If Intune is configured in the tenant, the device will automatically enroll during the join. The IT team can also configure this to be optional.
Which join type should a small business with 20 employees use?
For company-owned laptops and desktops used only for work, use Entra Join. For employees who want to check work email on their personal phones, use Entra Registered. Most small businesses use a combination depending on the device type and ownership.
Does Entra ID cost extra?
Microsoft Entra ID has a free tier that includes basic device registration and join features. Advanced features like Conditional Access, Identity Protection, and advanced MDM integration require Entra ID P1 or P2 licenses, which are included in Microsoft 365 Business Premium and Enterprise plans.
What’s next
This was the conceptual map. The next post in the Entra ID Security pathway walks through the actual Entra Join procedure — OOBE, Settings > Accounts, troubleshooting common errors, and verifying join state.