Hi @Tyric Sunstrider • Thank you for reaching out.
My understanding is that you are having some doubts about what administrators can and cannot see once you are using Entra ID on a personal device?
Can you please elaborate a bit more on what exact procedure you are being asked to follow for what you are describing as hooking your device up to Entra ID?
- Are you being asked to set up a work account on your personal device by following the procedure in "Manage user accounts in Windows", and/or to set up multifactor authentication on your phone using Microsoft Authenticator or a different Authenticator application?
- Are you being asked to register your device in Entra by following the procedure in "Register your personal device on your work or school network"?
- Are you being asked to join a specific domain within your operating system configuration by your IT administrator?
- Are you being asked to install additional software or agents to achieve the registration process by the IT administrator?
What the IT department of your employer will be able to do will depend on the way your personal device is integrated.
The typically recommended way for device registrations for personal devices would be a simple device registration. A quick overview for this scenario is described in the following Learn Article: Microsoft Entra registered devices.
Without knowing the exact setup your employer is currently utilizing, this method would usually be used to configure something called Conditional Access policies, which you can find an overview of here: What is Conditional Access?. As a quick summary, this allows your employer to allow you access to specific company resources via an assigned identity, for your specific device if it was registered in Entra.
This method cannot be used to control anything like file copy processes or remote screen recordings on your device.
Conditional Access can also be used to enforce other identity types, without the need to ever register or join your device to Entra. In this case you would simply be adding the work account to your device and utilizing the authentication mechanism of Entra ID to prove that you are you, in turn allowing your employer to authorize you for access to corporate resources. Again, in this case the identity is not your device but rather your access to your account (with optional multiple factor authentication via Windows Hello, Passkeys, SMS authentication etc.).
In summary, neither method will allow your employer to install anything onto your personal device without your consent, read local files from your hard drive or monitor/record your screen. They facilitate access to company resources by proving your identity one way or the other on a device that is not corporate managed.
That being said, if you are being asked to install additional software onto your personal device, the abilities of your employer may change. This will be highly dependent on what type of software you are being asked to install. Common asks would be device management solutions (which can enforce software installations, minimum patch levels, restrict certain functionality of the operating system to be managed by yourself etc.). Prior to installing any software, it is usually best to consult the website of the vendor of the software to see what actions it allows. Should you be asked to install software that is from Microsoft, feel free to mention the software name and I can do some digging for you in terms of what capabilities it would allow your IT administrator on the device and point you to the correct documentation to validate this on your own to gain an understanding of what can or cannot be done. If it is third-party software, I would advise a general internet search for the software name and its capabilities.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
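To tell which of the integration types asked about above (registered, joined, or neither) already applies to a Windows device, the output of the built-in `dsregcmd /status` command can be classified as in this added example, which is not part of the original answer. The sample output is constructed, and the script reports only the registration/join state; it does not detect separately installed management software.

```python
import re
import sys

# Constructed, trimmed sample of `dsregcmd /status` output (not from a real device).
SAMPLE = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : YES
"""

# Matches "Name : Value" lines; banner lines starting with '+' or '|' do not match.
FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def parse_status(text):
    """Return {field: value} for every 'Name : Value' line (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields

def classify(text):
    """Map the join flags to the device state they describe."""
    f = parse_status(text)
    yes = lambda key: f.get(key, "NO").upper() == "YES"
    if yes("AzureAdJoined") and yes("DomainJoined"):
        return "hybrid joined"
    if yes("AzureAdJoined"):
        return "Entra joined"
    if yes("DomainJoined"):
        return "domain joined"
    if yes("WorkplaceJoined"):
        return "Entra registered"
    return "not registered or joined"

if __name__ == "__main__":
    # Usage on Windows: dsregcmd /status | python this_script.py
    print(classify(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```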