Microsoft Entra ID

Tyric Sunstrider 0 Reputation points
2024-11-28T13:08:34.1733333+00:00

Hello...

I work in a small family business and we're starting to grow. In a recent network setup they are implementing, we will be hooking our devices with Microsoft Entra IDs.

The thing is that they are asking to sign in our company PCs and also our personal laptops (we do some WFH and they do not provide laptops).

I understand that they can pull info like active/idle times and all Microsoft app logs, but I am concerned about my personal privacy:

  • What information will they be able to pull? - Can they monitor the screens?
  • Can they copy files without my consent?

I'm not paranoid, I just want to make sure that they aren't asking for more than what they're entitled to.


1 answer

  1. FrankEscarosBuechsel-MSFT 175 Reputation points Microsoft Employee
    2024-11-28T13:53:09.8533333+00:00

    Hi @Tyric Sunstrider, thank you for reaching out.

    My understanding is that you are having some doubts on what administrators can and cannot see once you are using Entra ID on a personal device?

    Can you please elaborate a bit more on what exact procedure you are being asked to follow for what you are describing as hooking your device up to Entra ID?

    1. Are you being asked to set up a work account on your personal device by following this procedure here: Manage user accounts in Windows, and/or set up multifactor authentication on your phone using Microsoft Authenticator or a different Authenticator application?
    2. Are you being asked to register your device in Entra by following this procedure here: Register your personal device on your work or school network?
    3. Are you being asked to join a specific domain within your operating system configuration by your IT administrator?
    4. Are you being asked to install additional software or agents to achieve the registration process by the IT administrator?

    What the IT department of your employer will be able to do will depend on the way your personal device is integrated.

    The typically recommended way for device registrations for personal devices would be a simple device registration. A quick overview for this scenario is described in the following Learn Article: Microsoft Entra registered devices.

    Without knowing the exact setup your employer is currently utilizing, this method would usually be used to configure something called Conditional Access Policies, which you can find an overview of here: What is Conditional Access? As a quick summary, this allows your employer to allow you access to specific company resources via an assigned identity for your specific device if it was registered in Entra.

    This method cannot be used to control anything like file copy processes or remote screen recordings on your device.

    Conditional Access can also be used to enforce other identity types without the need to ever register or join your device to Entra. In this case you would simply be adding the work account to your device and utilize the authentication mechanism of Entra ID to prove that you are you, which in turn lets your employer authorize you for access to corporate resources; in this case the identity is not your device but rather your access to your account (with optional multiple factor authentication via Windows Hello, Passkeys, SMS authentication etc.).

    In summary, neither method will allow your employer to install anything onto your personal device without your consent, read local files from your hard drive, or monitor/record your screen. They facilitate access to company resources by proving your identity one way or the other on a non-corporate-managed device.

    That being said, if you are being asked to install additional software onto your personal device, the abilities of your employer may change. This will be highly dependent on what type of software you are being asked to install; common asks would be device management solutions (which can enforce software installations, minimum patch levels, restrict certain functionality of the operating system from being managed by yourself etc.). Prior to installing any software it is usually best to consult the website of the vendor of the software for what actions it allows. Should you be asked to install software that is from Microsoft, feel free to mention the software name and I can do some digging for you in terms of what capabilities it would allow your IT administrator on the device, and point you to the correct documentation to validate this on your own to gain an understanding of what can or cannot be done. If it is a third party software I would advise a general internet search for the software name and its capabilities.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
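One way to check which of the integration modes discussed in the answer a Windows device is actually in, as an added PowerShell example that is not part of the answer or of Microsoft's documentation: it parses the fields that `dsregcmd /status` prints (field names AzureAdJoined, DomainJoined, WorkplaceJoined and MdmUrl are assumed from that tool's output) and reports whether a management (MDM) enrollment is present.

```powershell
# Added example (not from the Q&A answer): classify how this Windows device is tied
# to Entra ID from the "Key : Value" lines of `dsregcmd /status`.
# Assumed field names from dsregcmd output: AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl.
function Get-EntraDeviceState {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # Collect "Key : Value" lines into a table; keep the first occurrence of each key.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$' -and -not $fields.ContainsKey($Matches[1])) {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $mode =
        if ($fields['AzureAdJoined'] -eq 'YES' -and $fields['DomainJoined'] -eq 'YES') {
            'Hybrid joined (corporate-managed device identity)'
        } elseif ($fields['AzureAdJoined'] -eq 'YES') {
            'Entra joined (organization owns the device identity)'
        } elseif ($fields['WorkplaceJoined'] -eq 'YES') {
            'Entra registered (personal-device scenario described in the answer)'
        } else {
            'Not registered: at most a work account added for sign-in'
        }

    [pscustomobject]@{
        Mode        = $mode
        # A non-empty MdmUrl means the device is enrolled with a management service.
        MdmEnrolled = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])
    }
}

# Constructed sample resembling dsregcmd output for an Entra registered personal
# laptop with no MDM enrollment (not captured from a real machine).
$sample = @'
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
           WorkplaceJoined : YES
                    MdmUrl :
'@ -split "`r?`n"

Get-EntraDeviceState -StatusLines $sample      # Mode: Entra registered, MdmEnrolled: False

# Live check on the current machine:
# Get-EntraDeviceState -StatusLines (dsregcmd /status)
```

A device that is only Entra registered shows WorkplaceJoined YES with an empty MdmUrl; a non-empty MdmUrl indicates a management enrollment, which is the "additional software" case the answer says changes what the employer can do.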

