Deleting "User Azure AD registered" devices will block user from logging in to e.g. Office Portal

Kiraz, Ayhan 1 Reputation point
2021-08-31T09:14:37.947+00:00

We have a Hybrid environment and the user authenticates with the local Active Directory (AD).

Unfortunately a few devices are now automatically Azure AD registered in the Azure Active Directory (AAD).

We now use GPOs to prevent more devices from being joined automatically by the user.

When I delete these devices from the AAD, the user gets blocked and can't access any resources of our tenant, e.g. Portal.office.com.

The licence of the tenant is "Azure AD Free".

Is there a way to separate the device and the user so I can just delete the device from AAD without affecting the user?

Best regards, Ayhan


2 answers

  1. VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
    2021-08-31T11:48:45.253+00:00

    @KirazAyhan-6286 Thanks for reaching out.

    If your end goal is to have the devices joined to Azure AD as Hybrid Azure AD joined and not as Azure AD registered, you need to perform the following:

    Upgrade to Windows 10 1803 (with KB4489894 applied) or above to automatically address this scenario.
    In pre-1803 releases, you will need to remove the Azure AD registered state manually before enabling Hybrid Azure AD join. In 1803 and above releases, the following changes have been made to avoid this dual state:

    Any existing Azure AD registered state for a user would be automatically removed after the device is Hybrid Azure AD joined and the same user logs in. For example, if User A had an Azure AD registered state on the device, the dual state for User A is cleaned up only when User A logs in to the device.

    If there are multiple users on the same device, the dual state is cleaned up individually when those users log in. In addition to removing the Azure AD registered state, Windows 10 will also unenroll the device from Intune or other MDM, if the enrollment happened as part of the Azure AD registration via auto-enrollment.

    Azure AD registered state on any local accounts on the device is not impacted by this change. It is only applicable to domain accounts. So Azure AD registered state on local accounts is not removed automatically even after user logon, since the user is not a domain user.

    Read more here: https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state
    Let us know if you have any questions.

    -----------------------------------------------------------------------------------------------------------------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

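    The answer above describes how Windows 10 1803+ cleans up the "dual state" (a device that is both Hybrid Azure AD joined and Azure AD registered) only after the affected domain user signs in. Before deleting anything, an admin usually wants to know which devices are actually in that state and whether their OS build is new enough for the automatic cleanup to apply. The following script is an added example, not code from the thread or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds the `Device.Read.All` permission. It is read-only: it inventories device objects by `trustType` (Graph's documented values are `Workplace` for Azure AD registered, `AzureAd` for Azure AD joined and `ServerAd` for Hybrid Azure AD joined) and flags display names that appear under both `ServerAd` and `Workplace`.

```powershell
# Added example, not from the original thread. Read-only inventory of device
# registration states via Microsoft Graph PowerShell; nothing is deleted.
# Assumes: Microsoft.Graph module installed, Device.Read.All consented.
Connect-MgGraph -Scopes 'Device.Read.All' | Out-Null

$devices = Get-MgDevice -All -Property Id,DisplayName,TrustType,OperatingSystem,OperatingSystemVersion,ApproximateLastSignInDateTime

# Summary of how many objects exist per registration type.
$devices | Group-Object TrustType | Select-Object Name,Count | Format-Table -AutoSize

# Dual-state candidates: the same display name present as both a Hybrid join
# (ServerAd) object and an Azure AD registered (Workplace) object.
$dual = $devices | Group-Object DisplayName | Where-Object {
    ($_.Group.TrustType -contains 'ServerAd') -and ($_.Group.TrustType -contains 'Workplace')
}

# Windows 10 1803 corresponds to build 10.0.17134; the automatic cleanup the
# answer describes applies only at or above this build.
$minBuild = [version]'10.0.17134'

foreach ($g in $dual) {
    $registered = $g.Group | Where-Object { $_.TrustType -eq 'Workplace' }
    $hybrid     = $g.Group | Where-Object { $_.TrustType -eq 'ServerAd' } | Select-Object -First 1

    # OperatingSystemVersion may be empty on some objects; treat that as unknown.
    $build = $null
    if ($hybrid.OperatingSystemVersion) {
        try { $build = [version]$hybrid.OperatingSystemVersion } catch { $build = $null }
    }

    [pscustomobject]@{
        Device             = $g.Name
        OSVersion          = $build
        AutoCleanupApplies = if ($build) { $build -ge $minBuild } else { 'unknown' }
        RegisteredObjectIds = ($registered.Id -join ', ')
        RegisteredLastSeen = ($registered.ApproximateLastSignInDateTime |
                              Sort-Object -Descending | Select-Object -First 1)
    }
}
```

    The output tells you, per dual-state device, which object ids are the stray Azure AD registered entries and whether the client build is recent enough that a domain user's next sign-in will clear the registered state on its own. On the device itself, `dsregcmd /status` shows the same picture from the client side (`AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` in its output), which is a useful cross-check before touching any directory object.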

  2. Kiraz, Ayhan 1 Reputation point
    2021-09-01T06:53:33.213+00:00

    Thank you @VipulSparsh-MSFT for your fast reply, but we just want to remove the devices in AAD and don't want them to join the AAD at all.

    We can delete/disable the devices there, but as I said, that will block the user from the resources.

    Best, Ayhan
