Windows 10 Workplace join (AAD registered) - risks?

Bradley North 21 Reputation points
2021-10-02T22:04:30.74+00:00

Hi,

I have read a lot of articles about Azure Active Directory, Windows Endpoint Manager and Intune. I understand the differences between AAD joined devices and registered ones (workplace joined).

One thing I haven't seen a clear answer to is the differences in options available to administrators to manage those devices. I understand that AAD joined devices can be enrolled into Intune and there are a whole host of options available, including "full wipe" to factory reset the device erasing all data. What about the devices that are just AAD registered? I have read that they can have policies set and about conditional access, but:

  1. If I workplace join my personal device can it be enrolled into Intune or another MDM automatically?
  2. Can my device be "full wiped" in the same way as an AAD joined device if an administrator so wishes? Or is that not at all possible with a personal, registered device?

Thanks


Accepted answer
  Mr Sb 356 Reputation points
    2021-10-03T01:21:56.313+00:00

    To answer your questions:

    1. It depends on your MDM / MAM user scope. https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll
    2. No, that is not possible. You can only delete the device from Azure AD, which will cause the device to be un-authenticated, meaning that the user has to sign in again on any Microsoft 365 app.

    Azure AD registered devices have nothing to do with any type of enrollment. Azure AD registration is enabled by default when using Microsoft 365 services.

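A practical way to answer both questions for a specific Windows 10 machine is to look at what the device itself reports: whether it is Azure AD joined, hybrid joined, or only workplace (Azure AD) registered, and whether an MDM enrollment is present. The script below is an added example written for this page, not code from the thread or from Microsoft. It parses the key/value lines that `dsregcmd /status` prints. The field names it relies on (`AzureAdJoined`, `DomainJoined`, `WorkplaceJoined`, and any field ending in `MdmUrl`) are taken from that tool's output as I know it, but the exact layout, and in particular the name of the MDM URL field shown for a registered device, should be treated as an assumption and checked against a real box. The sample text embedded in the script is constructed to resemble `dsregcmd` output so the example runs offline.

```powershell
# Added example (not from the original thread): classify a Windows 10 device's
# Azure AD join type and MDM enrollment state from `dsregcmd /status` output.
# On a real machine replace $SampleStatus with the live output:
#   $lines = dsregcmd /status
# The sample below is constructed; field names follow dsregcmd as I know it,
# but the layout is an assumption.

$SampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : YES
'@

function ConvertFrom-DsregStatus {
    # Turn "   Name : Value" lines into a hashtable; banner and separator
    # lines (+----, | Device State |) do not match and are skipped.
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-DeviceJoinState {
    param([string[]]$Lines)
    $f = ConvertFrom-DsregStatus -Lines $Lines

    $aad       = ($f['AzureAdJoined']   -eq 'YES')
    $domain    = ($f['DomainJoined']    -eq 'YES')
    $workplace = ($f['WorkplaceJoined'] -eq 'YES')

    $joinType = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
                elseif ($aad)          { 'Azure AD joined' }
                elseif ($workplace)    { 'Azure AD registered (workplace joined)' }
                elseif ($domain)       { 'On-premises domain joined only' }
                else                   { 'Not joined or registered' }

    # Any populated *MdmUrl field indicates an MDM enrollment is recorded.
    # Assumption: dsregcmd prints such a field when enrolled; verify locally.
    $mdmKeys = $f.Keys | Where-Object { $_ -match 'MdmUrl$' -and $f[$_] -and $f[$_] -ne '(null)' }
    $mdmEnrolled = [bool]$mdmKeys

    [pscustomobject]@{
        JoinType    = $joinType
        MdmEnrolled = $mdmEnrolled
        MdmUrls     = @($mdmKeys | ForEach-Object { $f[$_] })
    }
}

# Run against the constructed sample; on a real device use the live output.
$lines = $SampleStatus -split "`r?`n"
Get-DeviceJoinState -Lines $lines | Format-List
```

For the constructed sample this reports `Azure AD registered (workplace joined)` with `MdmEnrolled : False`, which is the situation the question describes: the account is registered but nothing on the device is under MDM control. Whether enrollment can follow automatically is decided tenant-side by the MDM user scope referred to in the answer, so this local check complements, rather than replaces, looking at the enrollment settings in the admin portal. Enrollment records are also visible on the device under `HKLM:\SOFTWARE\Microsoft\Enrollments` if you want a second source of truth.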

1 additional answer

  Jason Sandys 31,186 Reputation points Microsoft Employee
    2021-10-04T09:53:00.48+00:00

    Also, keep in mind AAD registration for Windows is generally meant for BYOD and should be avoided for enterprise systems.
