Configure Microsoft Entra ID device registration settings
Device registration settings in Microsoft Entra ID control how devices establish identities and join your organization. These settings determine who can register personal devices, join corporate devices to Microsoft Entra ID, and whether users can add local administrator accounts on Entra-joined devices. Configuring these settings properly balances user productivity with organizational security requirements.
Understanding device registration options
Microsoft Entra ID provides three distinct methods for devices to establish an organizational identity: registration, join, and hybrid join. Each method serves different scenarios and requires specific configuration.
Microsoft Entra registration (workplace join)
Users register their personal devices with your organization while maintaining personal control over the device. Registration enables single sign-on to organizational resources and basic management through Intune, but doesn't grant your organization full device control.
Microsoft Entra registration works for:
- Personal Windows, iOS, Android and macOS devices
- Bring-your-own-device (BYOD) scenarios
- Devices where users need access to organizational email, files or applications
Microsoft Entra join
Microsoft Entra join connects corporate-owned devices directly to your Microsoft Entra tenant without requiring on-premises Active Directory. Joined devices receive organizational policies, configurations, and management through Intune.
Microsoft Entra join is appropriate for:
- Cloud-first organizations without on-premises infrastructure
- Corporate-owned Windows 10/11 devices
- Devices that need full organizational control
- Scenarios requiring BitLocker encryption management
Microsoft Entra hybrid join
Hybrid join extends existing on-premises Active Directory-joined devices with a Microsoft Entra identity. Devices remain domain-joined while also gaining cloud identity capabilities.
Hybrid join suits organizations that:
- Maintain on-premises Active Directory infrastructure
- Need gradual migration to cloud identity
- Require access to both traditional and modern resources
Configuring device registration settings
You configure device registration through the Microsoft Entra admin center. These settings apply organization-wide, though you can scope some settings to specific users or groups.
Accessing device settings
To configure device registration:
- Sign in to the Microsoft Entra admin center as a Global Administrator or Cloud Device Administrator
- Navigate to Identity > Devices > Overview
- Select Device settings to view configuration options
Note
The Intune Administrator role provides read-only access to device settings and cannot save changes. Use Cloud Device Administrator or Global Administrator to modify device registration settings.
User settings for device registration
The Users may register their devices with Microsoft Entra ID setting controls Microsoft Entra registration (workplace join). Three options are available:
All: Any user in your organization can register their personal devices. This setting provides maximum flexibility but minimal control.
Selected: Only members of specified security groups can register devices. This option balances access with control by limiting registration to approved users or departments.
None: Users can't register personal devices. Organizations that prohibit BYOD or want strict control over all devices that access resources use this setting.
Tip
For organizations supporting BYOD, select Selected and create a security group for users approved to register personal devices. You can then enforce stricter compliance policies for these devices.
User settings for Microsoft Entra join
The Users may join devices to Microsoft Entra ID setting controls who can perform Microsoft Entra join operations on corporate-owned Windows devices. Options include:
All: Any user can join Windows devices to Microsoft Entra ID during Windows setup or through Settings.
Selected: Only members of specified security groups can join devices. This approach works well when IT pre-provisions devices and wants to control which users can complete the join process.
None: Users cannot join devices to Microsoft Entra ID. IT must perform all join operations, often during device provisioning before distributing devices to users.
Most organizations select All or Selected to enable out-of-box experiences where users can join their assigned corporate devices during initial setup.
Additional local administrators on Entra-joined devices
The Additional local administrators on all Microsoft Entra joined devices setting determines which users become local administrators on devices joined to Microsoft Entra ID.
By default, the user who joins a device becomes a local administrator on that device. You can add other users or groups to this setting, and those principals become local administrators on all Microsoft Entra-joined devices.
Important considerations:
- The Global Administrator role automatically grants local administrator rights on all Entra-joined devices
- You can add security groups but not Microsoft 365 groups
- Changes apply only to new device joins or when users sign in again
- Avoid adding too many administrators, as this increases security risk
For organizations that need to strictly control local administrator access, configure this setting to include only IT support staff. Then, enforce policies that prevent standard users from elevating privileges.
Enable Microsoft Entra Local Administrator Password Solution (LAPS)
The Enable Microsoft Entra Local Administrator Password Solution (LAPS) setting allows your organization to store and automatically rotate the built-in local administrator password for Microsoft Entra joined and Microsoft Entra hybrid joined Windows devices.
When enabled, authorized IT staff can retrieve the current local admin password for a device through the Microsoft Entra admin center or Microsoft Intune, enabling break-glass access without sharing a common static password.
Note
Enabling this toggle in device settings is only the first step. You must also configure a Windows LAPS policy in Microsoft Intune (Endpoint security > Account protection) to activate password management on the devices. For full configuration details, see Microsoft Entra LAPS overview.
Restrict non-admin users from recovering BitLocker keys
The Restrict non-admin users from recovering the BitLocker key(s) for their owned devices setting controls whether standard users can view or copy BitLocker recovery keys for their own registered devices in the MyAccount portal.
When enabled, only IT staff with appropriate roles can retrieve BitLocker recovery keys, ensuring users can't self-recover keys without IT involvement.
Note
At least the Privileged Role Administrator role is required to change this setting.
Require multi-factor authentication to register or join devices
The Require Multi-Factor authentication to register or join devices setting determines whether users must complete multi-factor authentication (MFA) before registering or joining a device.
When enabled:
- Users must complete MFA the first time they register or join a device
- After initial registration, future sign-ins follow your conditional access policies
- Provides additional security against unauthorized device registration
Tip
Microsoft recommends using a Conditional Access policy targeting the Register or join devices user action with an MFA grant control, rather than the legacy toggle above. Conditional Access provides more flexible enforcement, including support for named locations, sign-in risk, and compliance conditions.
Warning
If you configure a Conditional Access policy to require MFA for device registration, you must set this device settings toggle to No. Enabling both at the same time prevents the Conditional Access policy from being enforced correctly. Also note that this legacy toggle doesn't apply to Microsoft Entra hybrid joined devices or Windows Autopilot self-deployment mode.
Most security-conscious organizations either enable this setting or implement an equivalent Conditional Access policy to prevent attackers with stolen credentials from registering unauthorized devices.
Maximum number of devices per user
The Maximum number of devices per user setting limits how many devices a single user can register or join. Choose a value between 1 and 100, or select Unlimited. The default value is 50.
Note
Values above 100 are automatically capped at 100 by Microsoft Entra ID.
Considerations for setting limits:
- Users typically need multiple devices: desktop, laptop, tablet, phone
- Setting too low a limit creates help desk issues when users reach their maximum
- Setting no limit allows potential abuse or misconfiguration
- Deleted devices don't immediately free up quota; first they are soft-deleted for 30 days
A common approach: Set the limit to 10-15 for most users, allowing some flexibility while preventing excessive registration. Monitor usage to adjust as needed.
Note
This setting counts both registered and joined devices toward the user's total.
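The registration, join, LAPS, MFA and device-limit settings above are exposed through Microsoft Graph, so an export of them can be checked offline against the guidance in this section. The following Python script is an added example, not code from the page or from Microsoft. It audits an exported deviceRegistrationPolicy document together with exported Conditional Access policies for the weak combinations discussed here: registration open to all users, no MFA requirement for registering or joining, the legacy MFA toggle enabled alongside a Conditional Access policy (the conflict in the warning above), LAPS disabled, and an unbounded per-user device quota. The property names, the @odata.type values, the urn:user:registerdevice user action and the use of null for Unlimited are assumptions about the Graph export format, and both sample documents are constructed.

```python
"""Offline audit of exported Microsoft Entra device registration settings.

Added example, not code from the page or from Microsoft. Assumes the JSON shape
of the Graph deviceRegistrationPolicy resource (GET /policies/deviceRegistrationPolicy)
and of conditionalAccessPolicy objects (GET /identity/conditionalAccess/policies);
it runs only over exported documents and never touches a live tenant.
"""
import json
import sys

# @odata.type values of deviceRegistrationMembership (assumed Graph names).
ALL_USERS = "#microsoft.graph.allDeviceRegistrationMembership"
NO_USERS = "#microsoft.graph.noDeviceRegistrationMembership"
SELECTED = "#microsoft.graph.enumeratedDeviceRegistrationMembership"
# Conditional Access user action "Register or join devices" (assumed Graph value).
REGISTER_ACTION = "urn:user:registerdevice"
# Upper end of the "10-15 devices for most users" guidance.
RECOMMENDED_MAX_QUOTA = 15


def membership_kind(membership):
    """Map a deviceRegistrationMembership object to 'all', 'none' or 'selected'."""
    kind = membership.get("@odata.type", "")
    if kind == ALL_USERS:
        return "all"
    if kind == NO_USERS:
        return "none"
    return "selected"


def ca_requires_mfa_for_registration(ca_policies):
    """True if an enabled Conditional Access policy targets the
    'Register or join devices' user action with the MFA grant control."""
    for pol in ca_policies:
        if pol.get("state") != "enabled":
            continue
        apps = pol.get("conditions", {}).get("applications", {})
        controls = pol.get("grantControls") or {}
        if (REGISTER_ACTION in apps.get("includeUserActions", [])
                and "mfa" in controls.get("builtInControls", [])):
            return True
    return False


def audit(policy, ca_policies):
    """Return (code, severity, message) findings for the exported settings."""
    findings = []
    if membership_kind(policy["azureADRegistration"]["allowedToRegister"]) == "all":
        findings.append(("REGISTRATION_ALL_USERS", "medium",
                         "Any user can register personal devices; scope it to a BYOD security group."))

    legacy_mfa = policy.get("multiFactorAuthConfiguration") == "required"
    ca_mfa = ca_requires_mfa_for_registration(ca_policies)
    if legacy_mfa and ca_mfa:
        findings.append(("MFA_TOGGLE_CONFLICTS_WITH_CA", "high",
                         "Legacy MFA toggle is on alongside a Conditional Access policy; "
                         "set the toggle to No so the policy is enforced."))
    elif not (legacy_mfa or ca_mfa):
        findings.append(("NO_MFA_FOR_REGISTRATION", "high",
                         "Nothing requires MFA to register or join devices."))

    if not policy.get("localAdminPassword", {}).get("isEnabled", False):
        findings.append(("LAPS_DISABLED", "medium",
                         "Entra LAPS is off; the built-in local administrator password is not rotated."))

    quota = policy.get("userDeviceQuota")  # None stands for Unlimited here (assumption)
    if quota is None:
        findings.append(("DEVICE_QUOTA_UNLIMITED", "low",
                         "No per-user device limit; a stolen account can register devices without bound."))
    elif quota > RECOMMENDED_MAX_QUOTA:
        findings.append(("DEVICE_QUOTA_HIGH", "low",
                         f"Per-user device limit is {quota}; 10-15 covers most users."))
    return findings


# Constructed sample export: registration open to all, legacy toggle on, LAPS off, no quota.
SAMPLE_POLICY = {
    "userDeviceQuota": None,
    "multiFactorAuthConfiguration": "required",
    "azureADRegistration": {"allowedToRegister": {"@odata.type": ALL_USERS}},
    "azureADJoin": {"allowedToJoin": {"@odata.type": SELECTED, "users": [],
                                      "groups": ["<join-group-object-id>"]}},
    "localAdminPassword": {"isEnabled": False},
}

# Constructed sample: a Conditional Access policy that also requires MFA for the user action.
SAMPLE_CA_POLICIES = [{
    "displayName": "Require MFA to register or join devices",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"]},
                   "applications": {"includeUserActions": [REGISTER_ACTION]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py deviceRegistrationPolicy.json caPolicies.json
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            policy, ca = json.load(f), json.load(g)
    else:
        policy, ca = SAMPLE_POLICY, SAMPLE_CA_POLICIES
    for code, severity, message in audit(policy, ca):
        print(f"[{severity}] {code}: {message}")
```

Run without arguments to see the four findings the constructed sample produces; pass the two exported JSON files to audit a real tenant. The MFA check deliberately treats "toggle on plus Conditional Access policy" as a higher-severity finding than "toggle on alone", because the former silently weakens enforcement while looking stricter in the portal.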
Device identifiers for corporate-owned devices
Microsoft Entra ID automatically marks devices as corporate-owned when they meet certain criteria. You can also manually mark devices using corporate identifiers.
Automatic corporate device marking
Devices are automatically marked as corporate-owned when:
- Enrolled through Windows Autopilot
- Enrolled through Apple Automated Device Enrollment (ADE)
- Enrolled as Android Enterprise fully managed, dedicated, or corporate-owned work profile devices
- Purchased through Apple Business Manager or Apple School Manager
Manual corporate identifiers
For devices that don't automatically register as corporate-owned, you can upload corporate identifiers:
- Navigate to Identity > Devices > Overview
- Select Corporate device identifiers
- Select Add identifiers
- Choose identifier type: IMEI (International Mobile Equipment Identity) or serial number
- Upload a CSV file with device identifiers
- Select Add to import the identifiers
When a device with a matching identifier enrolls in Intune, Microsoft Entra ID marks it as corporate-owned, enabling additional management capabilities and stricter policy enforcement.
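An identifier that is mistyped in the CSV never matches an enrolling device, so the device quietly stays personal-owned and misses the stricter policies. The following Python script is an added example, not code from the page or from Microsoft: it validates identifiers before they are uploaded, using the Luhn check digit that every 15-digit IMEI carries, and writes the upload file. The two-column, header-less CSV layout (identifier, details) and the serial-number character bounds are assumptions; the sample IMEIs are constructed.

```python
"""Validate device identifiers before uploading them as corporate identifiers.

Added example, not code from the page or from Microsoft. Assumes the upload
file is a header-less CSV with two columns, identifier and free-text details,
and checks IMEIs with the Luhn algorithm (the 15th IMEI digit is a Luhn check
digit). Sample identifiers below are constructed.
"""
import csv
import io
import re


def normalize_imei(value):
    """Strip the spaces and hyphens people type into IMEIs."""
    return re.sub(r"[\s-]", "", value)


def is_valid_imei(value):
    """A well-formed IMEI is 15 digits whose Luhn sum is 0 (mod 10)."""
    digits = normalize_imei(value)
    if not re.fullmatch(r"\d{15}", digits):
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_serial(value):
    """Serial numbers carry no checksum; reject empties and stray separators (bounds assumed)."""
    return bool(re.fullmatch(r"[A-Za-z0-9]{1,64}", value.strip()))


def build_identifier_csv(entries, id_type):
    """Return (csv_text, rejected) for a list of (identifier, details) pairs.

    id_type is 'imei' or 'serial': one upload holds one identifier type,
    matching the 'Choose identifier type' step of the procedure.
    """
    check = is_valid_imei if id_type == "imei" else is_valid_serial
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    rejected = []
    for identifier, details in entries:
        if not check(identifier):
            rejected.append(identifier)  # keep the original text so the typo can be found
            continue
        ident = normalize_imei(identifier) if id_type == "imei" else identifier.strip()
        writer.writerow([ident, details])
    return buf.getvalue(), rejected


# Constructed sample: two valid IMEIs (one typed with spaces) and one with a wrong check digit.
SAMPLE_IMEIS = [
    ("490154203237518", "Field tablet 01"),
    ("35 209900 176148 1", "Field tablet 02"),
    ("490154203237519", "Field tablet 03"),
]

if __name__ == "__main__":
    text, rejected = build_identifier_csv(SAMPLE_IMEIS, "imei")
    print(text, end="")
    for bad in rejected:
        print(f"rejected (failed IMEI check): {bad!r}")
```

Rejected entries are reported rather than silently dropped, so the asset list can be corrected before the upload rather than after a device fails to be marked corporate-owned.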
Enterprise State Roaming
Enterprise State Roaming synchronizes user settings and application data across Windows devices. When enabled, users' desktop settings, preferences, and application configurations roam between their Windows 10/11 devices.
This feature requires Microsoft Entra ID P1 or P2 licenses and benefits users who work on multiple Windows devices. Settings sync through Microsoft Entra ID, keeping data in the cloud rather than syncing devices directly.
To enable Enterprise State Roaming:
- Navigate to Identity > Devices > Overview
- Select Enterprise State Roaming
- Choose All to enable for all users or Selected for specific groups
- Select Save
Best practices for device registration settings
Implement these practices to balance security and usability:
- Define device ownership policies: Clearly document whether your organization supports BYOD and under what conditions
- Use group-based controls: Use Selected options with security groups for fine-grained control
- Enable MFA for device registration: Add an additional layer of security to prevent unauthorized device registration
- Set reasonable device limits: Allow enough devices for legitimate use without permitting excessive registrations
- Regular device cleanup: Implement processes to remove stale or unused device registrations
- Monitor device registrations: Review audit logs for unusual registration patterns that might indicate security issues
- Align with compliance requirements: Ensure settings meet industry regulations and corporate security policies