Understand device identities in Microsoft Entra ID
Device identities let Microsoft Entra ID represent, manage, and secure the devices that access your organization's resources. They are objects in Microsoft Entra ID that represent a single physical or virtual device. The identity includes attributes that describe the device (for example, device type and OS), ownership and management details, and the device’s authentication state. Microsoft Entra uses device identities to apply policies, make conditional access decisions, and target management tasks in Intune. Key attributes for device identities include:
- Device ID: Unique GUID for the device object.
- Device name: Human-readable name shown in admin portals.
- Join type: Indicates if the device is Registered, Entra joined, or Hybrid Entra joined.
- Device ownership: Company or Personal; used for targeting and compliance scope.
- Operating system and version: Used for compliance rules and update policies.
- Registered owners and users: Links to user objects that are associated with the device.
- Device compliance and management: Shows whether Intune manages the device and its compliance state.
Device lifecycle and common states
A device can be in different states at different points in its lifecycle, depending on how it joins your organization and on the device management architecture you choose.
- Registered: The device has a lightweight relationship with Entra ID (device registration). Users or apps may rely on device identity for single sign-on and some conditional access checks.
- Entra joined: The device is joined to Entra ID and becomes a primary identity for sign-in. This is common for corporate-owned Windows devices.
- Hybrid Entra joined: The device is domain-joined to on-premises Active Directory and automatically registered with Microsoft Entra ID via Microsoft Entra Connect. This fits traditional enterprise deployments that need on-premises domain services and cloud management.
- Managed: The device is enrolled in Intune (or another MDM) and receives configuration, apps, and compliance policies.
- Retired/Removed: The device object is disabled or deleted when the device gets decommissioned or is wiped.
Understanding these states helps you choose the right enrollment and join approach for your environment and ensures policies apply correctly.
How device identities are used
Device identities enable the management of devices in a similar way to how user identities are managed in Entra ID, and they are used to control device behavior and access across Microsoft 365 workloads. They are the foundation for conditional access, compliance enforcement, and Intune management.
- Conditional access: Evaluate device state (managed, compliant, joined) to allow or block access to resources from specific devices or device types.
- Intune targeting: Assign device configuration profiles, compliance policies, and apps by using device object properties and groups.
- Inventory and reporting: Use device attributes and reports to identify unsupported OS versions, unmanaged devices, or risky devices.
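The join types listed under the lifecycle states above and the conditional access evaluation described here can be modeled together. The following Python is an added example, not code from Microsoft's documentation or from Microsoft Entra itself: it maps the Microsoft Graph `device.trustType` values (Workplace, AzureAd, ServerAd) to the join type names used on this page and then evaluates a policy that requires either a compliant device or a hybrid-joined device, mirroring the "Require one of the selected controls" / "Require all the selected controls" options of a Conditional Access grant. The device records are constructed sample data using Graph `device` property names; a real policy engine reads these facts from device claims and the device object, but the decision logic is the same.

```python
"""Added example (not Microsoft documentation code): map Graph device-object
attributes to a join type and evaluate a Conditional Access device-state
requirement against constructed sample records."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Microsoft Graph `device.trustType` values and the join type each represents.
TRUST_TYPE_TO_JOIN = {
    "Workplace": "Registered",            # Microsoft Entra registered
    "AzureAd": "Entra joined",
    "ServerAd": "Hybrid Entra joined",    # on-premises AD joined, synced by Entra Connect
}


def join_type(device: dict) -> str:
    """Return the join type for a Graph device record ("Unknown" if trustType is absent)."""
    return TRUST_TYPE_TO_JOIN.get(device.get("trustType"), "Unknown")


@dataclass(frozen=True)
class DevicePolicy:
    """Device-state grant controls of a Conditional Access policy.

    require_one_of=True mirrors "Require one of the selected controls";
    False mirrors "Require all the selected controls".
    """
    require_compliant: bool = False
    require_hybrid_joined: bool = False
    require_one_of: bool = True


def evaluate_device_access(device: Optional[dict], policy: DevicePolicy) -> Tuple[bool, str]:
    """Decide whether a device's state satisfies the policy's device grant controls.

    A sign-in that presents no device identity cannot satisfy either control,
    and a disabled device object never satisfies them.
    """
    if not (policy.require_compliant or policy.require_hybrid_joined):
        return True, "no device-state control configured"
    if device is None:
        return False, "no device identity presented"
    if not device.get("accountEnabled", True):
        return False, "device object is disabled"

    checks: List[Tuple[str, bool]] = []
    if policy.require_compliant:
        # isCompliant is set by the MDM (Intune) from its compliance policies.
        checks.append(("compliant", bool(device.get("isCompliant"))))
    if policy.require_hybrid_joined:
        checks.append(("hybrid joined", device.get("trustType") == "ServerAd"))

    combine = any if policy.require_one_of else all
    satisfied = [name for name, ok in checks if ok]
    failed = [name for name, ok in checks if not ok]
    if combine(ok for _, ok in checks):
        return True, "satisfied: " + ", ".join(satisfied)
    return False, "failed: " + ", ".join(failed)


# Constructed sample records using Graph `device` property names; not real tenant data.
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-0001", "trustType": "AzureAd", "isManaged": True,
     "isCompliant": True, "accountEnabled": True},
    {"displayName": "DESKTOP-HQ-17", "trustType": "ServerAd", "isManaged": True,
     "isCompliant": False, "accountEnabled": True},
    {"displayName": "iPhone-personal", "trustType": "Workplace", "isManaged": False,
     "isCompliant": False, "accountEnabled": True},
    {"displayName": "OLD-KIOSK", "trustType": "AzureAd", "isManaged": True,
     "isCompliant": True, "accountEnabled": False},
]


def access_report(devices: List[dict], policy: DevicePolicy) -> Dict[str, Tuple[str, bool, str]]:
    """Map each device name to (join type, access granted?, reason)."""
    return {d["displayName"]: (join_type(d), *evaluate_device_access(d, policy)) for d in devices}


if __name__ == "__main__":
    policy = DevicePolicy(require_compliant=True, require_hybrid_joined=True, require_one_of=True)
    for name, (join, granted, reason) in access_report(SAMPLE_DEVICES, policy).items():
        print(f"{name:16} {join:20} {'ALLOW' if granted else 'BLOCK':5} {reason}")
```

Two details matter for the outcome: the registered (Workplace) personal phone is blocked because it is neither compliant nor hybrid joined, and the disabled kiosk is blocked even though its compliance flag is still true, which is why retiring a device by disabling its object is an effective access cut-off.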
Registering devices in Entra ID improves security and compliance measures in your organization and allows you to use additional functionalities of Microsoft Entra ID.
To keep device identities consistent and manageable, decide on a set of principles that your device enrollment adheres to. The following commonly used practices are a starting point:
- Prefer Entra join for corporate Windows devices that authenticate directly to Entra ID.
- Block personal Windows device enrollment to maintain granular control over your Windows device fleet.
- Use Hybrid Entra join when devices require on-premises domain resources but you want cloud-based control and reporting.
- Keep device names and tags consistent to simplify group rules and device filters.
- Monitor device lifecycle events and automate retire/wipe operations for lost or decommissioned devices.
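The naming, inventory and lifecycle practices above can be turned into a repeatable hygiene check. The following Python is an added example, not Microsoft's code: it reads device records shaped like the Microsoft Graph `device` resource (displayName, operatingSystem, operatingSystemVersion, isManaged, accountEnabled, approximateLastSignInDateTime), flags names that break a convention, Windows builds below a minimum, unmanaged devices and stale sign-ins, and proposes the retire step (disable first, delete after a grace period). The naming pattern, the minimum build, the two age thresholds and the records themselves are constructed for the example and are not Microsoft support or guidance values; in a real tenant the records would come from `GET /devices` and the proposed actions would be applied through the same API.

```python
"""Added example (not Microsoft documentation code): lifecycle hygiene report over
Microsoft Entra device records, flagging naming-convention breaks, old OS builds,
unmanaged devices and stale sign-ins, and proposing the retire step for stale ones."""
from datetime import datetime, timedelta, timezone
import re
from typing import Dict, List, Optional

# All thresholds below are constructed for this example, not Microsoft guidance.
NAME_PATTERN = re.compile(r"^(LT|DT|VM)-[A-Z]{2,4}-\d{4}$")  # e.g. LT-FIN-0042
MIN_WINDOWS_BUILD = 19045           # oldest Windows build this fleet still accepts
STALE_AFTER = timedelta(days=90)    # no sign-in for this long -> disable the object
DELETE_AFTER = timedelta(days=180)  # this long and already disabled -> delete the object


def parse_graph_datetime(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps Graph returns (e.g. 2024-05-30T08:12:00Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def windows_build(version: str) -> Optional[int]:
    """Extract the build number from operatingSystemVersion ("10.0.19045.4046" -> 19045)."""
    parts = version.split(".")
    return int(parts[2]) if len(parts) >= 3 and parts[2].isdigit() else None


def assess_device(device: dict, now: datetime) -> List[str]:
    """Return the hygiene findings for one Graph-style device record."""
    findings: List[str] = []
    if not NAME_PATTERN.match(device.get("displayName", "")):
        findings.append("name breaks convention")
    if device.get("operatingSystem") == "Windows":
        build = windows_build(device.get("operatingSystemVersion", ""))
        if build is None or build < MIN_WINDOWS_BUILD:
            findings.append("OS build below minimum")
    if not device.get("isManaged"):
        findings.append("not managed by MDM")
    # A record with no sign-in timestamp at all is treated as stale.
    last = device.get("approximateLastSignInDateTime")
    age = (now - parse_graph_datetime(last)) if last else None
    if age is None or age > STALE_AFTER:
        if device.get("accountEnabled", True):
            findings.append("stale: disable device object")
        elif age is None or age > DELETE_AFTER:
            findings.append("stale and already disabled: delete device object")
    return findings


def lifecycle_report(devices: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Map each device name to its findings; a clean device maps to an empty list."""
    return {d["displayName"]: assess_device(d, now) for d in devices}


# Constructed sample records with Graph `device` property names; not real tenant data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the run is repeatable
SAMPLE_DEVICES = [
    {"displayName": "LT-FIN-0042", "operatingSystem": "Windows",
     "operatingSystemVersion": "10.0.22631.3593", "isManaged": True,
     "accountEnabled": True, "approximateLastSignInDateTime": "2024-05-30T08:12:00Z"},
    {"displayName": "johns laptop", "operatingSystem": "Windows",
     "operatingSystemVersion": "10.0.19041.1", "isManaged": False,
     "accountEnabled": True, "approximateLastSignInDateTime": "2024-01-15T17:40:00Z"},
    {"displayName": "DT-OPS-0007", "operatingSystem": "Windows",
     "operatingSystemVersion": "10.0.19045.4046", "isManaged": True,
     "accountEnabled": False, "approximateLastSignInDateTime": "2023-10-01T09:00:00Z"},
    {"displayName": "VM-LAB-0003", "operatingSystem": "Linux",
     "operatingSystemVersion": "22.04", "isManaged": True, "accountEnabled": True},
]


if __name__ == "__main__":
    for name, findings in lifecycle_report(SAMPLE_DEVICES, NOW).items():
        print(f"{name:14} {'; '.join(findings) or 'OK'}")
```

The two-step retire flow (disable, then delete after a further grace period) is deliberate: a disabled object already blocks device-based access, while keeping it for a while preserves the audit trail and lets a device that was merely offline be re-enabled instead of re-enrolled.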
By understanding object attributes and lifecycle states you can design appropriate join and enrollment strategies, target policies accurately, and keep your devices secure.