Microsoft Entra hybrid joined devices
Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Microsoft Entra ID by implementing Microsoft Entra hybrid joined devices. These devices are joined to your on-premises Active Directory and registered with Microsoft Entra ID.
Microsoft Entra hybrid joined devices periodically require network line of sight to your on-premises domain controllers. Without this connection, devices become unusable. If this requirement is a concern, consider Microsoft Entra joining your devices instead.
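The following PowerShell script is an added example, not code from the Microsoft documentation. It reads the device's join state with `dsregcmd /status` (the built-in Windows tool), classifies the device as hybrid joined, Entra joined, or domain joined only, and then checks whether a domain controller is currently reachable, which is the line-of-sight requirement described above. It assumes `dsregcmd` prints one `Name : Value` pair per line, as it does on Windows 10 and 11, and that it is run in an elevated session on the device being checked.

```powershell
# Added example (not from the Microsoft documentation): report the device's
# join state and whether the on-premises domain is reachable right now.
# Assumption: dsregcmd /status prints one "Name : Value" pair per line.

function Get-DsregStatus {
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        # Match lines such as "        AzureAdJoined : YES"; section banners and
        # separator lines have no colon and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Get-DeviceJoinType {
    param([hashtable]$Status)
    $domainJoined  = $Status['DomainJoined']  -eq 'YES'
    $azureAdJoined = $Status['AzureAdJoined'] -eq 'YES'
    # Hybrid join means both flags are set: joined to on-premises AD and
    # registered with Microsoft Entra ID.
    if ($domainJoined -and $azureAdJoined) { return 'Microsoft Entra hybrid joined' }
    if ($azureAdJoined)                    { return 'Microsoft Entra joined' }
    if ($domainJoined)                     { return 'On-premises AD joined only' }
    return 'Not joined to a domain or Microsoft Entra ID'
}

$status   = Get-DsregStatus
$joinType = Get-DeviceJoinType -Status $status

Write-Host "Join type   : $joinType"
Write-Host "Device ID   : $($status['DeviceId'])"
Write-Host "Tenant name : $($status['TenantName'])"
# AzureAdPrt is YES when the signed-in user holds a Primary Refresh Token,
# which is what enables SSO to cloud resources from this device.
Write-Host "AzureAdPrt  : $($status['AzureAdPrt'])"

if ($status['DomainJoined'] -eq 'YES') {
    # Hybrid joined devices need periodic line of sight to a domain controller.
    # Test-ComputerSecureChannel validates the machine account's secure channel
    # to the domain and fails when no domain controller can be reached.
    try {
        $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $dcReachable = $false
    }

    if ($dcReachable) {
        Write-Host 'Domain controller reachable: secure channel OK'
    } else {
        Write-Warning 'No domain controller reachable; Group Policy refresh and password changes will fail until connectivity returns'
    }
}
```

Run this on a device that is expected to be hybrid joined: a result of `DomainJoined : YES` with `AzureAdJoined : NO` usually means Microsoft Entra Connect has not yet synchronized the computer object, while a failing secure-channel check on a device that reports hybrid joined is the symptom to look for when users report that sign-in or Group Policy is not working off the corporate network.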
| Microsoft Entra hybrid join | Description |
| --- | --- |
| Definition | Joined to on-premises AD and Microsoft Entra ID, requiring an organizational account to sign in to the device |
| Primary audience | Suitable for hybrid organizations with existing on-premises AD infrastructure |
| | Applicable to all users in an organization |
| Operating Systems | Windows 11, Windows 10 or 8.1 except Home editions |
| | Windows Server 2008/R2, 2012/R2, 2016, 2019 and 2022 |
| Provisioning | Windows 11, Windows 10, Windows Server 2016/2019/2022 |
| | Domain join by IT and autojoin via Microsoft Entra Connect or ADFS config |
| | Domain join by Windows Autopilot and autojoin via Microsoft Entra Connect or ADFS config |
| | Windows 8.1, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 - Require MSI |
| Device sign in options | Organizational accounts using: |
| | Passwordless options like Windows Hello for Business and FIDO2.0 security keys |
| Device management | Group Policy |
| | Configuration Manager standalone or co-management with Microsoft Intune |
| Key capabilities | SSO to both cloud and on-premises resources |
| | Conditional Access through Domain join or through Intune if co-managed |
| | Self-service Password Reset and Windows Hello PIN reset on lock screen |
Use Microsoft Entra hybrid joined devices if:
- You support down-level devices running Windows 8.1, Windows Server 2008/R2, 2012/R2, 2016.
- You want to continue to use Group Policy to manage device configuration.
- You want to continue to use existing imaging solutions to deploy and configure devices.
- You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.