Describe Microsoft Entra join
With Windows 10 or later, in addition to joining an AD DS domain, you can now join a device to Microsoft Entra ID. Along with creating user accounts in Microsoft Entra ID, you can now have objects that represent devices in Microsoft Entra ID, and you can manage devices that are joined to Microsoft Entra ID from the cloud.
Before you decide whether you want to join a device to an AD DS domain or to Microsoft Entra ID, it’s important to understand the difference between these two concepts. Devices that join an AD DS domain must run a supported operating system version; for example, Home editions of the Windows and Windows RT operating systems do not support joining a domain. Devices that are capable of joining an AD DS domain usually access on-premises applications and services. Devices also can access some cloud resources if you integrate the domain accounts and Microsoft accounts.
The scope of devices that are capable of joining Microsoft Entra ID is larger than for AD DS. Typically, only devices running Windows Pro or Enterprise Edition can join an AD DS domain. However, devices running operating systems such as Windows Home (including Pro & Enterprise), iOS or Android can join Microsoft Entra ID. When joining a device to Microsoft Entra ID, it is fully capable of accessing cloud-based resources and Azure-based resources by using SSO. From a management perspective, you cannot manage these devices by using Group Policy, but you can use Intune to manage and provision them.
Usage Scenarios for Microsoft Entra join
Scenario 1: Businesses Largely in the Cloud
Microsoft Entra join (Microsoft Entra join) can benefit you if you currently operate and manage identities for your business in the cloud or are moving to the cloud soon. You can use an account that you have created in Microsoft Entra ID to sign into Windows. Through the first run experience (FRX) process, or by joining Microsoft Entra ID from the settings menu, your users can join their machines to Microsoft Entra ID. Your users can also enjoy single sign-on (SSO) access to cloud resources like Microsoft 365, either in their browsers or in Office applications.
Scenario 2: Educational Institutions
Educational institutions usually have two user types: faculty and students.
Faculty members are considered longer-term members of the organization. Creating on-premises accounts for them is desirable. But students are shorter-term members of the organization and their accounts can be managed in Microsoft Entra ID. This means that directory scale can be pushed to the cloud instead of being stored on-premises. It also means that students will be able to sign into Windows with their Microsoft Entra accounts and get access to Microsoft 365 resources in Office applications.
You may want to join devices to Microsoft Entra ID in these scenarios:
- If most applications and resources that you use are in the cloud. If you already use certain cloud services such as Microsoft 365 and you plan to move your other workloads to the cloud, you should join the client devices to Microsoft Entra ID to ensure ease of access and SSO for cloud-based services.
- If you want to separate temporary accounts. If you need to manage temporary accounts separately from your regular accounts, such as for contractors or seasonal workers, yet you still want to provide them with limited cloud-based services, you can create these accounts in Microsoft Entra ID and join the users' devices to Microsoft Entra ID.
- If you want to enable users to join their own devices to the organizational environment. If you support the Bring Your Own Device (BYOD) concept and you want to enable users to join their devices to your business environment, Microsoft Entra ID might be the right solution. This is particularly the case in situations where users are utilizing non-Microsoft devices such as iPads or Android tablets that cannot join an AD DS domain, but they can enroll in Intune and Microsoft Entra ID.
- You want to transition to cloud-based infrastructure using Microsoft Entra ID and an MDM such Intune.
- You have remote branch offices with limited on-premises infrastructure and wish to provide joining capabilities to workers.
Users can join Windows devices to Microsoft Entra ID during initial Windows setup or later by opening their system settings. In both instances, users need to type in their Microsoft Entra credentials and accept the management policies.
Keep in mind that you also need to prepare Microsoft Entra ID so that it can join a device. To do this, open the Azure portal, navigate to your Microsoft Entra instance, and then open Users and groups administration pane. You can configure options for joining a device in the Device settings section.
Microsoft Entra hybrid join
If you have an on-premises Active Directory environment and you want to join your domain-joined devices to Microsoft Entra ID, you can accomplish this by configuring Microsoft Entra hybrid joined devices. Microsoft Entra hybrid join supports a broad range of Windows devices. Because the configuration for devices running older versions of Windows requires additional or different steps, the supported devices are grouped into two categories:
Windows current devices
- Windows 10 or later
- Windows Server 2016 or later
Windows down-level devices
- Windows 8.1
- Windows Server 2012 R2
As a first planning step, you should review your environment and determine whether you need to support Windows down-level devices. Microsoft Workplace Join for non-Windows 10 computers, available on the Microsoft Download Center, must be installed for down-level devices.
You can't use a Microsoft Entra hybrid join if your environment consists of a single forest that synchronized identity data to more than one Microsoft Entra tenant.
Reasons to use Microsoft Entra hybrid join:
- You have Win32 apps deployed to these devices that rely on Active Directory machine authentication.
- You require Group Policy to manage some of your devices.
- You want to continue to use imaging solutions to configure devices for your employees.
Microsoft Entra hybrid join is a process to automatically register your on-premises domain-joined devices with Microsoft Entra ID. There are cases where you don't want all your devices to register automatically. If this is true for you, you should control the Microsoft Entra hybrid join of your devices.