Microsoft Entra ID is the identity and access management solution of Microsoft Azure. When working with users and their devices across the hybrid workforce, one of the key capabilities is Microsoft Azure AD join, now known as Microsoft Entra join, enabling cloud joined devices. It allows devices to become part of the Azure AD domain, providing seamless access to Azure resources. This AZ-104 guide focuses on Microsoft Entra Join, what it is, and how to configure it for the Microsoft Azure administrator.

Understanding Microsoft Entra Join

Microsoft Entra ID (formerly Azure Active Directory) is the modern cloud solution used to manage Azure identities. It can be managed from the Azure Portal, Azure CLI, or Azure PowerShell.

Protect Your Data with BDRSuite

Cost-Effective Backup Solution for VMs, Servers, Endpoints, Cloud VMs & SaaS applications. Supports On-Premise, Remote, Hybrid and Cloud Backup, including Disaster Recovery, Ransomware Defense & more!

Microsoft Entra join connects an organization’s devices and Microsoft Entra, creating a computer object in the Entra ID devices without needing an on-prem domain controller, unlike the Microsoft Entra hybrid join (hybrid Azure AD joined). This is especially beneficial for organizations transitioning to or operating primarily on the cloud. The device then uses the Microsoft Entra ID authentication service.

Microsoft Entra Join (join Azure AD) enables a variety of scenarios, including:

  1. Transitioning to a cloud-centric infrastructure utilizing Microsoft Entra ID alongside Mobile Device Management (MDM) solutions like Intune, but may vary based on your Azure subscriptions.
  2. Addressing situations where an on-premises domain join isn’t viable, for instance, when aiming to manage mobile devices such as tablets and phones.
  3. Catering to users whose primary need is accessing Microsoft 365 or other Software as a Service (SaaS) applications integrated with Microsoft Entra ID or even Azure compute resources.
  4. Managing a specific user group within Microsoft Entra ID as opposed to Active Directory, a case often seen with seasonal employees, contractors, or students.
  5. Extending join capabilities to remote or home-based workers, especially in branch locations with minimal on-premises infrastructure.
  6. Using Azure Resource Manager templates – Join a Windows Server virtual machine to a Microsoft Entra Domain Services managed domain using a Resource Manager template.

Below is a general overview of the architecture of Microsoft Entra Join.

Download Banner

Microsoft Azure AD

Architecture of Entra Join

Benefits of Microsoft Entra Join

  • Single Sign-On (SSO): Users can access Azure services and resources effortlessly with a single set of credentials.
  • Access Control: Azure AD Join enables precise control over access to resources, ensuring only authorized users and devices can access sensitive information.
  • Self-Service Features: Users can independently manage their devices, reset passwords, or use other Azure AD features.

Operating systems required

You can perform Microsoft Entra Join on Windows 11 and Windows 10 operating systems. You can’t join Microsoft Windows 10 or 11 Home editions.

Single Sign-On with Microsoft Entra Join

Microsoft Entra joined devices allow users to log in just once (Single Sign-On or SSO) to access your tenant’s cloud applications. If your setup includes an on-premises Active Directory Domain Services (AD DS), users can also enjoy this one-time login feature to access resources and applications dependent on the on-premises Active Directory Domain Services.

With a Microsoft Entra joined device, your users already have an SSO experience to the cloud apps in your environment. If your environment has Microsoft Entra ID and on-premises AD DS, you may want to expand SSO to your on-premises Line Of Business (LOB) apps, file shares, and printers.

Microsoft Entra joined devices have no knowledge about your on-premises AD DS environment because they aren’t joined to it. However, you can provide additional information about your on-premises AD to these devices with Microsoft Entra Connect.

Microsoft Entra Connect or Microsoft Entra Connect cloud sync synchronizes your on-premises identity information to the cloud. As part of the synchronization process, on-premises user and domain information is synchronized to Microsoft Entra ID.

When a user signs in to a Microsoft Entra joined device in a hybrid environment: Microsoft Entra ID sends the details of the user’s on-premises domain back to the device, along with the Primary Refresh Token The local security authority (LSA) service enables Kerberos and NTLM authentication on the device.

Getting Started with Azure AD Join

Device Registration

Before a device can be joined to Azure AD, it must be registered. The device registration process involves a few steps:

  1. Sign in to the Azure portal.
  2. Navigate to Microsoft Entra ID > Devices > Device settings.
  3. Configure device options as per organizational requirements.

Microsoft Azure AD

Configuring Entra join and registration settings

Joining a Device to Azure AD

Joining a device to Azure AD is a straightforward process. Here’s a simplified walk-through:

  1. On the device, go to Settings > Accounts > Access work or school > Connect.
  2. Select “Join this device to Azure Active Directory” and follow the prompts to complete the process.

Microsoft Azure AD

Access work or school accounts

Click the Connect button.

Microsoft Azure AD

Connecting to a work or school account

Hybrid Azure AD Join

A Hybrid Azure AD Join is a common scenario for organizations with a mix of on-prem and cloud infrastructures. It allows devices already joined to an on-premises Active Directory domain to be joined to Azure AD.

Microsoft Azure AD

Architecture of Entra hybrid-joined devices

Configuring Hybrid Azure AD Join

Configuration involves several steps, including configuring federation with Azure AD, updating the Azure AD Connect, and verifying the hybrid Azure AD join configuration.

Azure AD Join vs Azure AD Hybrid Join

Understanding the difference between Azure AD Join and Hybrid Azure AD Join is critical for Azure administrators. While Azure AD Join is a great configuration for cloud-centric organizations, Hybrid Azure AD Join is for those with existing on-prem infrastructure looking to extend their domain capabilities to the cloud, but still use Active Directory Domain Services on-premises.

Wrapping up

You will want to understand the Microsoft Entra join process for the AZ-104 exam, its benefits, and its implementation. Also, understand the difference between the Microsoft Entra join and hybrid joined devices. Overall, it opens up many great capabilities for modern device management.

Read More:

Microsoft Azure Administrator: AZ-104: Microsoft Entra Self Service Password Reset – Part 7

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

Rate this post