Forum Discussion

Matt-CP
Copper Contributor
Mar 28, 2024

Additional Microsoft 365 users not showing as registered users on an Entra ID joined device.

Most of our clients are on M365 these days, and they consist of the following variations in how they integrate:

  1. On-prem AD with no Entra ID sync to M365.
  2. On-prem AD with Entra ID sync to M365 but no hybrid connection for devices.
  3. On-prem AD with Entra ID sync and hybrid connection for devices with Intune.
  4. No on-prem AD with all devices connected directly to Entra ID and Intune.

For clients using integration methods 1 and 2, we always see multiple device registrations in Entra ID, and for clients using integration method 3, we see a primary user that was used to hybrid join the device, along with additional users showing up as registered in Entra ID.

However, we have just recently discovered that for clients that use method 4, i.e. those that are 100% Entra ID with no on-prem AD, the only user that shows in Entra ID is the user that joined the device. Any other user that logs in and creates a profile on one of these machines is not recorded as a registered user in Entra ID for that device.

So, for clients that use integration methods 1-3, if we want to remotely block access on a particular device for a specific user, we just need to delete their Entra ID registration for that device. However, for clients using method 4, we have no visibility for the additional user, nor can we remotely block a user in this scenario.

Is this behaviour a current bug in the Entra ID join/register process? Or is this the expected behaviour? If the latter, then this seems to be a flaw in the join/register process.
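An added example (not from the original post) of the check an admin would run before relying on registration deletion as a blocking control: it lists, for every Entra-joined device, the users Entra ID actually has on record. It assumes the Microsoft.Graph PowerShell SDK and an account permitted to read devices; the "only the joining user" flag is a constructed heuristic, not a Graph property.

```powershell
# Added example, not the poster's code. Assumes: Install-Module Microsoft.Graph
# and an account with Device.Read.All / Directory.Read.All.
Connect-MgGraph -Scopes "Device.Read.All", "Directory.Read.All"

function Get-DirectoryObjectUpn {
    param($Obj)
    # Registered owners/users come back as generic directoryObjects;
    # the UPN is only present in AdditionalProperties.
    if ($Obj.AdditionalProperties.ContainsKey('userPrincipalName')) {
        return $Obj.AdditionalProperties['userPrincipalName']
    }
    return $Obj.Id
}

# trustType on the device object: AzureAd = Entra joined (method 4 above),
# ServerAd = hybrid joined (method 3), Workplace = Entra registered (methods 1 and 2).
$devices = Get-MgDevice -All | Where-Object { $_.TrustType -eq 'AzureAd' }

$report = foreach ($d in $devices) {
    $owners = Get-MgDeviceRegisteredOwner -DeviceId $d.Id | ForEach-Object { Get-DirectoryObjectUpn $_ }
    $users  = Get-MgDeviceRegisteredUser  -DeviceId $d.Id | ForEach-Object { Get-DirectoryObjectUpn $_ }
    [pscustomobject]@{
        Device          = $d.DisplayName
        TrustType       = $d.TrustType
        RegisteredOwner = ($owners -join '; ')
        RegisteredUsers = ($users  -join '; ')
        # Heuristic (constructed here): one or zero registered users means that
        # any additional local profiles on the device are invisible to Entra ID,
        # so deleting a registration cannot be used to block them.
        OnlyJoiningUser = (@($users).Count -le 1)
    }
}

$report | Sort-Object OnlyJoiningUser -Descending | Format-Table -AutoSize
```

Devices flagged OnlyJoiningUser are the ones where per-user blocking has to come from sign-in controls (Conditional Access, account disable, or a device-side policy) rather than from the device's registration list.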

  • futureworkplace
    Copper Contributor
    No bug as far as I can tell. The behavior you described seems to be a result of how Azure AD device registration and user authentication work within the Microsoft 365 environment. You must prepare the architecture in order to avoid those unwanted scenarios, in fact.

    Matt-CP

    What is your authentication flow design so far? I believe IAM is still kept in AD DS; better to search for the keyword "Cloud posture" for your AD journey.

  • KingsleyU
    Brass Contributor

    Matt-CP

    In what you have described, if the user did create a user account profile with their credentials, authentication is only possible in Microsoft Entra, so in that way their device should be registered. Otherwise, perhaps the user only signed into their account from the browser. The following article should provide more information on how it works.

    https://support.microsoft.com/en-us/windows/manage-user-accounts-in-windows-104dc19f-6430-4b49-6a2b-e4dbd1dcdf32

    I hope you have been able to resolve your issues now or before reading this; otherwise, feel free to reply.

    Thanks