Forum Discussion
Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join)
Entra ID registered allows SSO > fewer sign-ins > fewer interruptions.
You have a set of granular options for fine-tuning access to certain services. With Conditional Access you can specify under which conditions, and from which locations / IP ranges, users can access these services, and whether, for example, some services can only be signed in to from a device that is marked as compliant. Requiring the device to be marked as compliant also requires the device to be enrolled in Intune. In Intune you could decide not to allow personally owned devices, requiring the device to be Entra joined. Then there are settings in Entra ID where you can decide under which circumstances a device can be joined. There are a lot of possibilities to design this. It depends on your needs and infrastructure.
That's authentication. For authorization you have tools like Entra ID Governance. For data-leakage concerns with BYOD there's MAM for Windows.
For on-premises resources that require authentication with AD, you would of course need an account in AD to sign in to them. Designing a solution for this is also highly dependent on your environment and on each on-premises resource. There's federation with ADFS (no EOL announced, but not recommended), Cloud Kerberos Trust with Windows Hello for Business or FIDO2, and of course SSO, which requires network line of sight and the user's attributes synced via Entra Connect or Cloud Sync: https://learn.microsoft.com/en-us/entra/identity/devices/device-sso-to-on-premises-resources
For "a billion random machines in your Entra" you have the option to set the maximum number of devices each user can register. Generally speaking, you have IT putting security policies in place and thinking ahead as much as possible about risks, and then you have free-roaming users who want to work and not wait on IT for each mouse click. Every sensitive file can end up anywhere if you think about it long enough. But with modern features for monitoring, alerts, rules, automations etc., and tools like sensitivity labels, you have a wide variety of options to minimize the burden on IT staff and at the same time make your environment maybe even more secure than it was before.
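The two knobs the reply above keeps coming back to, a Conditional Access policy that only lets a sensitive app be reached from a compliant (hence Intune-enrolled) device, and the tenant device registration policy that caps devices per user and decides who may Entra-join, can be set from the Microsoft Graph PowerShell SDK. The script below is an added example and is not code from the original post or from Microsoft; the three GUIDs, the quota of 5 and the group used to restrict joins are placeholders, and the field names follow the Graph v1.0 conditionalAccessPolicy and deviceRegistrationPolicy resources, which you should confirm against the current documentation before running this against a production tenant.

```powershell
# Added example (not from the original post): configure the controls discussed above
# with the Microsoft Graph PowerShell SDK.
#   1. A Conditional Access policy that lets a sensitive app be reached only from a
#      device marked compliant (which in turn means Intune-enrolled).
#   2. The device registration policy: cap devices per user and restrict who may
#      Entra-join a device.
# Assumptions (placeholders, not from the post): the three GUIDs, the quota of 5 and
# the group used to restrict joins.

Import-Module Microsoft.Graph.Identity.SignIns

# Delegated scopes for the two endpoints used below.
$scopes = @(
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.Read.All",
    "Policy.ReadWrite.DeviceConfiguration"
)
Connect-MgGraph -Scopes $scopes

$pilotGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: pilot users
$sensitiveApp = "00000000-0000-0000-0000-000000000002"   # placeholder: app (client) ID
$breakGlassId = "00000000-0000-0000-0000-000000000003"   # placeholder: emergency-access account

# --- 1. Conditional Access: require a compliant device for the sensitive app ---------
$caPolicy = @{
    displayName = "Require compliant device for sensitive app"
    # Report-only first: the sign-in log shows what would have been blocked, nobody is locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassId)     # always exclude break-glass accounts
        }
        applications   = @{ includeApplications = @($sensitiveApp) }
        clientAppTypes = @("all")
        platforms      = @{ includePlatforms = @("windows") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")    # compliant = Intune-enrolled and compliance policy met
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
Write-Host "Created CA policy $($created.Id) in state '$($created.State)'"

# --- 2. Device registration policy: device quota and who may join --------------------
# GET the current object as a hashtable, edit it, PUT the whole thing back (the endpoint
# takes a full replacement, not a partial update).
$uri = "https://graph.microsoft.com/v1.0/policies/deviceRegistrationPolicy"
$drp = Invoke-MgGraphRequest -Method GET -Uri $uri
Write-Host "Current per-user device quota: $($drp.userDeviceQuota)"

$drp.Remove('@odata.context')       # response metadata must not be sent back
$drp.userDeviceQuota = 5            # assumption: 5 devices per user is enough here

# Only members of the pilot group may Entra-join devices; everyone else is refused.
# The membership type is selected via @odata.type: all / none / enumerated.
$drp.azureADJoin.allowedToJoin = @{
    "@odata.type" = "#microsoft.graph.enumeratedDeviceRegistrationMembership"
    users  = @()
    groups = @($pilotGroupId)
}

Invoke-MgGraphRequest -Method PUT -Uri $uri -Body $drp | Out-Null

# Read back and confirm the change landed before relying on it.
$check = Invoke-MgGraphRequest -Method GET -Uri $uri
Write-Host "New quota: $($check.userDeviceQuota)"
Write-Host "Join allowed for: $($check.azureADJoin.allowedToJoin.'@odata.type')"
```

Leave the Conditional Access policy in report-only state for a while and review the sign-in log's report-only results before switching `state` to `enabled`; the break-glass exclusion is there so a misconfigured policy cannot lock every administrator out of the tenant.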