Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join)

As far as I know, you can't really prevent someone from registering their device in Entra but you can control what data they can use. A device registration happens automatically, when a user adds their work account under work & school in the windows settings. That in it self isn't a theat because you can still control what data the user can access on which device using conditional access. Just ensure that the users can't enroll their private devices in Intune through automatic enrollment, that will cause you real headaches down the line.

If you're still tied to your local active directory I don't recommend going for Entra ID Join only. Using Hybrid Join is the way to go in this scenario. With hybrid join, users login to their device using their AD Identity but they still have their work & school account linked and can use SSO both on-prem and in M365.

If you have any further questions let me know :)