Forum Discussion
Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join)
I still find it hard to understand the differences between Azure AD Join (Entra Join) vs Hybrid Azure AD Join vs Azure AD Registration (Workplace Join).
I know Azure AD Registration (Workplace Join) is supposed to be best for personal devices (BYOD), but if you have security as an important part of your business, why would you want to allow this? You could end up with a billion random machines in your Entra. What's the benefit of this?
Also, if I have a hybrid environment and I have both cloud and on-prem apps that do auth via both on-prem (for on-prem apps linked to AD) and Entra for cloud, do I need to be Hybrid Azure AD Joined to support on-prem and cloud? Or will a person working from an Azure AD Joined machine still be able to access on-prem resources like file servers and any app that uses AD groups for auth, access provisioning, etc.?
1 Reply
Hi lfk73, check this:
Azure AD Registration (Workplace Join) — for BYOD
Security Concerns: Why allow this?
You're right — letting users register their personal laptops or phones can open the door to unmanaged, potentially insecure endpoints.
Why organizations might still use it:
- Access from anywhere: Users might need access to web-based resources (like Outlook or SharePoint) from their personal devices.
- Conditional Access: You can enforce MFA, device compliance, limited access (e.g., no downloads) even on these registered devices.
- Self-service password reset, SSO, and device-based Conditional Access become available.
How to manage security:
- Use Conditional Access to restrict what registered devices can access (e.g., block access to sensitive apps).
- Use Microsoft Defender for Endpoint to detect risky behavior.
- Use compliance policies (e.g., block jailbroken phones, require PINs).
If you're strict on device control, you can disable self-registration and require only joined (not just registered) devices.
Hybrid Azure AD Join — for hybrid environments
Used when:
- Devices are joined to on-prem AD for legacy apps/file shares.
- You also want them visible and manageable in Entra ID for cloud apps.
Use Case:
- Authenticate to on-prem resources with Kerberos/NTLM.
- Use cloud features (SSO to M365, Conditional Access, etc.)
It’s the default for enterprises with existing AD environments.
Azure AD Join (Entra Join) — Cloud-native devices
Used when:
- You have cloud-first devices (e.g., autopilot-deployed Windows 11 laptops).
- Users sign in using Entra credentials only — no on-prem domain join.
What about access to on-prem resources?
- By default, Azure AD Joined devices can't directly access:
  - File shares
  - Print servers
  - Apps using Kerberos/NTLM or AD-integrated security
Unless you:
- Have line-of-sight to a domain controller (via VPN).
- Use Azure AD Kerberos (newish feature) for things like Windows Hello or file shares.
- Implement Hybrid Identity tools like Azure AD App Proxy for legacy app publishing.
So if your users need access to both on-prem and cloud resources, and your infra is not fully cloud-migrated yet:
Hybrid Azure AD Join is usually required.
TL;DR – Which to use when?
| Scenario | Recommended Join Type |
|---|---|
| Corporate devices, cloud-first | Azure AD Join |
| Corporate devices, on-prem + cloud | Hybrid Azure AD Join |
| BYOD (phones/laptops), limited access | Azure AD Registration |
| Want strict device control | Disable Azure AD Registration |
Final Guidance
- Don’t allow Azure AD Registration freely unless you layer in strong Conditional Access policies.
- If you need both on-prem and cloud app access, Hybrid Azure AD Join is your best bet.
- If moving toward full cloud-native infra, Entra Join (Azure AD Join) is the future — but legacy app support must be addressed.
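Added example (not part of the original thread, and not Microsoft's code): a helper that tells you which of the three states above a Windows device is actually in, by parsing the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields that `dsregcmd /status` prints. The sample status text is constructed for illustration; on a real machine pass the live output as shown at the end.

```powershell
# Classify a device's Entra join state from `dsregcmd /status` output.
# Hybrid = AzureAdJoined + DomainJoined; Entra Join = AzureAdJoined only;
# Registration (Workplace Join) = WorkplaceJoined under "User State" only.
function Get-EntraJoinType {
    param([Parameter(Mandatory)][string]$StatusText)

    # dsregcmd prints "   Name : Value" rows; collect single-word names only.
    $fields = @{}
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }

    $aad = $fields['AzureAdJoined']   -eq 'YES'
    $dom = $fields['DomainJoined']    -eq 'YES'
    $wpj = $fields['WorkplaceJoined'] -eq 'YES'

    if ($aad -and $dom) { return 'Hybrid Azure AD Joined' }
    elseif ($aad)       { return 'Azure AD Joined (Entra Join)' }
    elseif ($dom -and $wpj) { return 'Domain Joined + Azure AD Registered (consider Hybrid Join instead)' }
    elseif ($dom)       { return 'Domain Joined only (not visible in Entra)' }
    elseif ($wpj)       { return 'Azure AD Registered (Workplace Join)' }
    else                { return 'Not joined or registered' }
}

# Constructed sample for a cloud-native laptop (not captured from a real device).
$sample = @"
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : LAPTOP-EXAMPLE
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
"@

Write-Output (Get-EntraJoinType -StatusText $sample)

# On a real device, feed the live output instead of the sample:
# Get-EntraJoinType -StatusText ((dsregcmd /status) -join "`n")
```

Run it on a fleet (for example via a management script) to find machines that are domain-joined but not Entra-visible, or that are only registered where you expected a join.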