@stdcsb There are a number of reasons why Entra-joined is better than hybrid-joining a device. Mainly, the device works anywhere there is an internet connection, whether in the office or out of the office, and you can enable Conditional Access, MFA, and other Zero Trust principles without relying on on-prem infrastructure.
To your question on what the known issues are with hybrid-joining during Autopilot that make us recommend Entra-joined instead: there's only one main issue, and that's the VPN configuration necessary to enable hybrid-joining during Autopilot. But the reason for our recommendation isn't so much an Autopilot reason; it's more that moving from hybrid-joined to Entra-joined requires a device reset, and since Autopilot is provisioning a brand-new device or resetting an existing one, this is the perfect place to take advantage of the new device being Entra-joined. And once it's Entra-joined, you get the other benefits, such as those I listed above.
Also check out "Success with remote Windows Autopilot and hybrid Azure Active Directory join" on the Microsoft Community Hub. This is an older blog post I wrote, and although it's called "Success with", the bottom-line message is that there are known friction points that will increase your deployment effort, your cost of implementation, and long-run pain in general. We've heard from many customers over the years that they wish they had simply skipped hybrid join and instead applied the effort and costs to the long-term solution of Entra join in the first place. Ultimately, every customer and scenario is different, so this may not be the correct answer for your org, but the additional costs and effort should be factored in. If you feel you must implement hybrid join for any reason, we strongly suggest you stick with a legacy provisioning process like ConfigMgr OSD.
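Because the reply hinges on whether a device is Entra-joined or hybrid-joined (and a hybrid device can only move to Entra-joined via a reset), an admin auditing an estate usually wants to classify existing devices first. The following is an added example, not code from the post or from Microsoft: it parses the `AzureAdJoined` and `DomainJoined` flags that `dsregcmd /status` prints and returns the join type. The `Get-DeviceJoinState` function name is mine, and the sample output is constructed so the function can be exercised offline.

```powershell
# Added example (not from the original post): classify a Windows device's join
# state from `dsregcmd /status` output. Assumes the standard "Key : Value" layout.
function Get-DeviceJoinState {
    param(
        # Lines of `dsregcmd /status` output; defaults to running the tool (Windows only).
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $StatusText) {
        # Only the two flags that decide the join type are needed.
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $state[$matches[1]] = $matches[2].ToUpperInvariant()
        }
    }
    $entra  = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'

    if ($entra -and $domain)     { return 'Hybrid Entra joined (reset required to move to Entra joined)' }
    elseif ($entra)              { return 'Entra joined' }
    elseif ($domain)             { return 'On-premises domain joined only' }
    else                         { return 'Not joined' }
}

# Constructed sample of dsregcmd output for a hybrid-joined device, used to
# exercise the classifier without running dsregcmd.
$sampleHybrid = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP'
)

Write-Output ("Sample device: " + (Get-DeviceJoinState -StatusText $sampleHybrid))

# On a real Windows device, call it with no arguments to inspect the local machine:
# Get-DeviceJoinState
```

Run the function across devices (for example via a remediation script) to count how many are still hybrid-joined and therefore need a reset, rather than an in-place change, to become Entra-joined.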