Additional Microsoft 365 users not showing as registered users on an Entra ID joined device.
Most of our clients are on M365 these days, and they consist of the following variations in how they integrate:

  1. On-prem AD with no Entra ID sync to M365.
  2. On-prem AD with Entra ID sync to M365 but no hybrid connection for devices.
  3. On-prem AD with Entra ID sync and hybrid connection for devices with Intune.
  4. No on-prem AD with all devices connected directly to Entra ID and Intune.

For clients using integration methods 1 and 2, we always see multiple device registrations in Entra ID, and for clients using integration method 3, we see a primary user that was used to hybrid join the device, along with additional users showing up as registered in Entra ID.
However, we have just recently discovered that for clients that use method 4, i.e. those that are 100% Entra ID with no on-prem AD, the only user that shows in Entra ID is the user that joined the device. Any other user that logs in and creates a profile on one of these machines is not recorded as a registered user in Entra ID for that device.
So, for clients that use integration methods 1-3, if we want to remotely block access on a particular device for a specific user, we just need to delete their Entra ID registration for that device. However, for clients using method 4, we have no visibility for the additional user, nor can we remotely block a user in this scenario.
Is this behaviour a current bug in the Entra ID join/register process? Or is this the expected behaviour? If the latter, then this seems to be a flaw in the join/register process.
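The audit below is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK to list which users Entra ID records as registered on each device, grouped by join type, so the gap described above (Entra-joined devices showing only the joining user) can be spotted tenant-wide. The scopes, the `-le 1` threshold and the remediation helper are assumptions; device and user IDs are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell
# SDK is installed and the signed-in account holds the listed scopes.
Connect-MgGraph -Scopes 'Device.Read.All', 'Directory.Read.All'

# trustType maps to the integration methods in the post:
#   'Workplace' = Entra registered (methods 1-2, each user registers separately)
#   'ServerAd'  = hybrid joined    (method 3, joining user plus extra registered users)
#   'AzureAd'   = Entra joined     (method 4, typically only the joining user appears)
$devices = Get-MgDevice -All -Property Id, DisplayName, TrustType, OperatingSystem

$report = foreach ($d in $devices) {
    # Registered users come back as directoryObjects; the UPN lives in AdditionalProperties.
    $users = @(Get-MgDeviceRegisteredUser -DeviceId $d.Id)
    [pscustomobject]@{
        Device          = $d.DisplayName
        JoinType        = $d.TrustType
        UserCount       = $users.Count
        RegisteredUsers = ($users | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ';'
    }
}

# Entra-joined devices with at most one registered user: any other local profile on the
# machine is invisible in this view, which is the condition the question is about.
$report | Where-Object { $_.JoinType -eq 'AzureAd' -and $_.UserCount -le 1 } |
    Sort-Object Device | Format-Table -AutoSize

# The remediation the poster uses for methods 1-3: drop one user's registration on one
# device. Requires Device.ReadWrite.All; both parameters are Entra object IDs.
function Remove-RegisteredUserFromDevice {
    param(
        [Parameter(Mandatory)][string]$DeviceId,   # placeholder: device object ID
        [Parameter(Mandatory)][string]$UserId      # placeholder: user object ID
    )
    Remove-MgDeviceRegisteredUserByRef -DeviceId $DeviceId -DirectoryObjectId $UserId
}
```

Run the report first with read-only scopes; the removal helper is only useful for the Workplace and ServerAd rows, since the AzureAd rows are exactly the devices where the extra users never appear.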

1 Reply
No bug, as far as I can tell. The behavior you described seems to be a result of how Azure AD device registration and user authentication work within the Microsoft 365 environment. You must prepare the architecture in order to avoid those unwanted scenarios, in fact.