Azure AD Registered vs. Azure AD Joined
-
As I go through the devices section of AZ-104, it seems clear what registered and joined devices are. In practice it is not as clear. Our network, for example, has local AD and is synced to 365. All the devices, whether somebody's personal phone or a local AD-joined computer, are appearing as Azure AD Registered. There is not one Azure AD Joined or Hybrid Azure AD Joined device. Can anyone explain this?
-
You should be able to see a device's join type in the Azure portal. Navigate to Azure Active Directory > Devices > All Devices. There should be a column for Join Type. If not, you can select Columns from the top menu and add the Join Type column.
Registered devices are registered to Azure AD without requiring an organizational account to sign in to the device. You can manage the device using MDM or MAM. Access to organizational resources will require an Azure AD account.
Local AD-joined devices will show up as Hybrid Azure AD joined. These devices are registered with Azure AD. They require an organizational account to sign in to the device. You can manage these devices with Group Policy, Configuration Manager or co-management with Intune.
-
Thanks for your reply. What I am seeing is that local AD-joined devices are showing up as registered even though an AD account is required to sign in to most of the devices. Being off-network, the credentials are of course cached. Here is a representative screenshot. In our case, all devices, phone or computer, are appearing as registered and we have no "joined" devices like I think we should.
-
I might have found the cause for this. Our domain registered with Azure is a .org domain, but our local AD uses a .local domain. To get the user accounts to sync, we set up an alternate UPN suffix in local AD using that .org name. As far as I know, the alternate UPN does not apply to computers, and the computers would not be synced to Azure. Might that explain why all devices are registered and not joined?
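A quick way to confirm, on the device itself rather than in the portal, which of the states described in the second post a domain PC has actually reached (and so whether the suspected sync problem in the last post is leaving it merely registered) is to read `dsregcmd /status`. The script below is an added example and not code from the thread: `Get-DeviceJoinState` is a name chosen here, while `dsregcmd` and the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` flags it prints are real. The sample report it is run against is constructed.

```powershell
# Added example (not from the thread): classify a Windows device's join state
# from the text of `dsregcmd /status`, which reflects the same state the
# portal's "Join Type" column shows. Get-DeviceJoinState is a hypothetical
# name; dsregcmd and its flag names are real.
function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Report text; when omitted, run dsregcmd on this machine as the
        # signed-in user so the "User State" section (WorkplaceJoined) is filled.
        [string]$StatusText = (dsregcmd /status | Out-String)
    )

    # dsregcmd prints one "   FlagName : YES" style line per flag.
    function Get-Flag([string]$Name) {
        $m = [regex]::Match($StatusText, "(?m)^\s*$Name\s*:\s*(YES|NO)\s*$")
        if (-not $m.Success) { return $null }   # flag absent from this report
        return $m.Groups[1].Value -eq 'YES'
    }

    $azureAdJoined   = Get-Flag 'AzureAdJoined'    # "Device State" section
    $domainJoined    = Get-Flag 'DomainJoined'     # "Device State" section
    $workplaceJoined = Get-Flag 'WorkplaceJoined'  # "User State" section

    # Hybrid join = on-prem domain joined AND Azure AD joined; a device that is
    # domain joined but only workplace joined shows up as "registered".
    $joinType =
        if ($azureAdJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
        elseif ($azureAdJoined)                { 'Azure AD joined' }
        elseif ($workplaceJoined)              { 'Azure AD registered' }
        elseif ($domainJoined)                 { 'Domain joined only (not registered with Azure AD)' }
        else                                   { 'Not joined or registered' }

    [pscustomobject]@{
        AzureAdJoined   = $azureAdJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        JoinType        = $joinType
    }
}

# Constructed sample report: a local AD-joined PC whose user has only
# workplace-joined it, i.e. the "registered" state the thread describes.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
'@

Get-DeviceJoinState -StatusText $sample | Format-List

# On a real machine, omit -StatusText to inspect the device you are on:
#   Get-DeviceJoinState
```

For the sample above the function reports `Azure AD registered`, because `DomainJoined` is YES but `AzureAdJoined` is NO; a device that completed hybrid join would show both as YES. Run it under the interactive user's session (not an elevated service account) or the `User State` section, and with it `WorkplaceJoined`, will be empty.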