Hybrid Infrastructure Management with Microsoft Entra (2024)


Brandon Lee

Cloud and Virtualization Architect. Brandon has over 20 years of experience across multiple sectors. He is responsible for the creative and technical content direction at virtualizationhowto.com

Many organizations are transitioning to a hybrid approach to managing their infrastructure. A large number of enterprise organizations are migrating their collaboration, communication, and productivity solutions to Microsoft 365, as many already have a strong relationship and familiarity with Microsoft products and solutions.

Admins can now manage remote hybrid devices with Microsoft Entra. Microsoft Entra joined devices provide many benefits. Let’s look at Entra joined and Entra hybrid joined devices, what they are, and how they differ from Entra registered devices.

Five states of cloud transformation

To understand how Entra and Entra hybrid devices fit into a cloud migration, let’s better understand the states of cloud transformation according to Microsoft. They outline five states of transformation for a modern cloud posture. This cloud transformation generally involves familiar technologies such as Active Directory and Microsoft Entra ID.

Different organizations may have different goals altogether. Some may want to remove Active Directory entirely. Others may leave Active Directory in place to service legacy applications that will transition to end-of-life at the appropriate time.

Note the following five states as outlined by Microsoft:

  • Cloud attached: Cloud-attached organizations integrate their on-premises systems with Microsoft Entra and maintain both environments. This is where things generally start with a cloud transformation. It requires dual expertise and potentially higher operational costs. Devices and users are managed through Active Directory and synchronized with cloud services. It supports tools like Microsoft 365 and Active Directory Federation Services for app authentication.
  • Hybrid: Hybrid organizations enhance their on-premises systems with cloud capabilities. This helps increase security and reduce complexity, and it eases the transition toward using Microsoft Entra ID for identity and access management (IAM). This state features hybrid joined Windows clients, integration of SaaS platforms like Salesforce with Microsoft Entra ID, and features like self-service password reset and Application Proxy for legacy app authentication.
  • Cloud First: In the cloud-first approach, organizations focus on shifting workloads to Microsoft Entra ID. New Windows clients are cloud-joined and managed via Intune, and federated identity management is migrated to Microsoft Entra ID. This means transitioning traditional file and print services to the cloud and enabling B2B collaborations through Microsoft Entra ID.
  • Active Directory Minimized: Active Directory Minimized organizations minimize Active Directory use by provisioning new users directly in Microsoft Entra ID. They replace on-premises workloads with cloud alternatives like Azure Files and Universal Print. This state also means organizations replace legacy applications that depend on Active Directory, reducing on-premises technical debt.
  • 100% Cloud: 100% Cloud is a fully cloud-centric state. All IAM tasks are managed through Microsoft Entra ID and Azure tools, with no on-premises IAM footprint. All devices and user identities are managed cloud-natively. All network services that rely on Active Directory are transitioned to cloud solutions.

Figure: Microsoft cloud transformation states

Learn more about the five cloud transformation states here: Cloud transformation posture.

Let’s look at two types of device joins, Entra and Entra hybrid, used to accommodate various states of modern cloud transformations using Microsoft technologies.

What is a Microsoft Entra-joined device?

Let’s first understand an Entra joined device. When you join a device to Microsoft Entra, it can be in the cloud or on-premises.

You may have heard the term “Entra registered” device. Is a “joined” device the same thing as a “registered” device? Let’s understand the difference. When you register a device, a user can sign in to it without an organizational account. When you Entra join a device, however, signing in requires an organizational account.

There are other characteristics of a “joined” device. These include the following:

  • They can be used in cloud-only or hybrid environments.
  • You can use either Windows 10 or Windows 11 for Entra join.
  • You cannot use Home editions of either Windows 10 or Windows 11.
  • Joined devices can be provisioned with self-service, bulk enrollment, or Autopilot.
  • They can be managed using Microsoft Intune, Configuration Manager standalone, or co-management with Intune.
  • An Entra joined device enables single sign-on (SSO) to on-premises and cloud resources.

Below is a look at joining a device to Microsoft Entra during the initial setup of a new device:

Figure: Joining a Windows device to Microsoft Entra

You can learn more about Microsoft Entra joined devices here: What is a Microsoft Entra joined device? – Microsoft Entra ID | Microsoft Learn.

When do you use Microsoft Entra join?

Microsoft Entra joined devices help simplify many different challenges in the hybrid enterprise environment. They ease Windows deployments, including of work-owned devices, and allow access to apps and resources from any Windows device.

You can also take advantage of cloud-based device management using Microsoft Intune. Many organizations are pivoting to this type of management, given the hybrid work initiatives common across enterprise environments today. Users can also sign in to Entra joined devices with their Microsoft Entra ID account, which can be synced from on-premises Active Directory.

Like any solution or technology, there are various situations and scenarios where joining devices to Microsoft Entra ID makes a lot of sense. Note the following situations where you can use Microsoft Entra join:

  • You are transitioning to the cloud and using cloud-based MDM solutions like Intune.
  • An on-premises domain join is not possible, such as with tablets.
  • Users mainly use Microsoft 365 or SaaS apps.
  • You have a group of users that need to be managed, and you want to do this using Microsoft Entra ID instead of Active Directory.
  • You want to let remote workers, such as those in a branch office or at home, join their devices.

What about Microsoft Entra hybrid joined devices?

So far, we have discussed native Entra joined devices. Microsoft Entra hybrid join, however, applies to devices that are joined to on-premises Active Directory Domain Services (AD DS) and are also registered with Azure AD. When devices are hybrid joined, they can take advantage of both Azure AD and Active Directory.

Figure: Hybrid joined login

Organizations that want to take advantage of hybrid joined devices need to set up an Azure AD Connect instance for Microsoft Entra hybrid join.

Figure: Azure AD Connect

They also configure a Group Policy Object (GPO) that automatically registers Active Directory joined devices with Azure AD (Microsoft Entra). The device uses a Service Connection Point (SCP), configured through Azure AD Connect, to find the tenant information for Microsoft Entra.
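Because every domain-joined device in the forest reads the SCP to decide which tenant to register with, it is worth verifying that the SCP actually names your tenant before turning on the GPO. The following PowerShell is an added example, not code from the original article or from Microsoft: it reads the SCP from the forest's Configuration partition and compares the tenant it advertises with the one you expect. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module; the object GUID in the distinguished name is the well-known value Microsoft uses for the device registration SCP, and `contoso.example` is a placeholder tenant name.

```powershell
# Added example (not from the original article): read the Service Connection
# Point (SCP) that Entra hybrid join relies on and confirm it points at the
# expected tenant. Assumes the RSAT ActiveDirectory module is available and
# that the caller can read the Configuration partition.

Import-Module ActiveDirectory

function Test-HybridJoinScp {
    param(
        # Tenant name the SCP should advertise (placeholder value in the usage call below)
        [Parameter(Mandatory)] [string]$ExpectedTenant,
        # Optional tenant GUID to cross-check against the SCP's azureADId entry
        [string]$ExpectedTenantId
    )

    # The SCP lives under CN=Services in the forest's Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Well-known GUID Microsoft uses for the device registration SCP object.
    $scpDn = "CN=62a0ff2e-97b9-4ae1-bf26-3d2e5a9f8f8f,CN=Device Registration Configuration,CN=Services,$configNC"

    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        # No SCP: hybrid join cannot discover a tenant from AD at all.
        return [pscustomobject]@{ Found = $false; TenantName = $null; TenantId = $null; Matches = $false; Dn = $scpDn }
    }

    # The keywords attribute carries "azureADName:<tenant>" and "azureADId:<guid>" entries.
    $tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' } | Select-Object -First 1) -replace '^azureADName:', ''
    $tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' }   | Select-Object -First 1) -replace '^azureADId:', ''

    # Match on the name, and on the GUID too when one was supplied.
    $ok = ($tenantName -eq $ExpectedTenant) -and
          ([string]::IsNullOrEmpty($ExpectedTenantId) -or ($tenantId -eq $ExpectedTenantId))

    [pscustomobject]@{
        Found      = $true
        TenantName = $tenantName
        TenantId   = $tenantId
        Matches    = $ok
        Dn         = $scpDn
    }
}

# Usage: replace the placeholder with your own tenant name (and optionally its GUID).
Test-HybridJoinScp -ExpectedTenant 'contoso.example'
```

A result with `Matches` set to `False` means devices would register with a tenant other than the one you intended, so stop and correct the SCP (or your expectation) before the auto-registration GPO reaches the fleet. The SCP is a forest-wide object, so read access is all this check needs; writing it should stay with the Azure AD Connect installation.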

Learn more about Microsoft Entra hybrid joined devices here: What is a Microsoft Entra hybrid joined device? – Microsoft Entra ID | Microsoft Learn.

When to use Hybrid Microsoft Entra joined vs Entra joined

There are a few things to keep in mind when comparing hybrid Azure AD join with Entra joined devices and deciding how to use them during the different stages of your cloud transformation. These include the following:

  • Hybrid Azure AD join extends the AD model and registers devices in Microsoft Entra.
  • Hybrid Azure AD join is a great model for existing devices that are already joined to traditional Active Directory Domain Services environments.
  • If PCs or devices are new, the Entra joined approach is recommended, since it allows you to take advantage of all the cloud-centric management solutions.
  • Entra joined devices don’t connect to the SYSVOL share on traditional domain controllers.
  • Microsoft has been working on bringing settings over from GPOs to the cloud-based MDM. While not all Group Policy settings have been moved over, many organizations find the core policies they use on-premises are available in the cloud.
  • Autopilot is possible with both Entra joined and hybrid joined devices.
  • Even though Autopilot is available for hybrid joined devices, it is considerably more complex than Autopilot for native Entra joined devices.
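When you inherit a fleet at mixed stages of this transformation, the first question is usually which join state a given machine is actually in: Entra joined, Entra hybrid joined, Entra registered (the distinction drawn earlier), or still AD-only. The PowerShell below is an added example, not code from the original article: it parses the report that the built-in `dsregcmd /status` tool prints on Windows 10 and 11 and classifies the device from the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields. The sample report embedded at the bottom is constructed for the example, with placeholder tenant and device values.

```powershell
# Added example (not from the original article): classify a Windows device's
# Entra join state from the output of `dsregcmd /status`. dsregcmd ships with
# Windows 10/11; the function also accepts captured report lines for testing.

function Get-EntraJoinState {
    param(
        # Lines of a dsregcmd /status report. Defaults to running the tool live.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # Collect the "Key : Value" pairs from the report; banner and table lines have no colon and are skipped.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'   # Device State section
    $domainJoined    = $fields['DomainJoined']    -eq 'YES'   # Device State section
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'   # User State section (Entra registered)

    # Hybrid join is AD joined plus Entra joined; registration is a per-user state.
    $state = if ($azureAdJoined -and $domainJoined)        { 'Entra hybrid joined' }
             elseif ($azureAdJoined)                       { 'Entra joined' }
             elseif ($domainJoined -and $workplaceJoined)  { 'AD domain joined, Entra registered for this user' }
             elseif ($workplaceJoined)                     { 'Entra registered' }
             elseif ($domainJoined)                        { 'AD domain joined only (hybrid join not completed)' }
             else                                          { 'Not joined' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $azureAdJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        TenantName      = $fields['TenantName']
        DeviceId        = $fields['DeviceId']
    }
}

# Constructed sample report (not real output from any tenant) showing the shape dsregcmd prints.
$sampleReport = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : contoso.example
                  DeviceId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

# Classify the constructed sample; omit -StatusLines to inspect the machine you are logged on to.
Get-EntraJoinState -StatusLines $sampleReport
```

For the constructed sample, `AzureAdJoined` and `DomainJoined` are both `YES`, so the function reports the device as Entra hybrid joined. The practical caveat is the `AD domain joined only` result: a device covered by the auto-registration GPO can sit in that state for some time after joining the domain, because registration happens on a later sign-in once the device can reach the SCP and the tenant, so treat it as "hybrid join pending" and look at the diagnostic section of the same report rather than assuming the GPO did not apply.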

Should Entra hybrid joined devices be a long-term goal?

Organizations should keep in mind that Entra hybrid join is not a long-term goal for their environment. It simply provides co-existence between traditional Active Directory and Microsoft Entra. Where organizations are not restricted by technical or regulatory constraints, the goal should be to move, or plan to move, their Windows endpoints to Microsoft Entra join.

Wrapping up

There is no question that organizations today are in different stages of their cloud transformation. For a cloud transformation built on Microsoft technologies, Microsoft provides the tools needed for a cloud-centric approach to device management. Microsoft Entra join and Entra hybrid join are two different types of cloud management that benefit organizations in the modern hybrid enterprise. However, per Microsoft’s best practice, Entra hybrid join is not a long-term goal. Instead, organizations should look to a cloud-first or 100% cloud approach for IAM in the future.
