Different Azure AD Join Types
It can take some research and testing to understand the difference between the Azure AD join types.
I have summarised the key differences in the table below.
| Difference between | Azure AD registered | Azure AD joined | Hybrid Azure AD joined |
|---|---|---|---|
| Primary audience | Bring your own device (BYOD), mobile devices | Organizational computer | Organizational computer |
| OS | Windows 10, iOS, Android and macOS | Windows 10 devices (except Windows 10 Home); Windows Server 2019 virtual machines running in Azure (except Server Core) | Windows 10, 8.1 and 7; Windows Server 2008/R2, 2012/R2, 2016 and 2019 |
| Device sign-in options | Local account; Windows Hello | Organizational account in Azure AD; Windows Hello for Business | Organizational account in on-prem AD; Windows Hello for Business |
| Sign-in authenticates against | Local computer | Azure AD | On-prem domain controller |
| Device management | MDM (Intune) | MDM (Intune) | MDM (Intune) and Group Policy |
| SSO | SSO to cloud resources | SSO to both cloud and on-premises resources | SSO to both cloud and on-premises resources |
| Self-service password reset | Only for the local account | For the organizational account at the login/lock screen | For the organizational account at the login/lock screen |
As more and more staff work from home, IT teams are looking for ways to manage identities remotely without relying on line-of-sight to a domain controller. Two points follow from the table:
- If you want to sign in to a computer by authenticating to Azure AD, you need to unjoin the computer from on-prem AD and then join it to Azure AD. A hybrid Azure AD joined computer still authenticates to your domain controller.
- Microsoft recommends the MDM-only approach for managing all Azure AD joined devices, rather than co-management with SCCM.
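When you inventory a fleet, the quickest way to tell which of the three states a given Windows device is in is the "Device State" section of `dsregcmd /status`. The following PowerShell is an added example written for this post (not code from the original post or from Microsoft): it parses that output and maps the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields onto the join types in the table above. The field names are the ones `dsregcmd` prints; the mapping itself is my reading of the table, and the sample output embedded in the script is constructed, not captured from a real machine.

```powershell
# Added example: classify a Windows device's Azure AD join state from the
# output of `dsregcmd /status`. The mapping below is an assumption based on
# the comparison table in this post:
#   AzureAdJoined = YES and DomainJoined = YES  -> Hybrid Azure AD joined
#   AzureAdJoined = YES and DomainJoined = NO   -> Azure AD joined
#   WorkplaceJoined = YES (device not AAD joined) -> Azure AD registered

function Get-JoinTypeFromDsregOutput {
    param(
        [Parameter(Mandatory)]
        [string[]]$Lines
    )

    # Collect every "Key : Value" line into a hashtable; separator and
    # banner lines contain no colon and are skipped.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined    = $fields['AzureAdJoined']   -eq 'YES'
    $domainJoined = $fields['DomainJoined']    -eq 'YES'
    $wpJoined     = $fields['WorkplaceJoined'] -eq 'YES'

    if ($aadJoined -and $domainJoined) { return 'Hybrid Azure AD joined' }
    if ($aadJoined)                    { return 'Azure AD joined' }
    if ($domainJoined)                 { return 'On-prem AD joined only' }
    if ($wpJoined)                     { return 'Azure AD registered' }
    return 'Not joined or registered'
}

# Constructed sample in the shape of `dsregcmd /status` output (values invented)
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CONTOSO',
    '+----------------------------------------------------------------------+',
    '| User State                                                           |',
    '+----------------------------------------------------------------------+',
    '           WorkplaceJoined : NO'
)

'Sample device: ' + (Get-JoinTypeFromDsregOutput -Lines $sample)

# Live check on the machine running the script (dsregcmd ships with
# Windows 10 and Windows Server 2016 and later).
if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    $live = dsregcmd /status
    'This device:   ' + (Get-JoinTypeFromDsregOutput -Lines $live)
}
```

Run it as an ordinary user; `dsregcmd /status` needs no elevation. The checks are ordered so that a hybrid-joined device, which can also report `WorkplaceJoined : YES` in the user section, is still classified as hybrid rather than registered. Running the function over saved `dsregcmd` output from many machines gives a simple way to spot devices that are still domain-only (and therefore still depend on line-of-sight to a domain controller, as the first bullet above notes).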