It can take some research and testing to understand the differences between the Azure AD join types.
I have summarised some key differences in the table below.
| Difference between | Azure AD registered | Azure AD joined | Hybrid Azure AD joined |
|---|---|---|---|
| Primary audience | Bring your own device (BYOD), mobile devices | Organizational computer | Organizational computer |
| OS | Windows 10, iOS, Android, and macOS | Windows 10 devices (except Windows 10 Home); Windows Server 2019 virtual machines running in Azure (except Server Core) | Windows 10, 8.1 and 7; Windows Server 2008/R2, 2012/R2, 2016 and 2019 |
| Device sign-in options | Local account; Windows Hello | Organizational account in Azure AD; Windows Hello for Business | Organizational account in on-prem AD; Windows Hello for Business |
| Sign-in authenticates to | Local computer | Azure AD | On-prem domain controller |
| Device management | MDM (Intune) | MDM (Intune) | MDM (Intune) and Group Policy |
| SSO | SSO to cloud resources | SSO to both cloud and on-premises resources | SSO to both cloud and on-premises resources |
| Self-service password reset | Only for local account | For organizational account at login/lock screen | For organizational account at login/lock screen |
As more and more staff work from home, IT starts to consider solutions that allow remote identity management without relying on line of sight to domain controllers. So:
- If you want to sign in to a computer by authenticating to Azure AD, you will need to unbind the computer from on-prem AD and then bind it to Azure AD. A hybrid Azure AD joined computer will still authenticate to your domain controller.
- Microsoft recommends the MDM-only approach to manage all Azure AD joined devices, rather than co-management with SCCM.
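Before unbinding or rebinding a machine it helps to confirm which of the three join states it is actually in. The following is an added example, not code from the original post: it parses the `Device State` / `User State` fields that `dsregcmd /status` prints on Windows and maps them onto the table above. The sample output embedded here is constructed and abbreviated; the `current_device_join_type` helper is my own and assumes `dsregcmd` is on the PATH.

```python
import re
import subprocess

# Constructed, abbreviated sample of `dsregcmd /status` output for a
# hybrid-joined machine. Real output has many more fields; only the
# AzureAdJoined / DomainJoined / WorkplaceJoined flags matter here.
SAMPLE_HYBRID = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
"""

def parse_dsregcmd(text: str) -> dict:
    """Turn 'Key : VALUE' lines into a dict, ignoring box-drawing headers."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def join_type(fields: dict) -> str:
    """Map the parsed flags onto the three join types compared above."""
    aad = fields.get("AzureAdJoined", "NO") == "YES"
    dom = fields.get("DomainJoined", "NO") == "YES"
    wpj = fields.get("WorkplaceJoined", "NO") == "YES"   # = Azure AD registered
    if aad and dom:
        return "Hybrid Azure AD joined"
    if aad:
        return "Azure AD joined"
    if wpj:
        return "Azure AD registered"
    if dom:
        return "On-prem domain joined only"
    return "Not joined"

def current_device_join_type() -> str:
    """On a Windows host, run dsregcmd and classify the live device (assumed helper)."""
    out = subprocess.run(["dsregcmd", "/status"], capture_output=True,
                         text=True, check=True).stdout
    return join_type(parse_dsregcmd(out))

if __name__ == "__main__":
    print(join_type(parse_dsregcmd(SAMPLE_HYBRID)))  # Hybrid Azure AD joined
```

A machine that reports `AzureAdJoined : YES` together with `WorkplaceJoined : YES` is in both states at once, which is worth cleaning up before changing its join type.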