Systems

Different Azure AD Join Types

It can take some research and tests to understand the difference between different Azure AD join types.

I summarised some key differences in the following.

Difference betweenAzure AD registeredAzure AD joinedHybrid Azure AD joined
Primary audience        Bring your own device (BYOD) Mobile devicesOrganizational computerOrganizational computer
OSWindows 10, iOS, Android, and MacOSWindows 10 devices (except Windows 10 Home) Windows Server 2019 Virtual Machines running in Azure (except Server core)Windows 10, 8.1 and 7 Windows Server 2008/R2, 2012/R2, 2016 and 2019
Device sign in optionsLocal account Windows HelloOrganizational account in Azure AD Windows Hello for BusinessOrganizational account in on-prem AD Windows Hello for Business
Sign in authenticate toLocal computerAzure ADOn-prem domain controller
Device managementMDM (Intune)MDM (Intune)MDM (Intune) Group policy
SSOSSO to cloud resourcesSSO to both cloud and on-premises resourcesSSO to both cloud and on-premises resources
Self-service Password ResetOnly for local accountFor Organizational account at login/lock screenFor Organizational account at login/lock screen

As more and more staff work from home, IT starts to consider solutions to allow remote identity management without relying line-of-sight to domain controllers. so:

  • If you want to login to a computer by authenticating to Azure AD, you will need to unbind the computer from on-prem AD then bind to Azure AD. A hybrid Azure AD joined computer will still authenticate to your domain controller

Leave a Reply