• Different Azure AD Join Types

    It can take some research and tests to understand the difference between different Azure AD join types.

    I summarised some key differences in the following.

    Difference betweenAzure AD registeredAzure AD joinedHybrid Azure AD joined
    Primary audience        Bring your own device (BYOD) Mobile devicesOrganizational computerOrganizational computer
    OSWindows 10, iOS, Android, and MacOSWindows 10 devices (except Windows 10 Home) Windows Server 2019 Virtual Machines running in Azure (except Server core)Windows 10, 8.1 and 7 Windows Server 2008/R2, 2012/R2, 2016 and 2019
    Device sign in optionsLocal account Windows HelloOrganizational account in Azure AD Windows Hello for BusinessOrganizational account in on-prem AD Windows Hello for Business
    Sign in authenticate toLocal computerAzure ADOn-prem domain controller
    Device managementMDM (Intune)MDM (Intune)MDM (Intune) and Group policy
    SSOSSO to cloud resourcesSSO to both cloud and on-premises resourcesSSO to both cloud and on-premises resources
    Self-service Password ResetOnly for local accountFor Organizational account at login/lock screenFor Organizational account at login/lock screen

    As more and more staff work from home, IT starts to consider solutions to allow remote identity management without relying on line-of-sight to domain controllers. so:

    • If you want to login to a computer by authenticating to Azure AD, you will need to unbind the computer from on-prem AD then bind to Azure AD. A hybrid Azure AD joined computer will still authenticate to your domain controller
    • Microsoft recommends to use the MDM-only approach to manage all Azure AD joined devices, instead of co-management with SCCM.