Configure Microsoft Entra Join – Manage Azure identities and governance – AZ-104 Study Guide

Configure Microsoft Entra Join

Also, registration of devices in Entra can be combined with a mobile device management solution, such as Microsoft Intune, Microsoft Endpoint Configuration Manager, Mobile Appli- cation Management (MAM), and Group Policy if it is hybrid joined. This allows for additional device attributes—such as device operating system version and device state (including whether the device is rooted or jailbroken)—to be tracked in Entra ID. Those attributes can then be used to build and enforce conditional access policies, which can further secure corporate data.

To configure device registration in Entra ID, choose Devices, Device Settings. On the Device Settings blade, you can set the configuration for an entire Entra ID tenant, as seen in Figure 1-12.

FIGURE 1-12 Configure device registration settings

On this blade, you can configure the following settings:

  • Users May Join Devices To Microsoft Entra Use this setting to select the users and groups that can join devices to Entra. This setting only applies to Entra Join on Windows 10 or Windows 11 devices. The default value is All and can be changed to Selected or None.
  • Additional Local Administrators On Microsoft Entra Joined Devices With Entra ID Premium or with the Enterprise Mobility + Security suite, you can choose which users are granted Local Administrator rights to the device. Global Administrators and the device owner are granted Local Administrator rights by default. The default value is None and can be changed to Selected. If the value is set to Selected, any users added here are also added to the Device Administrators role in Entra ID.
  • Users May Register Their Devices with Microsoft Entra Allow users to register their devices with Microsoft Entra (Workplace Join). Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires device registration. If you have configured either of these services, All will be selected, and the button associated with the setting will be disabled.
  • Require Multifactor Auth To Join Devices Multifactor authentication (MFA) is recommended when adding devices to Entra. When set to Yes, users who are adding devices from the internet must first use a second method of authentication. Prior to enabling this setting, you must ensure that multifactor authentication is configured for the users who are able to register devices and that those users have set up MFA.
  • Maximum Number Of Devices Per User This setting designates the maximum number of devices that an individual user can have in Entra ID. If the quota is reached, the user will not be able to add a device until one of their existing devices is removed. Valid values for this setting are 5, 10, 20, 50, 100, and Unlimited.

After the directory has been configured, you can begin registering devices. For Entra Join, there are several requirements for devices, including Windows versions. The requirements for Windows versions are driven by the type of Entra Join: hybrid or non-hybrid. Non-hybrid Entra Join is applicable to devices that are not joined to an on-premises Active Directory, whereas hybrid Entra Join is applicable to devices that are joined to an on-premises directory. For hybrid Entra Join, an IT administrator must perform the join to Entra ID.

For non-hybrid Entra Join, Windows 10 and Windows 11 Professional as well as Windows 10 and Windows 11 Enterprise devices can be joined to a directory. For hybrid Entra Join scenarios, you can join current Windows devices, such as Windows 11 and Windows Server 2016. Also, there is support for a hybrid join with down-level devices, including Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.