This chapter covers three device identity models in Microsoft 365: Azure AD Join, Hybrid Azure AD Join, and Workplace Join (Azure AD Registered). Understanding these is critical for the MS-900 exam, particularly in domain 3.3 (Identity and Access Management). Approximately 10-15% of exam questions touch on device identity and join types. You will need to distinguish the scenarios, requirements, and capabilities of each model to choose the correct one for a given business need. This chapter provides a deep dive into the mechanisms, configuration, and exam traps.
Imagine a hotel with three types of key access.

Azure AD Join is like a hotel key that is issued directly by the hotel's central system and works only for doors that are connected to that system. The key is created and managed by the hotel, and it can open your room, the gym, and the pool—all of which are managed by the same central system. There is no separate local lock; the key is the only credential.

Hybrid Azure AD Join is like a corporate key card that works both for the hotel (Azure AD) and for your company's office building (on-premises AD). The card is issued by your company's security office, which syncs with the hotel's system. When you swipe at the hotel, the hotel checks with the company's server to verify you. The card can also open your office door directly without internet, because the office door has a local database.

Workplace Join (Azure AD Registered) is like a day pass you get at the front desk. It gives you limited access—maybe the pool and the restaurant—but not your room or the gym. The pass is tied to your phone number (user identity) and is only valid for the duration of your stay. It doesn't require any pre-existing relationship with the hotel.

In technical terms: Azure AD Join creates a device identity in Azure AD with full management via MDM. Hybrid Azure AD Join extends that to devices already joined to on-premises AD, enabling SSO to cloud and on-prem resources. Workplace Join just registers a personal device for limited access to organizational resources, typically via browser or app.
What Are Device Identity Models?
Device identity models in Microsoft 365 define how devices are associated with Azure AD and how they are managed. There are three primary models: Azure AD Join, Hybrid Azure AD Join, and Workplace Join (also called Azure AD Registered). Each serves a different purpose and has different requirements, capabilities, and use cases. The exam expects you to know which model to recommend based on device ownership, management requirements, and existing infrastructure.
Why Device Identity Matters
Device identity enables conditional access policies that consider device state (compliant, domain-joined, etc.). It also enables single sign-on (SSO) to cloud and on-premises resources, self-service password reset (SSPR) on the lock screen, and seamless access to company resources. Without device identity, every access request is based solely on user identity, which is less secure.
Azure AD Join
Azure AD Join is a cloud-first identity model where devices are joined directly to Azure AD without any dependency on on-premises Active Directory. This is designed for organizations that are fully cloud-based or are transitioning away from on-premises AD. The device gets a device identity in Azure AD, and management is done via MDM (e.g., Microsoft Intune) or other cloud management tools.
How it works internally:
- During the join process, the device registers itself with Azure AD using the Device Registration Service (DRS). The device receives a device certificate (issued by Azure AD) that is used for authentication. The device object is created in Azure AD with a unique device ID.
- The device can be joined during Windows OOBE (Out-of-Box Experience) or via Settings > Access Work or School. The user must have Azure AD credentials and appropriate permissions (by default a user can join up to 10 devices).
- Once joined, the device gets a primary refresh token (PRT) that enables SSO to cloud resources. The PRT is stored in the Windows Credential Manager and is valid for 14 days by default, renewable while the device is connected to the internet.
- The device can be managed via Intune if an MDM policy is configured. Compliance policies can be applied, and conditional access can require the device to be marked as compliant.
Key components, values, defaults:
- Default maximum devices per user: 10 (can be changed in Azure AD settings).
- PRT lifetime: 14 days (renewable).
- Device registration uses TCP port 443 to login.microsoftonline.com.
- The device object in Azure AD has a "join type" attribute set to "Azure AD joined".
Configuration and verification:
- To join a Windows 10/11 device: Settings > Accounts > Access Work or School > Connect > Join this device to Azure Active Directory.
- To verify: run dsregcmd /status on the device. Look for "AzureAdJoined : YES" and "DomainName : <tenant>.onmicrosoft.com".
- Also check in Azure AD portal: Azure Active Directory > Devices > All devices. The device should appear with Join Type = "Azure AD joined".
Hybrid Azure AD Join
Hybrid Azure AD Join is for organizations with existing on-premises Active Directory that want to extend device identity to Azure AD. Devices that are already domain-joined on-premises are registered with Azure AD, creating a device object in both on-premises AD and Azure AD. This enables SSO to both cloud and on-premises resources, and allows conditional access based on device compliance.
How it works internally:
- The process uses Azure AD Connect to sync the on-premises device objects to Azure AD. The devices must be Windows 10/11 or Windows Server 2016+ (with some exceptions for older versions).
- The device registration is triggered by a scheduled task on the device (created by a Group Policy or via Azure AD Connect). The device contacts the Device Registration Service (DRS) and presents its on-premises domain credentials. Azure AD then creates a device object linked to the on-premises device via the device ID.
- The device gets a PRT similar to Azure AD Join, but the device remains fully managed by on-premises AD (Group Policy) and optionally by Intune (co-management).
- The device object in Azure AD has a "join type" of "Hybrid Azure AD joined".
Key components, values, defaults:
- Requires Azure AD Connect with device writeback enabled (for Windows 10/11 devices, writeback is not needed if using the new hybrid join flow via Azure AD Connect sync).
- The scheduled task is named "Scheduled task created by Azure AD Join" and runs every 30 minutes by default.
- The device must have line of sight to an on-premises domain controller for the initial join, but after registration it can work from anywhere with internet.
- Supported on Windows 10/11, Windows Server 2016+, and down-level Windows 8.1/7 with certain updates.
Configuration and verification:
- Configure in Azure AD Connect: Select Device options > Configure Hybrid Azure AD join. Choose the appropriate OS version and proceed.
- Alternatively, use Group Policy to configure the scheduled task.
- To verify: On a domain-joined device, run dsregcmd /status. Look for "AzureAdJoined : YES" and "DomainName : <on-premises domain>" (not the tenant domain). Also check "Device Registration State" should be "Registered".
- In Azure AD portal: The device should show Join Type = "Hybrid Azure AD joined".
Workplace Join (Azure AD Registered)
Workplace Join, now called Azure AD Registered, is for personal devices (BYOD) that need limited access to organizational resources. The device is registered with Azure AD but is not joined to either on-premises AD or Azure AD. This provides a device identity for conditional access and SSO to cloud apps, but the device is not managed by the organization (unless MDM is enrolled voluntarily).
How it works internally:
- The user adds a work or school account to the device via Settings > Accounts > Access Work or School > Connect. The device registers with Azure AD using the user's credentials.
- The device gets a device certificate and a PRT, but the device object in Azure AD has a "join type" of "Azure AD registered". The device is not domain-joined and not managed by MDM unless the user enrolls in Intune.
- The registration is per user; multiple users can register the same device with different accounts.
- The device can be used for conditional access policies that require a registered device (e.g., require device to be marked as compliant or domain-joined—but registered alone is not enough for compliance unless enrolled in MDM).
Key components, values, defaults:
- No on-premises infrastructure required.
- Supported on Windows, iOS, Android, and macOS.
- The device object in Azure AD has a "Join Type" of "Azure AD registered".
- The PRT is still issued, but the device is not managed.
Configuration and verification:
- User can register by going to Settings > Accounts > Access Work or School > Connect and signing in with organizational credentials.
- To verify: Run dsregcmd /status. Look for "AzureAdJoined : NO" and "WorkplaceJoined : YES" (on older versions) or "Device Registration State : Registered" (on newer versions).
- In Azure AD portal: The device shows Join Type = "Azure AD registered".
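The three verification sections above all come down to reading a few fields out of `dsregcmd /status`. The following PowerShell is an added example (not from the chapter) that parses that output and reports the join type; AzureAdJoined, DomainJoined, WorkplaceJoined, DomainName and AzureAdPrt are real dsregcmd fields, while the sample output embedded below is constructed so the script runs offline.

```powershell
# Added example (not from the chapter): parse `dsregcmd /status` output and
# classify the device's join type from the fields the chapter tells you to check.
# The $sample block is constructed; on a real Windows device pass the live output.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "          Key : Value"; the box-drawing banner lines
        # and blank lines do not match this shape and are skipped
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-JoinType {
    param([hashtable]$Fields)
    $aad = $Fields['AzureAdJoined']   -eq 'YES'
    $dom = $Fields['DomainJoined']    -eq 'YES'
    $wpj = $Fields['WorkplaceJoined'] -eq 'YES'
    # Order matters: a hybrid device reports BOTH AzureAdJoined and DomainJoined
    # as YES, so the combination has to be tested before plain Azure AD join.
    if ($aad -and $dom) { return 'Hybrid Azure AD joined' }
    if ($aad)           { return 'Azure AD joined' }
    if ($wpj)           { return 'Azure AD registered' }
    return 'Not joined or registered'
}

function Test-DeviceIdentity {
    param([string[]]$Lines)
    $f = ConvertFrom-DsregStatus $Lines
    [pscustomobject]@{
        JoinType   = Get-JoinType $f
        DomainName = $f['DomainName']              # tenant domain vs. on-prem domain
        HasPrt     = ($f['AzureAdPrt'] -eq 'YES')  # no PRT means no SSO, whatever the join type
    }
}

# Constructed, abridged sample of what a hybrid-joined device prints.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

Test-DeviceIdentity $sample | Format-List

# On a real Windows device, feed the live output instead of the sample:
#   Test-DeviceIdentity (dsregcmd /status)
```

A device that shows AzureAdJoined : YES together with DomainJoined : YES is hybrid joined even if the DomainName line looks like a short NetBIOS name rather than a full on-premises DNS domain.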
How They Interact with Related Technologies
Conditional Access: Can target all three join types. For example, require compliant device for Azure AD joined, require hybrid Azure AD joined for access to on-prem apps, or require registered device for basic SSO.
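As an added example (not from the chapter or from Microsoft's documentation), this is how the "require compliant device or hybrid Azure AD joined device" policy described above looks when created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess permission, and it uses a placeholder for the break-glass exclusion group.

```powershell
# Added example (not from the chapter): create a report-only Conditional Access
# policy that grants access only from a compliant (Intune-managed) device OR a
# Hybrid Azure AD joined device. Report-only lets you see in the sign-in logs
# which Azure AD registered BYOD devices would be blocked before enforcing it.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policy = @{
    displayName = 'Require compliant or hybrid-joined device (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            # Placeholder: object ID of the emergency-access (break-glass) group
            excludeGroups = @('<BREAK-GLASS-GROUP-OBJECT-ID>')
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator = 'OR'
        # compliantDevice    -> device enrolled in Intune and marked compliant
        #                       (any join type, including registered BYOD)
        # domainJoinedDevice -> Hybrid Azure AD joined device
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Switch `state` to `enabled` only after the report-only sign-in log results show no unexpected blocks; a plain Azure AD registered device that is not Intune-enrolled will fail both grant controls.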
Intune: Azure AD joined devices can be automatically enrolled in Intune via MDM auto-enrollment. Hybrid Azure AD joined devices can be co-managed with Intune and Configuration Manager. Azure AD registered devices can be enrolled voluntarily.
Windows Hello for Business: Can be deployed on Azure AD joined and Hybrid Azure AD joined devices. Not supported on Azure AD registered devices without additional configuration.
Self-Service Password Reset (SSPR): On Azure AD joined and Hybrid Azure AD joined devices, users can reset passwords from the lock screen. This is not available on registered devices.
Exam-Specific Details
The exam will ask you to choose the appropriate join type for a scenario. Remember: Azure AD Join = cloud-only, no on-prem AD. Hybrid Azure AD Join = existing on-prem AD, need to sync. Workplace Join = personal devices, BYOD.
Know the default device limit per user: 10 for Azure AD Join.
Know that Hybrid Azure AD Join requires Azure AD Connect (or seamless SSO with federation).
Know that Azure AD Registered does not require any on-prem infrastructure.
The exam may present a scenario where a user has a company-owned Windows 10 laptop that needs to be managed via Intune and also access on-prem file shares. The correct answer is Hybrid Azure AD Join (if on-prem AD exists) or Azure AD Join (if no on-prem AD, and on-prem resources are accessed via VPN or cloud proxies).
Common Misconfigurations
Attempting Hybrid Azure AD Join without Azure AD Connect properly configured.
Not enabling device writeback in Azure AD Connect for down-level devices.
Assuming that Azure AD Registered provides the same management capabilities as Azure AD Join.
Forgetting that Azure AD Join does not automatically grant access to on-premises resources; additional configuration (like VPN or Azure AD Application Proxy) is needed.
Initiate Device Registration
The device registration process begins when a user or system triggers the join. For Azure AD Join, this happens via Windows OOBE or Settings. The device sends an authentication request to Azure AD's Device Registration Service (DRS) at login.microsoftonline.com over HTTPS. The device uses its TPM (if available) to generate the cryptographic key pair it presents in that request. The user authenticates with Azure AD credentials. If the user is allowed to join devices (default: up to 10), Azure AD creates a device object in its directory and issues a device certificate. The certificate is stored in the local machine store and used for future authentication.
Create Device Object in Azure AD
Azure AD creates a device object with attributes such as device ID, display name, operating system, join type (e.g., Azure AD joined), and registration timestamp. The device object is also stamped with the user who joined it as the owner. This object is visible in the Azure AD portal under Devices. The device ID is a GUID that uniquely identifies the device. For Hybrid Azure AD Join, the device object is first created in on-premises AD and then synced to Azure AD via Azure AD Connect. The on-premises device object must have the appropriate attributes (ms-DS-CreatorSID, etc.) for the sync to work.
Obtain Primary Refresh Token
After successful registration, the device receives a Primary Refresh Token (PRT) from Azure AD. The PRT is a JSON Web Token (JWT) that contains claims about the user and device. It is stored in the Windows Credential Manager and is valid for 14 days by default. The PRT is used to obtain access tokens for cloud resources without requiring the user to re-authenticate. The device uses the PRT to request tokens from Azure AD's token endpoint. If the device is offline, the PRT can still be used for cached SSO for up to 14 days. The PRT is renewed automatically when the device connects to Azure AD and the user's session is still active.
Apply Management Policies
Once registered, the device can be managed via MDM (e.g., Intune) if auto-enrollment is configured. For Azure AD Join, the device is automatically enrolled in Intune if the user has an Intune license and the tenant is configured for MDM auto-enrollment. For Hybrid Azure AD Join, the device can be co-managed by Configuration Manager and Intune. Group Policy from on-premises AD still applies. For Azure AD Registered, management is optional; the user can choose to enroll in Intune. Compliance policies can then be applied, and conditional access can require the device to be marked as compliant. The device's compliance status is evaluated and reported to Azure AD.
Enable Single Sign-On and Conditional Access
With the device identity established and management policies applied, the device can now participate in SSO and conditional access. When a user accesses a cloud app, the device presents its PRT to Azure AD. Azure AD issues an access token that includes device claims. Conditional access policies evaluate these claims (e.g., require compliant device, require domain-joined). If the device is compliant and meets policy, access is granted. For on-premises resources, Hybrid Azure AD Join enables Kerberos ticket retrieval via Azure AD Connect or seamless SSO. The device can also use Windows Hello for Business if configured. The entire flow happens transparently to the user.
Scenario 1: Cloud-First Startup
A startup with 200 employees uses only cloud services (Microsoft 365, Salesforce, Slack). They have no on-premises Active Directory. All company-issued laptops are Windows 10. The IT team wants devices to be managed via Intune and enforce conditional access policies requiring compliant devices. They also want users to be able to reset passwords from the lock screen. The correct choice is Azure AD Join. During deployment, IT configures MDM auto-enrollment in Azure AD. When a new hire receives a laptop, they go through OOBE and join to Azure AD using their work credentials. The device is automatically enrolled in Intune, compliance policies are applied, and conditional access blocks non-compliant devices. Common issue: Users exceed the 10-device limit if they reimage frequently. IT must increase the limit or clean up stale devices.
Scenario 2: Large Enterprise with Existing On-Premises AD
A multinational corporation has 50,000 domain-joined Windows 10 devices managed by Group Policy and System Center Configuration Manager (SCCM). They are migrating to Microsoft 365 and want to enable conditional access based on device compliance while still managing devices via SCCM. They also need users to access on-premises file shares. The solution is Hybrid Azure AD Join. IT deploys Azure AD Connect with device sync. They configure a GPO to trigger the hybrid join scheduled task. Devices gradually become hybrid joined. IT then enables co-management in Intune for pilot groups. A common mistake is not enabling device writeback in Azure AD Connect, causing down-level Windows 8.1 devices to fail registration. Also, the scheduled task runs every 30 minutes, so registration may not be immediate. Performance considerations: The sync of 50,000 device objects can take hours; IT should stage the rollout.
Scenario 3: BYOD Program
A university allows faculty and students to access learning management systems and email from personal devices. The IT department wants to enforce multi-factor authentication and require device registration for access to sensitive data, but they do not want to manage personal devices. They choose Azure AD Registered (Workplace Join). Users add their work account to their personal Windows, iOS, or Android device. The device is registered but not managed. Conditional access policies require registered device and MFA. A problem arises when a user sells their device without removing the work account; the device remains registered. IT must implement a process to revoke device registration upon employee exit. Also, because devices are not managed, compliance policies cannot enforce encryption or antivirus. The university accepts this risk for BYOD.
What MS-900 Tests on This Topic
MS-900 objective 3.3 covers "Describe the capabilities of Azure AD," including device identity. Specifically, you need to differentiate between Azure AD Join, Hybrid Azure AD Join, and Azure AD Registered. The exam may ask you to recommend a join type for a given scenario. Common scenario variations: company-owned vs. personal devices, cloud-only vs. hybrid environments, management requirements (MDM vs. Group Policy), and access to on-premises resources.
Common Wrong Answers and Why Candidates Choose Them
Choosing Azure AD Join when the organization has on-premises AD and needs to use Group Policy. Candidates think Azure AD Join is always better because it's cloud-first, but they forget that Azure AD Join devices cannot apply on-premises Group Policy. Hybrid Azure AD Join is needed for that.
Choosing Workplace Join for company-owned devices that need full management. Candidates confuse "registered" with "managed." Workplace Join does not provide MDM enrollment unless the user voluntarily enrolls. For company-owned, fully managed devices, Azure AD Join or Hybrid Azure AD Join is correct.
Thinking Hybrid Azure AD Join requires Azure AD Premium. It does not; it works with Azure AD Free. However, conditional access policies may require Premium licenses.
Assuming all three join types support Windows Hello for Business. Only Azure AD Join and Hybrid Azure AD Join support it; Azure AD Registered does not.
Specific Numbers and Terms That Appear on the Exam
Default devices per user: 10 (Azure AD Join).
PRT lifetime: 14 days.
Hybrid Azure AD Join requires Azure AD Connect (or federation).
Azure AD Registered is for personal/BYOD devices.
The scheduled task for Hybrid Azure AD Join runs every 30 minutes.
Edge Cases and Exceptions the Exam Loves to Test
Down-level Windows devices: Windows 7 and 8.1 can be hybrid joined but require additional configuration (device writeback in Azure AD Connect and specific updates).
Server devices: Windows Server can be Azure AD Joined or Hybrid Azure AD Joined, but not Workplace Joined.
Multiple users on one device: Azure AD Registered supports multiple user registrations; Azure AD Join supports only one user at a time (the primary user).
Offline scenarios: Azure AD Joined devices can still use cached credentials for up to 14 days (PRT lifetime). Hybrid Azure AD Joined devices can also use cached domain credentials.
How to Eliminate Wrong Answers Using the Underlying Mechanism
If the scenario mentions "on-premises Active Directory" and "Group Policy," eliminate Azure AD Join and Workplace Join. Only Hybrid Azure AD Join supports on-prem GP.
If the scenario says "personal devices" or "BYOD," eliminate Azure AD Join and Hybrid Azure AD Join. Choose Workplace Join.
If the scenario says "cloud-only" and "no on-premises infrastructure," eliminate Hybrid Azure AD Join. Choose Azure AD Join.
If the scenario requires "full management via Intune" and "company-owned," Azure AD Join is sufficient (no on-prem AD needed). But if on-prem AD exists and GP is needed, choose Hybrid.
Azure AD Join is for cloud-only environments; no on-prem AD needed.
Hybrid Azure AD Join requires on-prem AD and Azure AD Connect; enables SSO to both cloud and on-prem resources.
Workplace Join (Azure AD Registered) is for personal/BYOD devices; no management by organization.
Default device join limit per user is 10 for Azure AD Join.
PRT lifetime is 14 days, renewable.
Hybrid Azure AD Join scheduled task runs every 30 minutes.
Windows Hello for Business is supported on Azure AD Join and Hybrid Azure AD Join, not on Workplace Join.
Conditional access can target all three join types.
These come up on the exam all the time. Here's how to tell them apart.
Azure AD Join
- No on-premises AD required
- Device joined directly to Azure AD
- Managed via Intune/MDM only
- Suitable for cloud-only organizations
- User can join up to 10 devices by default

Hybrid Azure AD Join
- Requires on-premises AD and Azure AD Connect
- Device joined to on-prem AD and registered in Azure AD
- Managed via Group Policy and optionally Intune
- Suitable for organizations with existing on-prem AD
- Device limit is not enforced by Azure AD (on-prem limit applies)
Mistake: Azure AD Join requires an on-premises Active Directory.
Correct: Azure AD Join is a cloud-only model that does not require any on-premises infrastructure. The device joins directly to Azure AD.

Mistake: Hybrid Azure AD Join and Azure AD Join are the same.
Correct: Hybrid Azure AD Join requires an on-premises AD and sync via Azure AD Connect. Azure AD Join does not. Hybrid devices are managed by both Group Policy and Intune; Azure AD Join devices are managed only by Intune.

Mistake: Workplace Join (Azure AD Registered) provides full device management.
Correct: Workplace Join only registers the device; it does not provide management unless the user voluntarily enrolls in MDM. It is intended for BYOD scenarios where the organization does not manage the device.

Mistake: All three join types support Windows Hello for Business.
Correct: Windows Hello for Business is supported on Azure AD Join and Hybrid Azure AD Join, but not on Azure AD Registered devices.

Mistake: You can have more than 10 devices per user with Azure AD Join by default.
Correct: The default limit is 10 devices per user. This can be increased by an administrator, but the default is 10.
Azure AD Join joins a device directly to Azure AD without any on-premises infrastructure. Hybrid Azure AD Join joins a device to an on-premises Active Directory and also registers it with Azure AD via Azure AD Connect. The key difference is that Hybrid Azure AD Join requires an existing on-prem AD and sync, while Azure AD Join does not. Hybrid devices can be managed by both Group Policy and Intune; Azure AD Join devices are managed only by Intune (or other MDM).
Technically yes, but it is not recommended. Workplace Join (Azure AD Registered) is designed for personal devices (BYOD) where the organization does not manage the device. For company-owned devices that need to be managed (e.g., enforce compliance, push policies), you should use Azure AD Join or Hybrid Azure AD Join.
No, Hybrid Azure AD Join works with Azure AD Free. However, to use conditional access policies that require device compliance, you need Azure AD Premium P1 or P2 licenses for the users. The join itself does not require premium licenses.
Run `dsregcmd /status` from a command prompt on the device. Look for the "AzureAdJoined" field. If it says "YES" and the "DomainName" is your Azure AD tenant (e.g., contoso.onmicrosoft.com), it is Azure AD Joined. If the "DomainName" shows your on-premises domain (e.g., contoso.com), it is Hybrid Azure AD Joined. You can also check in Azure AD portal under Devices > All devices and look at the Join Type column.
The default limit is 10 devices per user. An administrator can increase this limit in the Azure AD settings. This limit applies only to Azure AD Join and Hybrid Azure AD Join, not to Workplace Join (which has no per-user limit).
No. A device can only have one join type. However, a device that is Azure AD Joined or Hybrid Azure AD Joined is automatically considered registered (Azure AD Registered) for the purpose of device identity. But you cannot have both join types simultaneously.
A Primary Refresh Token (PRT) is a JSON Web Token issued by Azure AD to a device after registration. It is used to obtain access tokens for cloud resources without requiring the user to re-authenticate. The default lifetime is 14 days, and it is automatically renewed while the device is connected to the internet and the user's session is active.