Getting Started with Microsoft Entra Registered Devices

Learn how Microsoft Entra-registered devices can help businesses manage and secure various device types while providing necessary access and maintaining compliance.

The shift to remote work and the popularity of bring your own device (BYOD) policies make supporting secure access from various device types a business necessity. The variety of operating systems that run on client devices further complicates balancing security and functionality. In this context, robust device management is crucial for safeguarding critical data while providing necessary access to eligible users and maintaining compliance and control.

Microsoft Entra-registered devices help businesses solve this problem at scale by supporting device registration and assigning devices identities that enable secure resource access. In this article, we discuss how Microsoft Entra device registration works and the steps to register devices with Entra.

Summary of key Microsoft Entra Registered device concepts

The table below summarizes the key Microsoft Entra Registered device concepts and terminologies used in this article.
Concept | Description
Microsoft Entra | A unified Identity and Access Management platform providing authentication, conditional access, MFA, governance, and more.
Microsoft Intune | The cloud-based service for managing devices and applications with security policies.
Device | A physical or virtual endpoint that is managed using Microsoft Entra.
Hybrid identity | An identity that is present both on-premises and in the cloud, allowing unified authentication across both.
Bring your own device (BYOD) | A modern device policy that allows employees and contractors to use their personal devices for work.
Mobile device management (MDM) | A solution that provides management capabilities for mobile devices, mainly across monitoring, enforcing security, and compliance.

Identity for devices

A device is a laptop, desktop, mobile phone, or a more modern entity such as an IoT device or even an AI agent. 

Identities for devices enable identity administrators and security teams to implement device access controls for applications, data, and resources.  

The devices are created in Microsoft Entra using the Device Registration Service or by Intune. In Microsoft Entra, a device can get an identity in one of the following ways:

  • Microsoft Entra registration
  • Microsoft Entra join
  • Microsoft Entra hybrid join

In this article, we will focus on the first method, Microsoft Entra registration, in which the devices are simply registered and not joined. 

Microsoft Entra Registered devices

Microsoft Entra Registered devices, also called Workplace joined devices, are personal devices registered by users using their Entra ID to access organizational resources. They enable BYOD scenarios, especially on mobile devices, where users/employees can access organizational resources and data using their personal devices.

These devices can be further enrolled in an MDM tool like Microsoft Intune to enable and enforce additional control mechanisms such as encryption and password complexity. 

The devices can be end-user/employee-owned or organization-owned. In simple words, Microsoft Entra is aware of the device but does not require that the user use an organization ID to authenticate to the device. 

Device management using Microsoft Entra. (Source)


Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires Device Registration.

Microsoft Entra Registered device features

While device registration does not provide complete device control, there are still many useful features, such as: 

  • Unique identification: Registering devices creates a unique identity for the device associated with the user account.
  • Secure access to resources: The registration enables secure access to organizational resources like Microsoft 365 applications, OneDrive, SharePoint, or other custom SaaS applications built by the organization.
  • Cross-platform support: Microsoft Entra registration provides broad compatibility supporting multiple operating systems/platforms such as Windows, macOS, iOS, and Android.
  • Multifactor authentication (MFA): Device registration supports requiring MFA during registration. 
  • Conditional access: When enrolled in an MDM like Intune, security administrators can enable conditional access, such as blocking access to non-compliant devices. 
  • Single sign-on (SSO): Registration enables SSO to organizational resources, so users avoid repeated logins.
  • Monitoring and visibility: Security teams can monitor sign-ins and other activities, though limited, and get visibility into devices and their usage. 

Supported operating systems and platforms

The following operating systems and platforms can be onboarded as Microsoft Entra Registered devices:

  • Windows 10 or newer
  • macOS 10.15 or newer
  • iOS 15 or newer
  • Android
  • Linux:
    • LTS versions of Ubuntu 20.04, 22.04, 24.04
    • Red Hat Enterprise Linux 8, 9

Provisioning devices

The table below shows the provisioning methods each platform supports.

Platform | Provisioning Method
Windows 10, 11 | Register the device using the Access work or school option in Accounts under Settings
iOS/Android | Use the Microsoft Authenticator app for simple registration; use the Company Portal app for Intune-based enrollment
macOS | Use the Company Portal app for Intune-based enrollment

Sign-in options

Microsoft Entra registered devices can use any of the supported sign-in options, such as:

  • Password
  • PIN
  • Windows Hello
  • Device local credentials
  • Biometrics

Use cases for Microsoft Entra Registered devices

Microsoft Entra Registered devices are ideal for use cases where organizations need a lightweight and flexible access control method for multiple devices. Specific examples of common use cases include:

  • Device access for contractors, guests, and vendors
  • BYOD support for employees 
  • Enabling users to access resources from a wide range of platforms


Microsoft Entra Registered vs. Joined vs. Hybrid Joined

Choosing between the three device join types depends on factors such as who owns and manages the device, who owns the data, whether the environment is cloud-first or hybrid, and what features/capabilities are needed. The following table provides a high-level overview of the differences between these device join types:

Attribute | Microsoft Entra Registered | Microsoft Entra Joined | Microsoft Entra Hybrid Joined
Device type | User-owned (or personal) device | Company-owned device | Company-owned device
Join status | Devices are not joined to either an on-premises AD or Microsoft Entra | Devices are joined to Microsoft Entra only | Devices are joined to an on-premises AD and Microsoft Entra
Authentication | Device authentication using a local ID; requires Microsoft Entra ID for accessing resources | Device authentication using Microsoft Entra ID | Device authentication using an identity that exists in both on-prem AD and Microsoft Entra ID
Authentication types supported | OAuth, SAML | OAuth, SAML | Kerberos/NTLM, LDAP, OAuth, SAML
OS/platform support | Windows 10 and above, iOS, Android, macOS 10.15 and above, Ubuntu Linux 20.04/22.04/24.04 LTS, Red Hat Enterprise Linux 8 and 9 | Windows 10 and 11, excluding Windows Home Editions | Windows 8.1, 10, and 11, excluding Windows Home Editions, Windows Server editions 2008 and above
Device sign-in methods | Password, PIN, Windows Hello, Device local credentials, Biometrics | Password, Windows Hello for Business, FIDO | Password, Windows Hello for Business (Windows 10 and above)

How to register devices with Microsoft Entra

In this tutorial, we will learn how to enable device registration, enable MFA (optional), register a device, and view it in the Microsoft Entra admin center.

Enable device registration

One of the first things you must do is allow users to register their devices with Microsoft Entra. 

You can enable this in Device settings under Devices in the Microsoft Entra admin center. In most cases, this is already enabled and set to All.

Allow Users to Register Devices


This setting is automatically set to All and disabled from further changes if you have configured Enrollment with Microsoft Intune or Mobile Device Management for Office 365.

NOTE: Device registration is mandatory for enrollment to MDM.

Allow Users to Register Devices Disabled


Require MFA (optional)

For security reasons, you may require MFA when registering devices with Microsoft Entra. There are two ways to do this:

  1. With Conditional Access (recommended), which requires enrolling devices in Intune. Note that you must have a Microsoft Entra Premium license.
  2. Without Conditional Access

In the Microsoft Entra admin center, you can turn on the option to require MFA (without Conditional Access) in the Device settings under Devices.

Turning on Require MFA


Registering a Windows device

To register a Windows device, go to Settings and select Accounts. Select the Access work or school option on the left and click Connect.

Register a Windows Device


Sign in using a Microsoft Entra ID and complete the sign-in process. Do not click any of the Join this device options at the bottom. They are for Microsoft Entra joined scenarios.

Sign in using Microsoft Entra ID
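
To confirm that a Windows device ended up registered rather than joined, you can inspect the output of the built-in `dsregcmd /status` command. The following is an added example, not part of the original article: it parses that output and maps the state flags to the three join types. The sample text is constructed and trimmed, and the function names are hypothetical.

```python
import re

# Constructed, trimmed sample of `dsregcmd /status` output (not from a real host).
SAMPLE_REGISTERED = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : YES
             WamDefaultSet : NO
"""

FIELD = re.compile(r"^\s*([A-Za-z]\w*)\s+:\s+(\S.*?)\s*$")


def parse_dsregcmd(text):
    """Collect every 'Name : Value' line; banner and separator lines are skipped."""
    return {m.group(1): m.group(2) for m in map(FIELD.match, text.splitlines()) if m}


def join_type(fields):
    """Map the state flags to the join types compared in this article."""
    def yes(key):
        return fields.get(key, "NO").upper() == "YES"

    if yes("AzureAdJoined") and yes("DomainJoined"):
        return "hybrid joined"
    if yes("AzureAdJoined"):
        return "joined"
    if yes("WorkplaceJoined"):
        return "registered"
    return "not registered"


if __name__ == "__main__":
    print(join_type(parse_dsregcmd(SAMPLE_REGISTERED)))
```

A result of "joined" on a personal device indicates that one of the Join this device options was selected during sign-in.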


Registering an iOS device

Use the Microsoft Authenticator app to register an iOS or Android device to Microsoft Entra. In the app, click the menu icon on the left and select Settings. Next, select

Registering an iOS Device Workflow


In the next step, enter an organizational email (Microsoft Entra ID) and complete the sign-in process. Once the sign-in process is complete, the device is registered.

For an Android device, the steps are similar using the Microsoft Authenticator app.

Viewing registered devices in Microsoft Entra

You can view and manage the registered devices either from Microsoft Entra in Azure or from the Microsoft Entra admin center.

To manage devices through the Microsoft Entra admin center, expand Identity followed by Devices in the left navigation menu and select Overview.

Viewing Devices in Microsoft Entra


It is important to note that simply registering a device in Microsoft Entra does not enroll it. For device enrollment, a Mobile Device Management (MDM) solution such as Microsoft Intune is required. More details on device enrollment can be found in the Microsoft enrollment guide.
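
The same inventory is available programmatically through the Microsoft Graph `devices` endpoint. The following is an added example, not part of the original article: it filters a device list down to registered devices (`trustType` of `Workplace`) and flags those that are registered but not MDM-enrolled, non-compliant, or stale. The device records are constructed, and the function name and the 90-day staleness threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# trustType values of the Microsoft Graph device resource -> join type in this article.
TRUST_TYPES = {"Workplace": "registered", "AzureAd": "joined", "ServerAd": "hybrid joined"}

# Constructed response in the shape of GET https://graph.microsoft.com/v1.0/devices
SAMPLE = json.loads("""
{"value": [
 {"displayName": "alice-iphone", "trustType": "Workplace", "isManaged": true,
  "isCompliant": true, "approximateLastSignInDateTime": "2025-05-20T08:15:00Z"},
 {"displayName": "bob-laptop", "trustType": "Workplace", "isManaged": false,
  "isCompliant": null, "approximateLastSignInDateTime": "2025-05-28T17:40:00Z"},
 {"displayName": "carol-android", "trustType": "Workplace", "isManaged": true,
  "isCompliant": false, "approximateLastSignInDateTime": "2024-11-01T09:00:00Z"},
 {"displayName": "corp-desktop-01", "trustType": "AzureAd", "isManaged": true,
  "isCompliant": true, "approximateLastSignInDateTime": "2025-05-30T12:00:00Z"}
]}
""")
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible


def audit_registered(devices, now, stale_days=90):
    """Return (displayName, reasons) for registered devices that need attention."""
    findings = []
    for dev in devices:
        if TRUST_TYPES.get(dev.get("trustType")) != "registered":
            continue  # joined and hybrid joined devices are out of scope here
        reasons = []
        if not dev.get("isManaged"):
            reasons.append("not MDM-enrolled")  # registered only, no Intune policy
        elif not dev.get("isCompliant"):
            reasons.append("non-compliant")
        last = dev.get("approximateLastSignInDateTime")
        if last is None:
            reasons.append("stale")  # never signed in
        else:
            seen = datetime.fromisoformat(last.replace("Z", "+00:00"))
            if now - seen > timedelta(days=stale_days):  # stale_days is an assumed threshold
                reasons.append("stale")
        if reasons:
            findings.append((dev["displayName"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_registered(SAMPLE["value"], NOW):
        print(name, ", ".join(reasons))
```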

Managing Devices using Cayosoft

Cayosoft is a leader in Active Directory and Entra management, monitoring, and recovery solutions and has products that can help you manage registered devices.

For devices that are simply registered and not managed through Intune, you can use Cayosoft Administrator to view them and move them to Azure AD Administrative units. You can also modify certain properties associated with these registered devices. Cayosoft Guardian monitors changes to these devices but cannot recover them since they are not Intune-managed. 

Using the Administrator web portal, users can enable, disable, delete, and update the properties of Intune-managed devices. Additionally, Guardian collects changes in the properties of Intune-managed devices and can help recover Intune devices or policies, which is not natively possible with Microsoft Entra.


Conclusion

While Microsoft Entra offers robust device registration capabilities, many organizations struggle with the practical realities of maintaining visibility and control across their hybrid identity infrastructure.

Cayosoft’s unified management platform bridges these gaps by providing a single pane of glass for your entire Entra device ecosystem. Our solution gives you real-time visibility into device registration status, automates critical lifecycle processes, and maintains detailed audit logs of all device identity changes.

Organizations using Cayosoft report a considerable reduction in device management tasks and faster incident response when security issues arise. To learn more about how Cayosoft can transform your Entra device management experience, request a personalized demo today.
