Demystifying Azure AD Registered Devices
In the modern landscape of interconnected devices and remote work, understanding the fundamentals of Azure AD Registered Devices is crucial. This blog serves as a comprehensive guide to shed light on what Azure AD Registered Devices entail and how to register devices with Azure Active Directory.
Watch the video
To learn what Azure AD registered devices are and how to register devices with Azure AD, please watch this video on our YouTube channel.
What are Azure AD Registered devices?
A device identity is an object in Azure Active Directory. Just as users, groups and applications are objects in Azure AD, devices are objects too. There are three ways to add a device to Azure AD as a device identity:
- Azure AD Registration
- Azure AD Join
- Hybrid Azure AD Join
In this article we will focus on Azure AD registered devices, so let’s understand what an Azure AD registered device is and how it works.
Azure AD registered devices are personal devices, also called Bring Your Own Device (BYOD).
The supported operating systems for Azure AD registered devices are Windows, macOS, iOS and Android. If a user has a personal computer or a personal mobile phone, they can register that device with Azure AD. The user signs in to the device with a personal account, but during the registration process they must enter their Azure AD credentials.
How does Azure AD Registration work?
Let’s understand how the Azure AD device registration process works.
- When a user registers a personal device with Azure AD, they enter their Azure AD credentials on the device.
- Azure AD authenticates the user account. Once the user is authenticated, the device is registered in Azure AD and a device identity is created in Azure Active Directory. During this process, Azure AD pushes a certificate to the device so that Azure Active Directory can trust it.
- Once registration completes, single sign-on is enabled on the device. That means when the user signs in to any application in Microsoft 365/Azure, they are not asked to enter their credentials again.
- Once a device identity exists in Azure Active Directory, you can manage the device with MDM or MAM policies through Intune, or control the access of these devices using Conditional Access policies.
How to register a device with Azure AD?
I am going to register a Windows 10 machine with Azure AD. I am logged in to this machine with my personal account, so it is a personal device. The machine is not joined to any domain, so it is a workgroup machine.
I have created a user “[email protected]” in Azure AD, and I will use this account to register the Windows 10 machine with Azure AD.
1. On the Windows 10 machine, go to Settings > Accounts > Access work or school.
Click Connect, enter the user principal name of the Azure AD user and click Next. On the next screen, enter the password and click Sign in.
If the sign-in is successful, you will see a screen as shown below:
You will also see the user’s account added under Access work or school, as shown below:
Validate whether the device is registered with Azure AD
To validate that the Windows 10 device was successfully registered with Azure AD, use any of the following steps:
1. In the Azure portal, go to Microsoft Entra ID > Devices > All Devices. On this screen you will see the device you registered with Azure AD. Please see the screenshot below:
2. Open a command prompt on the machine and run dsregcmd /status.
If WorkplaceJoined is set to YES, the device is registered with Azure AD.
3. Now let me show you the certificate that Azure AD pushes to the device. On the machine, open Run, type MMC and press Enter. Click File > Add/Remove Snap-in, select Certificates and click Add. Select My user account, click Finish and then click OK.
Expand Certificates – Current User, expand Personal and select Certificates. Here you will see the certificate that Azure AD pushed to this device.
4. The last way to validate Azure AD device registration is through the Event Viewer logs.
Go to Event Viewer > Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin.
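The three local checks above (dsregcmd output, the device certificate in the user’s Personal store, and the User Device Registration admin log) can be scripted so that a help desk can verify a BYOD registration in one go. The script below is an added example, not code from the original article; it assumes Windows 10 with dsregcmd.exe available, runs as the user who performed the registration, and relies on the field names dsregcmd prints (WorkplaceJoined, AzureAdJoined, WorkplaceDeviceId, WorkplaceTenantId, WorkplaceThumbprint) and on the registration certificate being issued by MS-Organization-Access.

```powershell
# Added example: check Azure AD registration state on a Windows 10 machine.
# Assumes dsregcmd.exe is on PATH and the script runs as the registering user.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines grouped in sections;
    # collect every key/value pair into one hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*)$') {
            $status[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $status
}

function Test-AzureAdRegistered {
    $s = Get-DsregStatus
    # A registered (BYOD) device shows WorkplaceJoined YES in the User State
    # section; AzureAdJoined YES would instead mean an Azure AD joined device.
    $workplace = $s['WorkplaceJoined'] -eq 'YES'
    $joined    = $s['AzureAdJoined']   -eq 'YES'

    # The certificate pushed during registration sits in the user's Personal
    # store (the same place the MMC steps above look) with this issuer.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
        Select-Object -First 1
    # Assumption: dsregcmd reports the expected thumbprint as WorkplaceThumbprint;
    # if that field is missing, fall back to "a certificate exists".
    $expected = $s['WorkplaceThumbprint']
    $certOk = [bool]$cert -and (-not $expected -or $cert.Thumbprint -eq $expected)

    # Recent errors in the admin log are the first place to look when a
    # registration did not complete (the Event Viewer path from step 4).
    $errors = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'; Level = 2
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        WorkplaceJoined  = $workplace
        AzureAdJoined    = $joined
        DeviceId         = $s['WorkplaceDeviceId']
        TenantId         = $s['WorkplaceTenantId']
        CertificateFound = [bool]$cert
        CertificateOk    = $certOk
        CertExpires      = if ($cert) { $cert.NotAfter } else { $null }
        RecentErrors     = @($errors).Count
        Registered       = $workplace -and -not $joined -and $certOk
    }
}

Test-AzureAdRegistered | Format-List
```

A Registered value of False together with a non-zero RecentErrors count points you straight to the event log entries to read next.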
I hope this article was helpful and informative. It explains the background process of Azure AD device registration and can also help you troubleshoot device registration in Azure AD.
Happy Learning!!