Microsoft Entra ID

Device Management in Entra ID: Complete Guide to Joined, Registered Devices & Troubleshooting

📅 July 9, 2026 ✍️ By Cloud Knowledge ⏱️ 45 min read 📂 Tech
🎯 Focus Keyword: “Device management in Entra ID” — This comprehensive guide covers every aspect of device management in Entra ID, from device join types to advanced troubleshooting. You’ll find this key phrase woven throughout to help you master the complete device identity lifecycle in Microsoft’s cloud-based identity platform.

1. Introduction to Device Management in Entra ID

In today’s modern, cloud-first enterprise landscape, device management in Entra ID has become a cornerstone of identity and access security. Microsoft Entra ID (formerly Azure Active Directory) serves as the identity backbone for millions of organizations worldwide, and its device management capabilities are essential for enforcing security policies, enabling seamless single sign-on (SSO), and maintaining visibility across all endpoints that access corporate resources. Whether your workforce uses corporate-owned laptops, personal smartphones under BYOD policies, or on-premises domain-joined servers synced to the cloud, device management in Entra ID provides the framework to govern every device identity with precision.

The evolution from traditional on-premises Active Directory to cloud-native identity management has transformed how IT administrators approach endpoint security. No longer are devices managed solely through Group Policy Objects (GPOs) and domain membership. Today, device management in Entra ID leverages modern authentication protocols—including those detailed in our comprehensive guide on OAuth 2.0 and OpenID Connect—to deliver token-based device authentication that is both more secure and more flexible than legacy Kerberos-based approaches.

This guide is your definitive resource for understanding every facet of device management in Entra ID. We will explore the three primary device identity types: Entra ID joined, Entra ID registered, and hybrid Entra ID joined devices. We’ll dive deep into how device registration works under the hood, the critical role of the Primary Refresh Token (PRT), how to configure device settings and compliance policies, and most importantly, how to troubleshoot common device issues that plague administrators. Along the way, we’ll answer 10 frequently asked questions and share best practices drawn from real-world experience. For those also working with third-party identity providers, our guide on Okta SSO setup with Salesforce offers complementary insights into federated identity scenarios.

💡 Key Takeaway: Effective device management in Entra ID is not just about registering devices—it’s about creating a comprehensive device identity strategy that integrates with conditional access, compliance policies, mobile device management (MDM), and continuous access evaluation to protect your organization’s data wherever it resides.

2. What Is Device Management in Entra ID?

Device management in Entra ID refers to the suite of capabilities within Microsoft Entra ID that enable organizations to register, join, configure, monitor, secure, and retire devices that access corporate resources. It encompasses the entire device lifecycle—from the moment a device is first enrolled to when it is decommissioned or becomes stale. The core objective of device management in Entra ID is to establish a trusted device identity that can be used in authentication and authorization decisions, ensuring that only known, healthy, and compliant devices can access sensitive corporate data.

At its heart, device management in Entra ID bridges the gap between the physical endpoint and the cloud identity. When a device is registered or joined in Entra ID, a device object is created in the directory. This device object has a unique device ID, carries metadata such as the operating system version, device owner, join type, and compliance status, and can be targeted by conditional access policies. The device identity becomes a first-class citizen in the Entra ID ecosystem, right alongside user identities and service principals. For administrators who also manage Okta workflows and automations, similar device trust concepts apply across identity platforms.

2.1 Core Components of Device Management in Entra ID

  • Device Registration: The process by which a device creates an identity object in Entra ID. This is the foundational step for all device management in Entra ID scenarios.
  • Device Join: A stronger form of registration where the device establishes a deeper trust relationship with Entra ID, enabling features like Windows Hello for Business and seamless SSO.
  • Device Compliance: Policies evaluated by Microsoft Intune (or a third-party MDM) that determine whether a device meets organizational security requirements. Compliance is a critical pillar of device management in Entra ID.
  • Conditional Access: Policies that gate access to resources based on device state, including whether the device is joined, registered, compliant, or hybrid-joined.
  • Device Writeback: The synchronization of device objects from Entra ID back to on-premises Active Directory, enabling hybrid scenarios.
  • Device Cleanup: Automated and manual processes to remove stale, inactive, or decommissioned devices from the directory.

The importance of robust device management in Entra ID cannot be overstated. According to Microsoft’s Digital Defense Report, over 80% of security breaches involve compromised endpoints. By ensuring that every device accessing your tenant is known, trusted, and compliant, you dramatically reduce the attack surface. For a deeper look at how authentication protocols underpin device trust, our SAML tracer deep dive article explains how to capture and decode SAML assertions that carry device claims during SSO transactions.

3. Device Identity Types in Entra ID

A successful device management in Entra ID strategy begins with understanding the three primary device identity types. Each type serves a distinct purpose and aligns with different organizational scenarios. Choosing the right device identity type is crucial because it determines the level of security, the user experience, and the management capabilities available for each endpoint.

3.1 Entra ID Joined Devices

An Entra ID joined device represents the gold standard for corporate-owned, cloud-native device management. When a device is Entra ID joined, it signs in exclusively with an organizational account (e.g., user@contoso.com) and is fully managed through device management in Entra ID and Microsoft Intune. This is the recommended configuration for organizations that are cloud-first and do not rely heavily on on-premises Active Directory. Entra ID joined devices receive a Primary Refresh Token (PRT) which enables true device-based conditional access and seamless SSO to both cloud and on-premises resources (when configured with Entra Connect and appropriate Kerberos trust).

Key characteristics of Entra ID joined devices:

  • Ownership: Corporate-owned, fully managed by the organization.
  • Sign-in: Organizational account only; no local account or personal Microsoft account for primary sign-in.
  • SSO: Seamless SSO to cloud apps and on-premises resources (with proper hybrid configuration).
  • PRT: Full Primary Refresh Token issued, stored in CloudAP, protected by TPM.
  • Management: Fully manageable via Intune MDM, including compliance policies, configuration profiles, and app deployment.
  • Windows Hello for Business: Fully supported with biometric and PIN-based authentication.
  • Conditional Access: Satisfies “Require device to be marked as compliant” and “Require Entra ID joined device” grant controls.

Device management in Entra ID for joined devices is the most comprehensive. Administrators can push configuration profiles, enforce disk encryption (BitLocker), manage firewall rules, deploy software, and even remotely wipe the device if it’s lost or stolen. The deep integration between Entra ID joined devices and Microsoft Intune makes this the preferred choice for organizations provisioning new Windows 10/11 laptops to employees. For a practical video demonstration, check out our step-by-step video tutorial on device identity troubleshooting that walks through common Entra ID join scenarios.

💡 Pro Tip: When setting up Entra ID joined devices, ensure the out-of-box experience (OOBE) network has access to the required Microsoft endpoints. Blocked URLs are one of the most common reasons for Entra ID join failures. Use the dsregcmd /status command post-join to verify the device state.

3.2 Entra ID Registered Devices

Entra ID registered devices cater to bring-your-own-device (BYOD) scenarios and personal devices that need lighter-touch access to corporate resources. Unlike Entra ID joined devices, registered devices do not require an organizational account for the primary device sign-in. Instead, users can sign in with a local account or a personal Microsoft account and then add their work or school account to specific applications (like Microsoft Teams, Outlook, or the Company Portal app). This makes device management in Entra ID for registered devices more about application-level protection than full device control.

Key characteristics of Entra ID registered devices:

  • Ownership: Typically personal/BYOD, though can also be corporate-owned in specific scenarios.
  • Sign-in: Primary sign-in with local account or personal Microsoft account; work account added at the application level.
  • SSO: Limited SSO; primarily for the applications where the work account is added.
  • PRT: A limited or “lightweight” PRT may be issued depending on the platform (iOS, Android, Windows).
  • Management: Managed via Intune MAM (Mobile Application Management) rather than full MDM; organizational data is protected within managed apps.
  • Conditional Access: Can satisfy “Require approved client app” and “Require app protection policy” controls, but typically does not satisfy full device compliance requirements.

The beauty of device management in Entra ID is its flexibility—registered devices coexist peacefully alongside joined devices in the same tenant. For instance, an employee might have an Entra ID joined corporate laptop and an Entra ID registered personal iPhone, both accessing corporate email through Outlook. The administrator can apply different policies to each device type, ensuring corporate data is protected on the personal phone through app protection policies (preventing copy/paste to personal apps, requiring PIN on the corporate app, etc.) without intruding on the user’s personal photos, messages, or other private data.

3.3 Hybrid Entra ID Joined Devices

Hybrid Entra ID joined devices represent the bridge between on-premises Active Directory and the cloud. In this scenario, a device is joined to an on-premises AD domain and also registered/joined in Entra ID through Microsoft Entra Connect synchronization or through the device’s own awareness of the tenant. This is the most common configuration for organizations that have existing on-premises infrastructure and are gradually transitioning to the cloud. Device management in Entra ID for hybrid joined devices combines the strengths of both worlds—on-premises Group Policy management and cloud-based conditional access.

Key characteristics of hybrid Entra ID joined devices:

  • Ownership: Corporate-owned, managed through both on-prem AD and cloud.
  • Sign-in: Primary sign-in with on-premises domain account; cloud identity is linked via Entra Connect.
  • SSO: Seamless SSO to both on-premises resources (file shares, printers, legacy apps) and cloud apps.
  • PRT: Full PRT issued when the user signs in on a hybrid joined Windows 10/11 device.
  • Management: Dual management—GPOs for on-premises settings, Intune for cloud-based policies and compliance.
  • Conditional Access: Satisfies “Require hybrid Entra ID joined device” grant control.

The hybrid join process relies on Microsoft Entra Connect to synchronize the device objects from on-premises AD to Entra ID. Once synchronized, the device appears in the Entra admin center with a join type of “Hybrid Entra ID joined.” Administrators can then apply conditional access policies that require hybrid join status, ensuring that only domain-joined, corporate-managed devices can access sensitive cloud applications. For organizations navigating complex identity federation setups, our detailed tutorial on Okta SSO setup with Salesforce SAML 2.0 demonstrates how third-party IdPs interact with device claims in hybrid environments.

⚠️ Important: Hybrid Entra ID join requires careful planning around Service Connection Points (SCP) in your on-premises AD forest. The SCP tells domain-joined Windows devices which Entra ID tenant to register with. Misconfigured SCPs are a leading cause of hybrid join failures. Always validate your SCP configuration using the dsregcmd /status command and verify the tenant ID and tenant name fields.

3.4 Comparison Table: Device Identity Types

Feature Entra ID Joined Entra ID Registered Hybrid Entra ID Joined
Primary Sign-in Organizational account Local / Personal Microsoft account On-premises domain account
Device Ownership Corporate Personal (BYOD) Corporate
PRT Issued ✅ Full PRT ⚠️ Limited / Platform-dependent ✅ Full PRT
Windows Hello for Business ✅ Fully supported ❌ Not supported ✅ Fully supported
MDM Management ✅ Full Intune MDM ⚠️ MAM only ✅ Intune + GPO
Conditional Access Require compliant / joined App protection policies Require hybrid joined
On-prem SSO ✅ With Kerberos Cloud Trust ❌ Limited ✅ Native Kerberos
Offline Authentication ✅ PRT cached (14 days) ⚠️ App-dependent ✅ PRT + cached credentials
Best For Cloud-native, new deployments BYOD, contractors, personal devices Existing on-prem AD environments

Table: Comprehensive comparison of device identity types in device management in Entra ID

4. How Device Registration Works in Entra ID

Understanding the underlying mechanics of device registration is essential for effective device management in Entra ID. When a user (or the system itself) initiates device registration, a series of cryptographic operations and network calls occur that ultimately result in a trusted device object in the Entra ID directory. Let’s walk through this process step by step.

4.1 The Device Registration Flow

  1. Discovery of Tenant Information: The device discovers the Entra ID tenant it should register with. For Windows devices, this happens through the Service Connection Point (SCP) in on-premises AD (for hybrid join) or through the user providing the tenant information during the OOBE (for Entra ID join). The device queries https://enterpriseregistration.windows.net and related endpoints.
  2. Device Identity Creation: The device generates an asymmetric key pair (public and private key) using its TPM (Trusted Platform Module) if available. The private key never leaves the TPM; the public key is sent to Entra ID as part of the registration request. This creates a hardware-bound device identity—a cornerstone of secure device management in Entra ID.
  3. Authentication of the User/Device: The user authenticates with their organizational credentials. Entra ID validates the credentials and issues an access token. For Entra ID join, this happens during OOBE. For registration, it typically happens when the user adds their work account to an application.
  4. Device Object Creation: Entra ID creates a device object in the directory with a unique device ID (a GUID). The device object includes metadata like the device name, OS version, join type, and the public key. This device object is what administrators see in the Entra admin center under Devices > All devices.
  5. Certificate Issuance: Entra ID issues a device certificate (valid for 10 years by default) to the device. This certificate is stored in the device’s certificate store and is used for device authentication in certain scenarios, such as Kerberos Cloud Trust and legacy certificate-based authentication.
  6. PRT Issuance (for joined/hybrid devices): For Entra ID joined and hybrid joined devices, Entra ID also issues a Primary Refresh Token. The PRT is stored securely by the Cloud Authentication Provider (CloudAP) and is used for seamless SSO and device-based conditional access. This is a key differentiator in device management in Entra ID between fully managed and merely registered devices.
  7. MDM Enrollment (Optional but Recommended): If auto-enrollment is configured, the device is automatically enrolled in Microsoft Intune (or another MDM). This enables compliance policy evaluation, configuration profile deployment, and full device management in Entra ID capabilities.
🔐 Security Note: The TPM-backed key pair ensures that the device identity cannot be spoofed or exported to another device. This hardware root of trust is what makes device management in Entra ID so robust against impersonation attacks. Even if an attacker steals the device certificate, they cannot use it without access to the TPM-protected private key.

4.2 Endpoints Required for Device Registration

For successful device management in Entra ID, devices must be able to reach specific Microsoft endpoints. Firewall blocks or proxy misconfigurations are among the most common causes of device registration failures. Here are the critical endpoints:

  • https://enterpriseregistration.windows.net — Device registration service
  • https://login.microsoftonline.com — Authentication endpoint
  • https://device.login.microsoftonline.com — Device authentication
  • https://autologon.microsoftazuread-sso.com — Seamless SSO
  • https://*.manage.microsoft.com — Intune MDM enrollment
  • https://*.dm.microsoft.com — Device management services

For comprehensive network planning, ensure these URLs are allowed through your proxy and firewall. TCP port 443 (HTTPS) must be open. Some features also require port 80 (HTTP) for CRL checks and certificate revocation list downloads. The full scope of device management in Entra ID depends on uninterrupted connectivity to these endpoints.

5. The Primary Refresh Token (PRT) in Device Management in Entra ID

The Primary Refresh Token (PRT) is arguably the most important artifact in device management in Entra ID. It is a special type of refresh token that is issued only to Entra ID joined and hybrid Entra ID joined Windows 10/11 devices. The PRT enables single sign-on across applications, satisfies device-based conditional access policies, and supports Windows Hello for Business authentication. Without a valid PRT, a device cannot prove its identity to Entra ID in a way that satisfies the strictest device-based access controls.

5.1 How the PRT Works

When a user signs in to a Windows 10/11 device that is Entra ID joined or hybrid joined, the Cloud Authentication Provider (CloudAP) plug-in orchestrates the authentication flow. After the user successfully authenticates, CloudAP requests a PRT from Entra ID. The PRT is a JSON Web Token (JWT) that contains claims about the user and the device, including:

  • User claims: UPN, object ID, tenant ID, group memberships.
  • Device claims: Device ID, device join type, whether the device is compliant, the device’s trust type.
  • Session claims: Authentication method used, MFA status, session expiration.

The PRT is signed by Entra ID and encrypted with a session key that is protected by the device’s TPM. It is cached locally by CloudAP and is valid for 14 days. As long as the user actively uses the device, the PRT is automatically renewed. If the device is offline for more than 14 days, the PRT expires, and the user must re-authenticate. This mechanism is central to robust device management in Entra ID because it ensures that device trust is continuously validated.

5.2 PRT vs. Regular Refresh Tokens

Characteristic Primary Refresh Token (PRT) Regular Refresh Token (RT)
Issued To Entra ID joined & hybrid joined Windows devices Any authenticated application or browser session
Contains Device Claims ✅ Yes — Device ID, join type, compliance ❌ No — User claims only
Enables Device-Based CA ✅ Yes ❌ No
Validity Period 14 days (renewable) 90 days (configurable)
Storage Location CloudAP (TPM-protected) Token cache (in memory or disk)
Used for SSO ✅ Seamless across all apps ⚠️ Per-application scope

Table: PRT vs. Regular Refresh Token — a key concept in device management in Entra ID

✅ Best Practice: Regularly validate the PRT status on your managed devices using dsregcmd /status. Look for the “AzureAdPrt” field—it should show “YES” for healthy joined devices. If it shows “NO,” the device may not be able to satisfy device-based conditional access policies, undermining your device management in Entra ID security posture.

6. Device Settings and Policies Configuration

Centralized configuration is what makes device management in Entra ID powerful and scalable. From the Entra admin center, administrators can control device registration permissions, set device limits, configure local administrator roles, and define automatic MDM enrollment policies. Let’s explore each of these settings in detail.

6.1 Global Device Settings in Entra Admin Center

Navigate to Entra admin center > Devices > Device settings to access the following critical configurations for device management in Entra ID:

  • Users may join devices to Entra ID: Toggle this to “All,” “Selected,” or “None.” When set to “Selected,” you specify which users or groups can perform Entra ID joins. This is a vital control in device management in Entra ID because it prevents unauthorized device registrations.
  • Additional local administrators on Entra ID joined devices: By default, the user who joins the device is added to the local Administrators group. You can designate additional users or groups (like the IT support team) who should have local admin rights on all joined devices.
  • Users may register their devices with Entra ID: Controls whether users can register personal devices (BYOD). Typically set to “All” in most organizations, but can be restricted.
  • Maximum number of devices per user: Default is 50. You can set this lower (e.g., 10 or 20) to prevent device sprawl and encourage proper device management in Entra ID hygiene.
  • Maximum number of days a device can be inactive before it is considered stale: Default is 90 days. After this period, the stale device cleanup task automatically deletes the device object, unless it’s managed by Intune (in which case Intune’s retirement process applies).

6.2 MDM Auto-Enrollment Settings

A critical aspect of device management in Entra ID is ensuring that devices are automatically enrolled in your MDM solution (typically Microsoft Intune) as soon as they are joined or registered. To configure this:

  1. Go to Entra admin center > Devices > Device settings.
  2. Scroll to MDM enrollment and set the MDM user scope to “All” or “Selected” (if using group-based targeting).
  3. Set the MDM terms of use URL and discovery URL if required (Intune pre-fills these automatically).
  4. Repeat for MAM enrollment if you want to manage personal devices with app protection policies.
  5. Click Save.

Once configured, any device that undergoes device management in Entra ID registration or join will automatically trigger Intune enrollment. The user sees a notification to complete enrollment, and once enrolled, the device appears in both the Entra admin center and the Intune admin center. This integration is seamless and forms the backbone of modern endpoint management.

For organizations exploring identity automation beyond Microsoft’s native tools, our guide on Okta workflows and automations shows how similar device lifecycle processes can be automated across multi-IDP environments.

7. Conditional Access and Device Compliance in Device Management in Entra ID

Conditional Access is the enforcement engine of device management in Entra ID. While device registration and compliance provide the signals, Conditional Access policies act on those signals to grant or block access. A well-designed Conditional Access framework ensures that only healthy, trusted, and compliant devices can access your organization’s sensitive resources.

7.1 Device-Based Conditional Access Grant Controls

Within a Conditional Access policy, the following device-related grant controls are available:

  • Require device to be marked as compliant: The device must have a valid compliance status from Intune (or a third-party MDM). This is the strongest device-based control in device management in Entra ID.
  • Require hybrid Entra ID joined device: The device must be hybrid joined, proving it is both domain-joined on-premises and registered in Entra ID.
  • Require approved client app: The access must come from an approved application (like Outlook, Teams, Edge). This is relevant for Entra ID registered devices where full device compliance isn’t enforced.
  • Require app protection policy: The app must have an Intune app protection policy applied. Ideal for BYOD scenarios within your device management in Entra ID strategy.

7.2 Creating a Device Compliance Policy in Intune

For device management in Entra ID to be truly effective, you need compliance policies that define what “healthy” means for your organization. Here’s how to create one:

  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Devices > Compliance policies > Create policy.
  3. Select the platform (Windows 10/11, iOS, Android, macOS).
  4. Configure the compliance settings:
    • Device Health: Require BitLocker, Secure Boot, code integrity.
    • Device Properties: Set minimum/maximum OS versions.
    • System Security: Require password, set minimum password length, require firewall, antivirus, anti-spyware.
    • Actions for non-compliance: Define grace periods and actions like sending email notifications or remotely locking the device.
  5. Assign the policy to user or device groups.
  6. Click Create.

Once the compliance policy is assigned, devices are evaluated periodically (typically every 8 hours, or on check-in). Compliant devices can satisfy the “Require compliant device” Conditional Access grant. Non-compliant devices are blocked or given a grace period to remediate. This cycle is at the heart of automated device management in Entra ID.

⚠️ Watch Out: Compliance policy evaluation depends on the Intune management extension and the device check-in schedule. A device that was compliant yesterday may fall out of compliance today if, for example, BitLocker is suspended or the antivirus is disabled. Continuous access evaluation (CAE) helps by revoking access tokens in near real-time when compliance status changes, but not all applications support CAE yet. Always test your device management in Entra ID Conditional Access policies in report-only mode before enforcement.

For deeper insights into how authentication protocols carry device compliance claims, refer to our OAuth 2.0 and OpenID Connect guide, which explains the token structures that convey device state during authorization flows.

8. Troubleshooting Device Issues in Entra ID

Even the most carefully planned device management in Entra ID implementation will encounter issues. Devices fail to join, PRTs go missing, compliance status flips unexpectedly, and users get blocked by Conditional Access policies. This section provides a systematic approach to diagnosing and resolving the most common device-related problems. For visual learners, we have a dedicated step-by-step video guide that demonstrates these troubleshooting techniques in action.

8.1 The dsregcmd Command — Your Primary Diagnostic Tool

The dsregcmd command is the Swiss Army knife for troubleshooting device management in Entra ID on Windows devices. Run it from an elevated Command Prompt or PowerShell window to get a wealth of diagnostic information. Here are the most useful subcommands:

# Display comprehensive device registration status
        dsregcmd /status

        # Display only the device state (joined, registered, etc.)
        dsregcmd /status | findstr "AzureAdJoined"
        dsregcmd /status | findstr "EnterpriseJoined"
        dsregcmd /status | findstr "DomainJoined"

        # Check PRT status
        dsregcmd /status | findstr "AzureAdPrt"

        # Check if the device has a valid device certificate
        dsregcmd /status | findstr "DeviceCertificate"

        # Display the tenant information the device is registered with
        dsregcmd /status | findstr "TenantId"
        dsregcmd /status | findstr "TenantName"

        # Leave the current Entra ID tenant (useful for re-registration)
        dsregcmd /leave

        # Force a device registration sync
        dsregcmd /refreshprt

        # Debug device registration
        dsregcmd /debug

8.2 Common Issues and Resolutions

Issue Symptoms Resolution
Device Join Failure Error during OOBE: “Something went wrong” or error code 801c03ed Check network connectivity to enterpriseregistration.windows.net; verify user has join permissions; ensure device doesn’t exceed per-user limit; check if the device was previously registered and needs cleanup.
PRT Missing (AzureAdPrt: NO) Users prompted for credentials repeatedly; Conditional Access policies fail Run dsregcmd /refreshprt; check TPM status (tpm.msc); verify the CloudAP plug-in is enabled; check for proxy blocks to login.microsoftonline.com; consider leaving and re-registering the device.
Device Not Compliant Compliance status shows “Not compliant” or “In grace period” Check Intune compliance policy settings; verify device meets all requirements (BitLocker, AV, firewall, OS version); force a sync from the Company Portal app or Intune admin console; check for conflicting compliance policies.
Hybrid Join Not Working Device shows as “Pending” or “Registered” instead of “Hybrid joined” Verify Entra Connect sync is working; check the SCP configuration in AD; ensure the device object is in the correct OU being synced; validate that the user has logged in with their domain account; run dsregcmd /status and check “DomainJoined” and “AzureAdJoined” fields.
Stale Device Accumulation Hundreds or thousands of old devices in Entra admin center Configure automatic stale device cleanup in Device Settings; use PowerShell scripts with Get-MgDevice to bulk-remove old devices; implement a device lifecycle process as part of your device management in Entra ID strategy.
Conditional Access Blocking Users see “You cannot access this right now” error Check the Entra ID sign-in logs for the exact policy that blocked access; verify device compliance status; ensure the device is properly joined/registered; check if the user is using a supported browser (Edge with Entra ID extension, Chrome with Windows accounts extension).

8.3 Using SAML Tracer for Advanced Troubleshooting

When device-based Conditional Access policies involve federated applications using SAML, troubleshooting becomes more complex. The SAML assertion exchanged between Entra ID and the service provider may contain device claims that need to be validated. Our comprehensive SAML tracer deep dive article explains exactly how to capture, decode, and analyze these SAML assertions to pinpoint where device claims are being dropped or misinterpreted. For an extended tutorial on the same topic, visit our SAML tracer deep dive on Blogspot and the detailed Medium tutorial by our team. These resources are invaluable for any administrator serious about mastering device management in Entra ID troubleshooting.

🔍 Pro Troubleshooting Tip: Enable the Device Registration Service (DRS) debug logging by setting the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceRegistration\DebugLog to 1 (DWORD). This generates detailed logs in %windir%\debug\DRS.log that can reveal exactly where the registration process is failing. Remember to disable debug logging after troubleshooting to avoid performance impact. This is an advanced device management in Entra ID diagnostic technique that senior administrators swear by.

9. Device Cleanup and Lifecycle Management

An often-overlooked aspect of device management in Entra ID is the proper cleanup and retirement of devices. Over time, device objects accumulate—employees leave, hardware is decommissioned, test devices are abandoned. A cluttered device inventory not only makes management difficult but can also pose security risks if stale devices are still considered “trusted” by Conditional Access policies.

9.1 Automated Stale Device Cleanup

The most efficient way to handle device cleanup in device management in Entra ID is through the built-in stale device cleanup feature. Configure it as follows:

  1. Go to Entra admin center > Devices > Device settings.
  2. Locate “Maximum number of days a device can be inactive before it is considered stale and should be removed”.
  3. Set the value (e.g., 90 days) based on your organization’s policy.
  4. Click Save.

Once configured, Entra ID runs an automated job that identifies devices that haven’t connected to the tenant within the specified timeframe. These devices are flagged as stale and are automatically deleted. Note that this cleanup does not apply to devices managed by Intune—those must be retired through Intune’s device retirement workflow first. This distinction is important for comprehensive device management in Entra ID.

9.2 PowerShell for Bulk Device Cleanup

For more granular control, you can use Microsoft Graph PowerShell to query and remove devices programmatically:

# Connect to Microsoft Graph with required scopes
        Connect-MgGraph -Scopes "Device.ReadWrite.All", "Directory.AccessAsUser.All"

        # Get all devices that haven't been active in the last 90 days
        $cutoffDate = (Get-Date).AddDays(-90)
        $staleDevices = Get-MgDevice -All | Where-Object {
            $_.ApproximateLastSignInDateTime -lt $cutoffDate -and
            $_.TrustType -eq "Workplace" # Targets only registered devices
        }

        # Review before deleting
        $staleDevices | Select-Object DisplayName, DeviceId, ApproximateLastSignInDateTime | Format-Table

        # Remove stale devices (uncomment to execute)
        # foreach ($device in $staleDevices) {
        #     Remove-MgDevice -DeviceId $device.Id
        #     Write-Host "Removed device: $($device.DisplayName)" -ForegroundColor Green
        # }

This script is a powerful tool for maintaining hygiene in your device management in Entra ID environment. Schedule it as an Azure Automation runbook to run monthly, keeping your device inventory clean and manageable. For those interested in cross-platform identity automation, our Okta workflows and automations guide demonstrates similar lifecycle automation patterns for Okta-managed device environments.

9.3 Device Retirement Process

A formal device retirement process is essential for mature device management in Entra ID:

  • Step 1: Identify the device to be retired (employee offboarding, hardware refresh, etc.).
  • Step 2: If managed by Intune, issue a Retire or Wipe command from the Intune admin center. Retire removes corporate data; Wipe factory-resets the device.
  • Step 3: Once Intune retirement completes, delete the device object from Entra ID (or let the stale cleanup handle it naturally).
  • Step 4: If hybrid joined, also remove the device from on-premises AD.
  • Step 5: Document the retirement for audit purposes.

10. Frequently Asked Questions (FAQs) About Device Management in Entra ID

Below are the 10 most commonly asked questions about device management in Entra ID, answered in detail by our team of identity experts. These FAQs cover everything from basic concepts to advanced troubleshooting scenarios. For even more in-depth coverage of identity and authentication topics, explore our authentication policies guide on Medium which follows a similar FAQ format for Okta environments.

What is the difference between Entra ID joined and Entra ID registered devices?

An Entra ID joined device is owned by the organization and provides seamless SSO access to both on-premises and cloud resources using an organizational account. It receives a full Primary Refresh Token (PRT), supports Windows Hello for Business, and can satisfy the strictest Conditional Access device controls. An Entra ID registered device is typically a BYOD or personal device where users sign in with a local account or a personal Microsoft account alongside their work account, offering a lighter level of device identity. Registered devices are ideal for scenarios where full device management isn’t desired, but organizational data still needs protection through app-level policies. Effective device management in Entra ID leverages both types appropriately based on the device ownership and use case.

How does the Primary Refresh Token (PRT) work in device management in Entra ID?

The Primary Refresh Token (PRT) is a key artifact issued to Entra ID joined and hybrid joined devices during authentication. It is obtained when a user signs in with their organizational credentials on a Windows 10/11 device that is joined to Entra ID. The PRT enables seamless SSO, satisfies device-based conditional access policies, and supports Windows Hello for Business. It is stored securely in the cloud authentication provider (CloudAP) plug-in and is protected by the device’s TPM. The PRT is valid for 14 days and is automatically renewed as long as the user actively uses the device. Understanding PRT behavior is crucial for effective device management in Entra ID because a missing or expired PRT is the root cause of many access issues.

Can I have both Entra ID joined and Entra ID registered devices in the same tenant?

Yes, absolutely. Microsoft Entra ID supports a mixed environment where you can have Entra ID joined devices, Entra ID registered devices, and hybrid Entra ID joined devices all coexisting within the same tenant. This flexibility is one of the greatest strengths of device management in Entra ID. It allows organizations to support diverse scenarios including corporate-owned fully managed devices (joined), BYOD scenarios (registered), and on-premises domain-joined devices synced to Entra ID (hybrid joined). Administrators can apply different Conditional Access policies to each device type, ensuring appropriate security controls for each scenario.

How do I troubleshoot device registration failures in Entra ID?

To troubleshoot device registration failures: (1) Run dsregcmd /status on Windows devices and examine the output for error codes and join status. (2) Check the Entra ID sign-in logs in the Entra admin center for device registration events and failure reasons. (3) Verify the device is not exceeding the per-user device quota (default 50 devices). (4) Ensure the endpoint URLs (enterpriseregistration.windows.net, login.microsoftonline.com) are accessible and not blocked by proxy or firewall. (5) Review the Event Viewer under Applications and Services Logs > Microsoft > Windows > User Device Registration for detailed error messages. (6) Check TPM functionality via tpm.msc. For SAML-related device issues, our SAML tracer deep dive provides additional diagnostic techniques. These steps form the core troubleshooting methodology for device management in Entra ID.

What is the device limit per user in Entra ID and how can it be managed?

By default, a single user can register or join up to 50 devices in Microsoft Entra ID. This limit is configurable in the Entra admin center under Devices > Device settings. Administrators can increase or decrease this number based on organizational requirements. When the limit is reached, the user cannot register or join any additional devices until existing stale or unused devices are removed. Best practices for device management in Entra ID include implementing a device cleanup policy to automatically remove inactive devices after a specified period and monitoring the device count per user to proactively manage the quota. For users who need more than 50 devices (e.g., developers, testers), consider creating a separate administrative process to approve exceptions.

How does device writeback work in Entra Connect?

Device writeback is a feature in Microsoft Entra Connect that allows devices registered or joined in Entra ID to be written back to on-premises Active Directory. This enables the device object to exist in both directories, facilitating scenarios where on-premises resources like AD FS relying party trusts or Kerberos constrained delegation need awareness of the device identity. Device writeback is configured in the Entra Connect wizard under “Optional features” and requires specific permissions on the AD forest. Once enabled, devices that undergo device management in Entra ID registration or join appear as registered devices in on-premises AD under a specified organizational unit. This bi-directional synchronization is essential for hybrid environments that rely on both cloud and on-premises device awareness.

What is the difference between MDM and MAM in the context of device management in Entra ID?

MDM (Mobile Device Management) provides full control over the device including settings, policies, compliance enforcement, and the ability to wipe the entire device. MAM (Mobile Application Management) focuses on managing applications and data at the app level without controlling the entire device, making it ideal for BYOD scenarios. In device management in Entra ID, MDM is typically used for corporate-owned Entra ID joined devices, while MAM can be applied to Entra ID registered devices to protect organizational data within managed apps without intruding on personal data. Microsoft Intune serves as both the MDM and MAM solution integrated with Entra ID. This dual capability is what makes device management in Entra ID suitable for a wide range of enterprise mobility scenarios.

How can I clean up stale devices in Microsoft Entra ID?

Stale device cleanup in Entra ID can be automated by configuring the device settings in the Entra admin center. Navigate to Devices > Device settings and set the “Maximum number of days a device can be inactive before it is considered stale and should be removed” to your desired value (e.g., 90 days). You can also use Microsoft Graph PowerShell cmdlets like Get-MgDevice and Remove-MgDevice to programmatically identify and remove stale devices. For advanced automation scenarios within your device management in Entra ID framework, you can integrate with Okta workflows and automations to trigger device cleanup processes across hybrid identity environments. Additionally, setting up an Azure Automation account with a scheduled PowerShell runbook can regularly clean up devices that haven’t been active within the specified threshold.

What happens to device access when a device is disabled or deleted in Entra ID?

When a device is disabled in Entra ID, it can no longer authenticate or satisfy device-based conditional access policies. The Primary Refresh Token (PRT) becomes invalid, and any access tokens obtained using the device identity are revoked within minutes due to continuous access evaluation (CAE). When a device is deleted, all device identity information is permanently removed, and the device must be re-registered or re-joined to regain access to Entra ID-secured resources. For hybrid joined devices, deleting the device in Entra ID does not automatically delete it from on-premises AD unless device writeback synchronization is configured bidirectionally. This is a critical consideration in device management in Entra ID—always coordinate device deletion between cloud and on-premises directories to avoid orphaned device objects.

How do I configure device-based conditional access policies in Entra ID?

To configure device-based conditional access policies: (1) Navigate to Entra admin center > Protection > Conditional Access > Policies > New policy. (2) Under Assignments, select users and groups. (3) Under Cloud apps, choose the applications to protect (e.g., all cloud apps, Office 365, specific SaaS apps). (4) Under Conditions > Device platforms, select the target platforms (Windows, iOS, Android, macOS). (5) Under Grant, choose “Require device to be marked as compliant” and/or “Require hybrid Entra ID joined device” depending on your scenario. (6) Optionally combine with “Require all the selected controls” for stricter enforcement. (7) Set the policy to Report-only mode initially and monitor the impact using the Conditional Access insights and reporting workbook. (8) After validation, enable the policy. For understanding the authentication protocols that carry device claims, refer to our OAuth 2.0 and OpenID Connect deep dive. Properly configured device-based Conditional Access is the ultimate expression of effective device management in Entra ID.

11. Best Practices for Device Management in Entra ID

To wrap up this comprehensive guide, here are the top best practices distilled from years of real-world experience with device management in Entra ID across organizations of all sizes. Implementing these recommendations will help you build a resilient, secure, and scalable device identity foundation.

  1. Adopt a Cloud-Native Strategy Where Possible: For new device deployments, prioritize Entra ID join over hybrid join. Cloud-native device management in Entra ID is simpler, more secure, and aligns with Microsoft’s long-term roadmap. Hybrid join should be reserved for scenarios where on-premises dependencies (like legacy LOB apps or network access control) are unavoidable.
  2. Enable Automatic MDM Enrollment: Ensure every Entra ID joined or registered device is automatically enrolled in Microsoft Intune. Without MDM enrollment, you lose compliance enforcement, configuration management, and the ability to remotely wipe lost devices. This is non-negotiable for serious device management in Entra ID.
  3. Implement Tiered Conditional Access Policies: Create separate Conditional Access policies for different sensitivity levels. For example, require compliant device for access to all Office 365 apps, but require both compliant device AND MFA for access to financial systems or HR platforms.
  4. Regularly Audit Device Inventory: Schedule monthly reviews of the device list in the Entra admin center. Look for anomalies—devices with duplicate names, unexpected join types, or devices registered by departed employees. Clean up promptly to maintain the integrity of your device management in Entra ID.
  5. Configure Stale Device Cleanup: Set the stale device threshold to 90 days (or lower for high-security environments). This prevents device object bloat and reduces the risk of stale devices being exploited.
  6. Use Filter for Devices in Conditional Access: Instead of broad policies, use the “Filter for devices” condition to target specific device attributes (like specific device names, OS versions, or custom extension attributes). This enables granular device management in Entra ID scenarios.
  7. Educate End Users: Provide clear documentation on how to register personal devices, what to expect during the Entra ID join process, and how to check device compliance status. An informed user base reduces helpdesk tickets and improves the overall device management in Entra ID experience.
  8. Monitor Sign-In Logs Proactively: Set up Azure Monitor alerts for device-related sign-in failures. Specifically, alert on Conditional Access blocks related to device compliance or join status. Early detection of issues is key to proactive device management in Entra ID.
  9. Leverage Windows Hello for Business: For Entra ID joined and hybrid joined devices, enable Windows Hello for Business. It replaces passwords with strong, TPM-backed biometric or PIN authentication, dramatically reducing the risk of credential theft. This is a powerful complement to your device management in Entra ID security posture.
  10. Stay Current with Microsoft’s Device Management Roadmap: Microsoft continuously enhances device management in Entra ID capabilities. Features like device-bound passkeys (FIDO2), platform SSO for macOS, and expanded Linux support are constantly evolving. Follow the Cloud Knowledge website and our YouTube channel for the latest updates, tutorials, and deep dives on these topics.
🏆 Gold Standard: The most mature device management in Entra ID implementations combine all of the above—cloud-native join, automatic MDM enrollment, tiered Conditional Access, stale device cleanup, proactive monitoring, and Windows Hello for Business—into a cohesive, automated device lifecycle management framework. Aim for this gold standard to achieve the highest levels of both security and user productivity.

12. Conclusion: Mastering Device Management in Entra ID

Device management in Entra ID is no longer an optional add-on—it is a fundamental pillar of enterprise identity security. As the workforce becomes increasingly mobile, distributed, and reliant on diverse endpoints, the ability to establish and enforce device trust at the identity layer is paramount. Throughout this 30,000+ word guide, we have explored every critical aspect of device management in Entra ID, from the foundational device identity types to advanced troubleshooting techniques and best practices.

We’ve learned that Entra ID joined devices represent the cloud-native gold standard, Entra ID registered devices elegantly solve the BYOD challenge through app-level protection, and hybrid Entra ID joined devices provide a bridge for organizations still anchored to on-premises Active Directory. We’ve demystified the Primary Refresh Token (PRT), walked through the device registration flow step by step, and armed you with the dsregcmd commands and diagnostic techniques needed to troubleshoot even the most stubborn device issues.

The 10 FAQs we’ve answered address the most pressing questions that IT administrators face daily in their device management in Entra ID journeys. Whether you’re dealing with device registration failures, configuring Conditional Access, cleaning up stale devices, or understanding the nuances of MDM versus MAM, you now have a comprehensive reference to turn to. For further reading, don’t miss our related deep dives on Okta SSO with Salesforce, SAML tracer techniques, identity automation with Okta workflows, and the OAuth 2.0 / OIDC protocol guide—all of which complement your understanding of modern identity and device management.

Remember that device management in Entra ID is not a set-it-and-forget-it endeavor. It requires ongoing attention—regular audits, policy refinements, monitoring, and adaptation as Microsoft releases new features and as your organization’s needs evolve. The investment you make today in building a robust device identity foundation will pay dividends in security, compliance, and user experience for years to come.

Thank you for investing your time in this comprehensive guide. We at Cloud Knowledge are committed to providing the most detailed, accurate, and practical identity and access management content available. Connect with us across our platforms to stay updated:

Also check out our popular Okta SSO Setup with Salesforce on Tumblr and the Okta Authentication Policies Complete Guide on Medium for complementary identity management insights.

Cloud Knowledge Author
Cloud Knowledge

Your trusted source for in-depth identity and access management tutorials, cloud security guides, and enterprise IT best practices. Specializing in Microsoft Entra ID, Okta, SAML, OAuth, and device management. Follow us for the latest insights across all major platforms.

🏷️ Tags:

device management in Entra ID, Entra ID joined device, Entra ID registered device, hybrid Entra ID join, Microsoft Entra device management, Azure AD device identity, Primary Refresh Token, PRT troubleshooting, device compliance policy, conditional access device filter, Intune MDM enrollment, MAM vs MDM, device writeback Entra Connect, stale device cleanup, dsregcmd status, device registration service, CloudAP authentication, Windows Hello for Business, TPM device identity, BYOD management, corporate device management, endpoint security, device-based conditional access, device lifecycle management, Entra admin center devices, Microsoft Graph device cmdlets, device certificate Entra ID, Kerberos cloud trust, device authentication troubleshooting, modern device management