In this blog I will be discussing the difference between Azure AD Join and Workplace Join (also called Azure AD Registered). Both terms refer to registering a device with Azure, so they are easy to confuse, and you may not know what each joining method lets you achieve differently.
What is Azure AD Join?
With Azure AD join, Windows 10 / Windows Server 2019 devices can be joined to Azure Active Directory. This is a solution for organisations that want to manage their devices through a cloud-based solution.
Azure AD join should not be confused with domain join for on-premises infrastructure. A device joining Azure AD is actually joining the organization's tenant.
Benefits of Azure AD join
Users get seamless single sign-on (SSO) to both on-premises and cloud resources. Of course, for this you need Hybrid Azure AD join enabled, so that domain join provides GPO and Azure AD join provides the cloud-based features.
Azure AD joined devices can be fully managed through an MDM (mobile device management) service such as Intune, or through SCCM co-management. Through MDM you can control the devices: wipe, restart, software policies for application installation, and software updates.
Through Intune you can also control Windows Autopilot deployment for your devices, which helps provision systems with a customized OOBE and define policies for the devices.
What is Workplace Join / Azure AD Registered?
Workplace join, or Azure AD registered, is meant for BYOD (Bring Your Own Device). A typical use case is a contractor with his or her own laptop or mobile phone whom the organization wants to use applications and resources tied to Azure Active Directory, such as Office 365 and Microsoft Teams.
This way a user can configure email on their home PC without Azure AD joining the device. Organizations can still apply Conditional Access policies to these devices.
For mobile devices such as Android, iOS and macOS, Azure AD registered is the only option available.
Difference between Azure AD Registered and Azure AD Joined devices
| Azure AD Registered | Azure AD Joined |
|---|---|
| Personally owned devices | Corporate owned devices |
| Users log in with their own credentials. They can still access company resources because the device is registered to Azure. | Log in with organization account credentials. |
| All editions of Windows 10/11 are supported. | Not supported for Windows Home. |
| Device can be managed via MDM and MAM. Usually, organizations don't use device management for personally owned devices. | Device can be managed via MDM / Configuration Manager / co-management with Intune. |
| Personal data is protected: the organization cannot see your personal files. It can still wipe the work profile. | More control compared to Azure AD registered devices. |
Verify device joining status on Azure Portal
Log in to www.portal.azure.com. Navigate to Azure Active Directory and click Devices. You will see a list of all devices, with their status shown under the Join Type column.
Three different join types can appear here: Azure AD registered, Azure AD joined and Hybrid Azure AD joined.
Log in to the Microsoft Endpoint Manager admin center portal. Navigate to Devices and then click All Devices.
Click on one of the devices. Under Overview, you can see the available actions such as Wipe, Autopilot Reset, Update Windows Defender security intelligence and others.
Similarly, there are other options such as Discovered apps, which lists all applications installed on the device.
You can also check the hardware info, Device Compliance and other settings.
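The same join-type check can be done locally on a Windows device, which is useful when the portal and the endpoint disagree. The following PowerShell is an added example, not code from the original post: it classifies the device from the AzureAdJoined, DomainJoined and WorkplaceJoined fields that `dsregcmd /status` prints, using a constructed sample so it runs offline.

```powershell
# Added example (not from the original post): classify a device's join type
# from the text that `dsregcmd /status` prints. AzureAdJoined, DomainJoined
# and WorkplaceJoined are the real dsregcmd field names; the sample output
# below is constructed for offline testing.

function Get-JoinTypeFromStatus {
    param([string[]]$StatusLines)

    # dsregcmd prints "Name : YES|NO" rows; collect only the ones we need.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)') {
            $fields[$matches[1]] = ($matches[2] -eq 'YES')
        }
    }

    # Order matters: a device can be Azure AD joined and also carry a
    # WorkplaceJoined registration for the signed-in user, so check the
    # device-level states before the user-level one.
    if ($fields['AzureAdJoined'] -and $fields['DomainJoined']) { return 'Hybrid Azure AD joined' }
    if ($fields['AzureAdJoined'])                              { return 'Azure AD joined' }
    if ($fields['WorkplaceJoined'])                            { return 'Azure AD registered' }
    if ($fields['DomainJoined'])                               { return 'On-premises domain joined only' }
    return 'Not joined or registered'
}

# Constructed sample resembling the "Device State" and "User State" sections.
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '+----------------------------------------------------------------------+',
    '| User State                                                           |',
    '+----------------------------------------------------------------------+',
    '           WorkplaceJoined : NO'
)

Get-JoinTypeFromStatus -StatusLines $sample

# On a real machine, feed the live output instead:
# Get-JoinTypeFromStatus -StatusLines (dsregcmd /status)
```

Compare the result with the Join Type column in the portal; a mismatch usually means a stale device object or a device that was re-imaged without removing the old registration.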