How to manage devices in azure ad and intune

The identity-to-control pipeline that actually matters

If you have ever stared at a “compliant” device that still cannot access Microsoft 365, or an “azure ad joined” laptop that refuses to enroll into intune, you have already learned the uncomfortable truth: device management in microsoft entra id (formerly azure ad) and microsoft intune is not a single feature. It is a pipeline.

At a high level, the pipeline is simple:

1. create a device identity in entra id (registered, joined, or hybrid joined)
2. enroll the device into intune (mdm) so you can push policies, apps, and compliance
3. use conditional access to make access decisions based on that identity + compliance state

That is the “google overview” version. It is also incomplete.

The real system is a chain of trust that links hardware, boot integrity, local authority, cloud identity, enrollment tokens, certificates, compliance signals, and access decisions. If any link is weak, you get drift, bypass, or outages—usually all three.

This article is a comparison-style, long-form guide that goes beyond surface tutorials. It will help you reason from first principles, choose the right join/enrollment model, and run your tenant like an engineer instead of a click-ops operator.

External references you will see throughout are primarily microsoft’s own documentation for device identities and enrollment, plus a few practitioner threads where admins discuss what breaks in the real world.

---

the surface view: “entra for identity, intune for management” — and why it’s not enough

The common explanation is correct but shallow:

• entra id is where the device becomes a first-class identity (like a user).
• intune is where the device gets managed (configuration, security, apps).
• conditional access uses both to gate access.

Microsoft’s own device identity docs reflect this framing: you plan device identity types (registered/joined/hybrid), configure join, then manage device objects and their lifecycle.
Intune’s enrollment guidance similarly focuses on picking the enrollment path (automatic enrollment, autopilot, group policy, co-management, byod).

Why this is incomplete: identity and management are coupled, but not identical.

• A device can exist in entra without being enrolled in intune (identity without control).
• A device can be enrolled in intune but mis-scoped in entra conditional access (control without usable access).
• A device can be “managed” but not trustworthy (control without integrity).
• A device can be trustworthy but not “compliant” in the way conditional access expects (integrity without the right signals).

To manage devices well, you must internalize what the system is optimizing for:

the system is trying to ensure that only devices that can prove who they are, and can prove they meet policy, can access resources.

That proof is implemented through join state, tokens, certificates, enrollment authority, and compliance evaluation timing.

---

What device management is

Forget portals for a moment. Managing devices in entra id and intune rests on a few hard truths.

1) a device is a security principal, not a checkbox

When a device is registered or joined, it becomes an object that can be referenced by policy. In entra, that identity is what conditional access can evaluate (device filters, device state, hybrid status, etc.).

If your environment treats device objects as “inventory records,” you will accumulate stale trust. Microsoft explicitly calls out stale devices as an operational and security problem and provides guidance to manage them.

2) enrollment is the control plane

Enrollment is how the device gets:

• an mdm relationship
• management certificates/keys
• a channel for policies, scripts, apps, and remediation
• compliance evaluation

Intune’s enrollment guidance makes this explicit by describing enrollment as the entry point for management and recommending different methods per scenario.

3) compliance is a signal, not a fact

“Compliant” does not mean “secure.” It means “meets the checks you defined, as last evaluated, under the reporting limits of the platform.”

Microsoft’s conditional access + compliance guidance is clear: conditional access can require a device to be marked compliant, but compliance is something intune evaluates and then passes as a signal for access decisions.

This distinction matters when timing is involved (fresh enrollments, autopilot phases, devices that haven’t checked in).

4) conditional access is the enforcement point

Without conditional access, compliance is mostly a dashboard metric.

With it, you get a closed loop:

• identity establishes who the device is
• intune declares whether it meets policy
• conditional access decides whether access is granted

That’s why most “secure-by-default” modern endpoint strategies treat conditional access as the gatekeeper, not a nice-to-have.

---

the join/enrollment models: compare by trust boundary, not by marketing labels

Most teams pick “azure ad joined” because it sounds modern, or “hybrid” because they fear legacy apps. A better way is to compare what each model gives you in terms of trust boundary and operational friction.

microsoft entra registered (common for byod)

What it is: a personal device is “registered” to a user in entra, typically to enable access and basic device signals.

Strengths

• fast user onboarding for byod
• works well with app-level controls (mam) when you do not want full device control

Tradeoffs

• weaker guarantees about device authority (it’s not a full corporate join)
• compliance and deep controls are limited if you are not enrolling into mdm

Practical pattern
Use it when your priority is protecting data inside apps (mam) rather than controlling the entire device. This is where many orgs lean on “app protection policies” and containerization approaches.

microsoft entra joined (modern corporate baseline)

What it is: the device is joined directly to entra, enabling cloud-native sign-in and strong integration with intune.

Strengths

• clean identity chain for cloud services
• ideal for autopilot provisioning and standard intune management
• reduces dependency on on-prem join plumbing

Tradeoffs

• legacy, domain-bound workflows need alternatives (or a redesign)
• some orgs over-rotate into “join” without fixing local admin and privilege design

This is the model most org-owned windows devices should converge to unless you have a strong reason otherwise.

microsoft entra hybrid joined (legacy bridge)

What it is: the device remains joined to on-prem ad but is also registered/joined into entra for cloud identity.

Strengths

• works with classic domain requirements
• can coexist while you migrate identity and management

Tradeoffs

• more moving parts (connect sync, device writeback dependencies, timing)
• more failure modes (especially with provisioning)

Microsoft’s own autopilot guidance now explicitly states that deploying new devices as entra hybrid joined (including via autopilot) is not recommended.
That does not mean “never,” but it means you should treat it as a transitional model, not a target state.

Practitioners echo this: hybrid join often creates provisioning complexity and odd timing issues, especially at scale and with remote-first devices.

---

autopilot is not “enrollment”; it is provisioning orchestration

Windows autopilot is where these worlds collide: identity creation, enrollment, app delivery, and policy enforcement during first boot.

Two important realities, supported by microsoft updates and community discussions:

1. autopilot is evolving quickly (new capabilities appear regularly). Microsoft tracks changes publicly.
2. autopilot “v2” concepts are not just rebranding—device preparation introduces different mechanics and reporting flows than classic autopilot. Microsoft has published deep dives for admins. (TECHCOMMUNITY.MICROSOFT.COM)

In community threads, admins often describe “sticking with classic autopilot until device preparation matures,” which is a rational engineering posture: let new orchestration stabilize before betting your provisioning pipeline on it. (Reddit)

---

End-to-end implementation playbook (with real failure modes)

This section is intentionally technical and operational. It is designed to be the part you bookmark and reuse in runbooks.

a. design your device identity and enrollment policy like an access control system

Goal: every access decision should reduce to: who is the user, what is the device, does it meet policy, is the session risky.

Start with three tenant-level decisions:

1. what join types are allowed and for whom

• Decide where entra joined is mandatory (org-owned endpoints).
• Decide where registered is acceptable (byod/mobile).
• Decide whether hybrid joined is transitional, and set a target sunset date.

Microsoft’s device identity planning content provides the conceptual framework for registered vs joined vs hybrid joined.

2. what enrollment methods you will support
   Intune’s windows enrollment guide lays out the main paths:

• automatic enrollment
• windows autopilot
• byod user enrollment
• group policy enrollment (common in hybrid)
• co-management (configmgr + intune)

Pick as few as possible. Every additional enrollment path is another set of edge cases.

3. what “compliant” will mean
   Define compliance policies as enforcement inputs, not as documentation.
   Then connect them to conditional access so they matter. Microsoft documents this coupling explicitly.

Core principle: compliance without conditional access is advisory; conditional access without good compliance is brittle.

---

b. implement entra join + automatic mdm enrollment (cloud-native corporate baseline)

This is the cleanest baseline for new windows devices.

1) set up automatic mdm enrollment
Configure intune automatic enrollment so that when a device is joined to entra by a scoped user group, it enrolls into mdm.

Use the official enrollment guidance to validate the supported flow and prerequisites for windows.

2) validate on a test device using dsregcmd
On windows, dsregcmd /status is your truth serum.

You are looking for signals like:

• device is joined (entra joined = yes)
• azure ad prt is present
• mdm url is populated
• mdm enrollment state reflects success

If entra join is “yes” but mdm is missing, you likely have one of:

• mdm user scope misconfigured
• licensing/scoping issue
• conditional access blocking enrollment endpoints
• autopilot profile vs enrollment profile mismatch

This is where many deployments fail quietly: the portal shows a device identity, but intune never gets a control channel.

3) enforce baseline security via configuration + endpoint security
Do not start with “100 policies.” Start with controls that change the attack surface meaningfully:

• disk encryption (bitlocker)
• credential hygiene (windows hello for business strategy)
• tamper protection / defender baselines
• local admin control and privileged access workflows

Then build upward.

4) wire compliance into conditional access
Use conditional access to require:

• compliant device (for corporate apps)
• phishing-resistant auth for admins
• user risk or sign-in risk controls where applicable

Microsoft documents the canonical pattern: intune compliance policies feed entra conditional access decisions.

A practical tip from the field: phase it.
Start with report-only mode, exclude break-glass accounts, and roll out by pilot rings. Many admins discuss “mandatory conditional access policies” as a maturity journey, not a one-shot change.

---

c. autopilot implementation that avoids the most common outages

First: choose your autopilot model intentionally.

• If you are provisioning new devices, prefer entra joined autopilot over hybrid.
• Microsoft explicitly discourages using autopilot to deploy new hybrid joined devices as a default approach.

Second: treat the enrollment status page as a dependency graph, not a checklist.

The enrollment status page (esp) is where many orgs accidentally create “provisioning deadlocks” by blocking on heavy apps, flaky installers, or network-dependent agents.

Microsoft’s own framework for selecting required apps is still relevant: only block on apps that are required for security or initial access (vpn, edr, etc.).

A recurring failure mode: autopilot fails “during app installation” even when admins believe they configured no blocking apps—often because assignments, dependencies, or esp settings don’t match what they think they deployed. You can see this exact confusion in autopilot troubleshooting threads.

Third: understand the difference between classic autopilot and device preparation

Microsoft’s “device preparation” content emphasizes different troubleshooting approaches and monitoring, and it explicitly notes behavioral differences (for example, esp applicability differences).

Admins discussing autopilot v2 often land on a conservative posture: test device preparation policies, but keep classic autopilot for production until you are confident.

Fourth: watch what autopilot is changing, because it impacts your “blocking apps” logic
Microsoft’s “what’s new” notes include changes like supporting enterprise app catalog apps as blocking apps during esp in newer intune releases. This can materially change how you design provisioning gates.

---

d. hybrid join and why it breaks at the worst times

If you must run hybrid joined endpoints, treat it like running a distributed system with legacy coupling.

Microsoft’s own docs highlight the requirements and moving parts for hybrid autopilot scenarios, and they again caution against using it as the default for new deployments.

Common operational issues include:

• line-of-sight requirements (intranet + internet timing)
• connector dependencies
• domain join latency affecting mdm enrollment timing

Community analysis explains why hybrid join is often “fine” until you scale remote provisioning or introduce stricter access controls, then the edge cases explode.

If your organization is still heavily domain-bound, a safer transitional posture is often:

• keep existing devices hybrid joined
• provision new devices entra joined
• use co-management where configmgr investments are deep
• modernize app delivery and identity boundaries gradually

This reduces the number of net-new hybrid devices you are creating.

---

e. device lifecycle management: stale devices are stale trust

Large tenants fail in boring ways: cluttered inventory, duplicate devices, zombie trust.

Microsoft provides specific guidance on stale devices and why they are harmful (duplicate records, support confusion, sync overhead, and risk).

1) understand the difference between intune cleanup and entra cleanup

Intune’s device cleanup rules primarily hide inactive devices in intune so reports and views stay sane.
They do not automatically remove the corresponding entra device identity.

This distinction is frequently misunderstood, and newer writeups emphasize it explicitly: cleanup rules are “console hygiene,” not identity governance. (Endpoint Ninja)

2) build an entra lifecycle process (disable → delete) with evidence

A mature approach uses:

• last sign-in / activity properties (for entra objects)
• last check-in (for intune objects)
• ownership signals (autopilot, corporate identifiers)
• exceptions for shared/kiosk devices

Many orgs automate this with graph + powershell, because manual cleanup does not scale. Practitioner guides show this direction (automated stale-device cleanup via graph).

If you want reporting and workflow around stale devices (dashboards, approvals, exports), ManageEngine tools like M365 Manager Plus often publish practical operational guides and can complement native portals—especially for audit-ready reporting and delegated operations. (ManageEngine)
For broader endpoint operations (patching, software inventory, unified endpoint management across heterogeneous fleets), it is also worth reviewing ManageEngine’s endpoint management content and product docs rather than trying to force intune into every last use case.

---

advanced concepts that separate “working” from “resilient”

Most environments can make device management “work.” Fewer make it resilient under change.

1) treat policy as code (even if you stay in the portal)

If your policies exist only as clicks, you cannot diff, review, or roll back reliably.
Even if you do not go fully infra-as-code, you can still adopt the mindset:

• define a baseline
• create rings
• document blast radius
• keep a change log

This alone reduces outages during conditional access hardening.

2) manage local admin like it is a production incident

The biggest practical security gap on windows endpoints remains local privilege.
Your join choice does not fix that.
Build a clear model:

• who can elevate
• how elevation is logged
• how the device proves it is in a trusted state before elevation

3) measure compliance latency, not just compliance

Ask: how quickly does a new device become compliant after enrollment?
Provisioning decisions (esp blocking, app size, update policies) affect that latency.
Conditional access enforcement without understanding latency creates day-one friction.

4) design for break-glass, always

Every tenant needs:

• break-glass accounts excluded from strict ca
• tested recovery procedures
• staged rollout methodology

This is not optional; it is how you avoid self-inflicted lockouts