MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

Domain 1: Prepare Infrastructure for Devices Free ⏱ ~12 min read

Device Identity: Join, Register & Hybrid

Every device needs an identity in your cloud directory before you can manage it. Learn the three ways devices connect to Microsoft Entra ID - and when to use each one.

How do devices get an identity?

☕ Simple explanation

Think of Microsoft Entra ID as the building’s reception desk.

Before anyone can use the lifts, meeting rooms, or printers, they need a badge. Devices work the same way - they need an “identity badge” in your cloud directory before Intune can manage them.

There are three ways to get that badge:

  • Entra Joined - the device lives in the cloud full-time (like a permanent employee badge)
  • Entra Registered - the device just checks in occasionally (like a visitor pass for personal devices)
  • Hybrid Joined - the device has badges for both on-prem Active Directory AND the cloud (like an employee who works in two offices)

Microsoft Entra ID is the cloud-based identity and access management service that underpins Microsoft 365 and Intune. Before a device can receive policies, apps, or compliance checks from Intune, it must have a device object in Entra ID.

Three join types create this device object:

  • Microsoft Entra Joined - cloud-native devices with no on-premises AD dependency. Users sign in with Entra credentials. Full device management via Intune.
  • Microsoft Entra Registered - personal (BYOD) devices where the user adds a work account. The device isn’t “owned” by the organisation. Lighter management via app protection policies.
  • Microsoft Entra Hybrid Joined - devices joined to both on-premises AD and Entra ID. Common during cloud migration when on-prem AD is still needed for legacy apps and GPOs.

The three join types

Sam Chen at Tui Solutions is migrating 500 devices from on-prem Active Directory to cloud-native management. His fleet includes corporate Windows laptops, shared tablets in the warehouse, and employees who occasionally use personal phones. Each device type needs a different approach.

| Feature | Entra Joined | Entra Registered | Hybrid Joined |
|---|---|---|---|
| Device ownership | Corporate-owned | Personal (BYOD) | Corporate-owned |
| Signed in with | Entra ID account | Personal account + work account added | On-prem AD account synced to Entra |
| On-prem AD required? | No | No | Yes |
| Supported OS | Windows 10/11, Windows Server 2019+ | Windows, iOS, Android, macOS | Windows 10/11, Windows Server |
| Full device management | Yes (Intune) | No (app-level only) | Yes (Intune + GPO) |
| Conditional Access support | Full | Limited | Full |
| SSO to cloud resources | Yes | Yes (for added account) | Yes |
| SSO to on-prem resources | Via cloud trust or Kerberos | No | Yes (native AD) |
| Best for | New cloud-first deployments | BYOD / personal devices | Migration from on-prem AD |

When to use which join type

Here’s Sam’s decision process for Tui Solutions:

New corporate laptops (ordered fresh, no existing AD relationship) → Entra Joined - these go straight to the cloud. No reason to touch on-prem AD.

Existing corporate laptops (currently domain-joined to on-prem AD) → Hybrid Joined - Sam can’t rip out on-prem AD overnight. Legacy apps still need Kerberos authentication. Hybrid join lets devices talk to both directories during migration.

Personal phones and tablets (employees checking email on their own devices) → Entra Registered - Sam doesn’t own these devices. Registration lets users access work apps while app protection policies keep corporate data safe.

💡 Exam tip: the migration path

The exam loves to test when hybrid join makes sense vs pure Entra join. The key deciding factor is: does the organisation still rely on on-premises Active Directory for authentication or Group Policy?

  • If yes → Hybrid Join (transitional)
  • If no (or starting fresh) → Entra Joined (target state)
  • Personal devices → always Entra Registered

Microsoft’s recommended end state is Entra Joined (cloud-native). Hybrid join is the bridge, not the destination.

How to join a device to Entra ID

Entra Join (corporate devices)

There are several ways to Entra-join a device:

  1. Windows OOBE (Out-of-Box Experience) - during first setup, user selects “Set up for an organisation” and signs in with Entra credentials
  2. Windows Settings - Settings → Accounts → Access work or school → Connect → Join this device to Microsoft Entra ID
  3. Windows Autopilot - fully automated join during device provisioning (covered in Module 8)
  4. Bulk enrollment - using a provisioning package for kiosk/shared devices

Entra Registration (personal devices)

  1. Windows Settings - Settings → Accounts → Access work or school → Connect (without selecting “Join”)
  2. Company Portal app - on iOS/Android, install Company Portal and sign in
  3. Microsoft Authenticator - on mobile devices, add a work account

Hybrid Join

  1. Entra Connect Sync - configure device writeback in Entra Connect
  2. Devices join on-prem AD normally → Entra Connect syncs the device object to Entra ID
  3. Requires Entra Connect (or Cloud Sync) with device sync enabled

ℹ️ Deep dive: Entra Connect vs Cloud Sync for hybrid join

For hybrid join, devices must be synced from on-prem AD to Entra ID:

  • Entra Connect Sync - the original sync tool. Supports device writeback and hybrid join configuration. Requires an on-prem server.
  • Entra Cloud Sync - lighter weight, agent-based. Supports hybrid join as of recent updates. Easier to set up for multi-forest environments.

Both achieve the same result: creating a device object in Entra ID that mirrors the on-prem AD computer object. The exam may ask about prerequisites - both require the device to have line-of-sight to a domain controller and internet access to reach Entra endpoints.
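
To confirm which of the three join types a Windows device actually ended up with, you can read the join flags printed by the built-in dsregcmd /status command. The PowerShell below is an added example, not part of the original guide; the function name Get-EntraJoinType is hypothetical and the sample output is constructed for illustration.

```powershell
# Added example: classify a Windows device's join type from `dsregcmd /status` text.
function Get-EntraJoinType {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$StatusText   # lines of dsregcmd /status output
    )

    # dsregcmd prints "Name : Value" pairs; keep only the three join flags.
    $state = @{ AzureAdJoined = 'NO'; DomainJoined = 'NO'; WorkplaceJoined = 'NO' }
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = $Matches[2].ToUpper()
        }
    }

    $aad = $state.AzureAdJoined   -eq 'YES'   # device object joined in Entra ID
    $ad  = $state.DomainJoined    -eq 'YES'   # joined to on-prem Active Directory
    $wpj = $state.WorkplaceJoined -eq 'YES'   # work account added (registration)

    if ($aad -and $ad) { return 'Hybrid Joined' }
    if ($aad)          { return 'Entra Joined' }
    if ($wpj)          { return 'Entra Registered' }
    if ($ad)           { return 'On-prem AD only (no Entra device identity yet)' }
    return 'No Entra identity'
}

# Constructed sample output (trimmed), not captured from a real device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-EntraJoinType -StatusText $sample

# On a live Windows device, pass the real command output instead:
# Get-EntraJoinType -StatusText (dsregcmd /status)
```

A domain-joined device that reports 'On-prem AD only' during a hybrid rollout has not yet been synced and registered, which is the state to look for when hybrid join is not completing.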

Real-world scenario: Sam’s migration plan

Sam’s approach at Tui Solutions (500 devices):

| Phase | Action | Join Type |
|---|---|---|
| Now | New laptops ship as Entra Joined via Autopilot | Entra Joined |
| Now | Existing laptops get Hybrid Joined via Entra Connect | Hybrid Joined |
| Now | Employee personal phones registered via Company Portal | Entra Registered |
| 6 months | Migrate legacy apps off Kerberos → modern auth | - |
| 12 months | Convert hybrid devices to Entra Joined (re-image or reset) | Entra Joined |
| End state | All corporate devices Entra Joined, BYOD registered | Cloud-native |

Key exam concept: Microsoft recommends moving toward cloud-native (Entra Joined) as the target state. Hybrid join is a transitional step for organisations that still depend on on-premises Active Directory.

Flashcards

Question

What are the three ways a device can have an identity in Microsoft Entra ID?

Answer

1. Entra Joined (corporate, cloud-native) 2. Entra Registered (personal/BYOD, lighter management) 3. Hybrid Joined (both on-prem AD and Entra ID, transitional during migration)

Question

When should you use Hybrid Join instead of Entra Join?

Answer

When the organisation still relies on on-premises Active Directory for authentication (Kerberos) or Group Policy. Hybrid join is a transitional state - the target is cloud-native Entra Join.

Question

What tool syncs on-prem AD device objects to Entra ID for hybrid join?

Answer

Microsoft Entra Connect Sync (or Entra Cloud Sync). Both create a mirrored device object in Entra ID from the on-prem AD computer account.

Question

What's the key difference between Entra Joined and Entra Registered?

Answer

Entra Joined = corporate-owned device, full management via Intune, user signs in with Entra account. Entra Registered = personal device, app-level management only, user adds a work account alongside their personal account.

Knowledge Check

Sam is setting up new laptops for Tui Solutions. The company has no on-premises Active Directory - everything is cloud-based. Which device join type should Sam use?

Knowledge Check

An employee at Tui Solutions wants to check work email on their personal iPhone. What's the appropriate Entra ID relationship for this device?

Knowledge Check

Chen Wei at Meridian Bank needs to manage 10,000 Windows devices that are currently joined to on-premises Active Directory. The bank still uses Kerberos authentication for several legacy financial applications. What join type should Chen Wei implement?


Next up: Build the Right Device Groups - organising your devices with dynamic membership, assigned groups, and filters.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.