Device Registration & Licensing
Control which devices join your tenant, understand the three join types, and master licence assignment β including group-based licensing and conflict resolution.
Device identity β why devices need accounts too
Devices are like visitors to your building β you need to register them before they can get in.
There are three levels of registration:
- Registered β like a visitor badge. The device is known but not fully trusted. Think personal phones used for work email.
- Joined β like an employee ID card. The device is fully managed and trusted. Think company-owned laptops.
- Hybrid joined β the device has BOTH an on-prem AD identity AND an Entra ID identity. Think company laptops at organisations still running Active Directory.
The three device join types
| Feature | Entra Registered | Entra Joined | Hybrid Entra Joined |
|---|---|---|---|
| Ownership | Personal (BYOD) | Organisation-owned | Organisation-owned |
| OS support | Windows 10/11, iOS, Android, macOS, Linux | Windows 10/11, macOS 13+, Ubuntu 22.04/24.04, RHEL 8/9 | Windows 10/11 |
| On-prem AD required | |||
| Sign-in method | Local/personal account | Entra ID credentials | Domain credentials + Entra sync |
| Device management | Optional (MAM via Intune) | Full MDM (Intune) | Group Policy + Intune co-management |
| SSO to cloud resources | Yes (after auth) | Yes (primary refresh token) | Yes (primary refresh token) |
| CA support | Limited | Full (compliance, device type) | Full (compliance, device type) |
| Best for | Personal phones and tablets | Cloud-first organisations | Hybrid environments migrating to cloud |
How each join type works
Entra registered (BYOD):
- User goes to Settings β Accounts β Access work or school
- Adds their work account
- Device gets registered in Entra ID β user keeps personal device control
- Organisation can apply app-level policies (MAM) but not full device management
Entra joined (cloud-managed):
- During Windows OOBE (first setup) or Settings β join this device to Entra ID
- User signs in with Entra credentials
- Device is fully managed β organisation controls it via Intune
- User gets SSO to all cloud apps via Primary Refresh Token (PRT)
Hybrid Entra joined:
- Device is joined to on-premises Active Directory (as usual)
- Entra Connect syncs the device object to Entra ID
- Device has both an AD computer account AND an Entra device object
- Enables cloud features (CA, Intune co-management) for legacy domain-joined devices
Scenario: Jake vs Priya β different device strategies
Jake at Coastline Creative (35 people, no on-prem AD): All devices are Entra joined. Laptops are company-owned, fully managed by Intune. Freelancers use personal devices that are Entra registered β they get email access via Outlook mobile with app protection policies.
Priya at Meridian Health (5,000 employees, hybrid AD): Workstations in hospitals are Hybrid Entra joined β theyβre domain-joined for Group Policy but also synced to Entra for Conditional Access. Over time, new devices are being deployed as Entra joined only, skipping the on-prem AD step entirely. This is the cloud migration path.
Exam tip: device join decision logic
The exam often gives a scenario and asks which join type to use. Use this decision logic:
- Personal device (BYOD)? β Entra Registered (always)
- Corporate device, no on-prem AD? β Entra Joined
- Corporate device, existing on-prem AD? β Hybrid Entra Joined (migration) or Entra Joined (greenfield)
- Need full MDM management? β Entra Joined or Hybrid Entra Joined (Registered = MAM only)
- Conditional Access needs compliant device? β Must be Joined or Hybrid Joined (Registered has limited CA support)
- Question mentions βshared deviceβ or βkioskβ? β Entra Joined with shared device mode
Device settings in the Entra admin center
| Setting | What It Controls |
|---|---|
| Users may join devices to Entra ID | All, Selected users/groups, or None |
| Users may register their devices | All, Selected users/groups, or None |
| Maximum number of devices per user | Default: 50 (reduce for tighter control) |
| Require MFA to register or join devices | Additional auth step for device registration |
| Additional local administrators on Entra joined devices | Add specific users/groups as local admins |
Licensing β assign, modify, report
Direct vs group-based licensing
| Method | How It Works | Best For |
|---|---|---|
| Direct assignment | Manually assign licence to individual user | One-off assignments, exceptions |
| Group-based licensing | Assign licence to a group β all members get it automatically | Scalable, automated management |
Group-based licensing is the recommended approach:
- Create a security group (e.g., βM365 E5 Usersβ)
- Assign the M365 E5 licence to the group
- Add users to the group β they automatically receive the licence
- Remove users from the group β licence is automatically reclaimed
Exam tip: licence conflicts and errors
Group-based licensing can hit errors:
- Not enough licences β more group members than available licences. New members enter an error state.
- Conflicting service plans β a user is in two groups that assign licences with overlapping service plans that canβt coexist.
- Missing usage location β users without a usage location canβt receive licences.
- Missing dependencies β some service plans require other plans to be enabled first.
Check for errors: Entra admin center β Licences β select a product β check for users in error state. The exam tests your ability to identify and resolve these conflicts.
Reporting on licences
Where to check licence usage:
- Entra admin center β Licences β All products β see total/assigned/available per SKU
- Microsoft 365 admin center β Billing β Licences β similar view with purchase details
- Microsoft Graph API / PowerShell β programmatic access for reports and automation
# Report on licence assignments using Microsoft Graph PowerShell
Get-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits,
@{Name="Available"; Expression={$_.PrepaidUnits.Enabled - $_.ConsumedUnits}}Scenario: Jake optimises licensing at Coastline Creative
Jake discovers that 5 freelancers who left still have M365 Business Premium licences assigned. At $22/user/month, thatβs $110/month wasted.
He runs a PowerShell script to find users with licences but no sign-in activity in 90 days, removes the licences, and sets up a dynamic group so licences are automatically assigned based on employment status.
Lesson: Regular licence reporting saves money. Group-based licensing with dynamic groups prevents orphaned licences.
π¬ Video walkthrough
π¬ Video coming soon
Device Registration & Licensing β SC-300 Module 4
Device Registration & Licensing β SC-300 Module 4
~10 minFlashcards
Knowledge Check
Coastline Creative is a cloud-only organisation. Jake wants company laptops to be fully managed by Intune with SSO to all cloud apps. Freelancers should use their own devices but with app protection policies on Outlook. Which device strategy is correct?
Priya assigns an M365 E5 licence to a security group. A new nurse is added to the group but doesn't receive the licence. What's the most likely cause?
A Meridian Health hospital workstation is joined to the on-premises Active Directory and also has an identity in Entra ID via Entra Connect. Which device identity model is this?
Next up: External Identities: Guest Access & B2B β invite contractors, partners, and vendors to collaborate securely without creating internal accounts.