What is a device identity?

With the proliferation of devices of all shapes and sizes and the Bring Your Own Device (BYOD) concept, IT professionals are faced with two somewhat opposing goals:

  • Allow end users to be productive wherever and whenever
  • Protect the organization's assets

To protect these assets, IT staff need to first manage the device identities. IT staff can build on the device identity with tools like Microsoft Intune to ensure standards for security and compliance are met. Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and services from anywhere through these devices.

  • Your users get access to your organization's assets they need.
  • Your IT staff get the controls they need to secure your organization.

Device identity management is the foundation for device-based Conditional Access. With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices.

Getting devices in Azure AD

To get a device in Azure AD, you have multiple options:

  • Azure AD registered
    • Devices that are Azure AD registered are typically personally owned or mobile devices, and are signed in with a personal Microsoft account or another local account.
      • Windows 10
      • iOS
      • Android
      • MacOS
  • Azure AD joined
    • Devices that are Azure AD joined are owned by an organization, and are signed in with an Azure AD account belonging to that organization. They exist only in the cloud.
  • Hybrid Azure AD joined
    • Devices that are hybrid Azure AD joined are owned by an organization, and are signed in with an Active Directory Domain Services account belonging to that organization. They exist in the cloud and on-premises.
      • Windows 7, 8.1, or 10
      • Windows Server 2008 or newer

Figure: Devices displayed in the Azure AD Devices blade

A hybrid state refers to more than just the state of a device. For a hybrid state to be valid, a valid Azure AD user is also required.

Device management

Devices in Azure AD can be managed using Mobile Device Management (MDM) tools like Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy (hybrid Azure AD join), Mobile Application Management (MAM) tools, or other third-party tools.

Resource access

Registering and joining devices to Azure AD gives your users single sign-on (SSO) to cloud resources. This process also allows administrators to apply Conditional Access policies to resources based on the device they are accessed from.


Device-based Conditional Access policies require either hybrid Azure AD joined devices or compliant Azure AD joined or Azure AD registered devices.

The primary refresh token (PRT) contains information about the device and is required for SSO. If a device-based Conditional Access policy is set on an application, access is denied when the device has no PRT. Hybrid Conditional Access policies require a hybrid state device and a valid user who is signed in.
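The device states listed above and the PRT requirement are what an administrator checks on a Windows client with `dsregcmd /status`. The following is an added example, not code from the article or from Microsoft, that parses two constructed samples shaped like that output and maps the flags to the article's states; it assumes the field names AzureAdJoined, DomainJoined, WorkplaceJoined and AzureAdPrt and treats a present PRT as the evidence that an Azure AD user is signed in.

```python
import re

# Constructed sample shaped like `dsregcmd /status` output; field names are
# assumed to be the real tool's, the values and box layout are made up.
HYBRID_SAMPLE = """\
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-01-01 00:00:00.000 UTC
"""

# Constructed sample: personally owned, Azure AD registered device, no PRT.
REGISTERED_SAMPLE = """\
             AzureAdJoined : NO
              DomainJoined : NO
           WorkplaceJoined : YES
                AzureAdPrt : NO
"""

FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$", re.MULTILINE)

def parse_status(text: str) -> dict:
    """Collect 'Name : Value' lines; box-drawing and blank lines are skipped."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(text)}

def classify(fields: dict) -> dict:
    """Map the raw flags onto the device identity states the article lists."""
    flag = lambda name: fields.get(name, "NO").upper() == "YES"
    aad_joined, domain_joined = flag("AzureAdJoined"), flag("DomainJoined")
    registered, has_prt = flag("WorkplaceJoined"), flag("AzureAdPrt")
    if aad_joined and domain_joined:
        state = "hybrid Azure AD joined"
    elif aad_joined:
        state = "Azure AD joined"
    elif registered:
        state = "Azure AD registered"
    else:
        state = "not in Azure AD"
    return {
        "state": state,
        "has_prt": has_prt,  # SSO and device-based Conditional Access need it
        # A hybrid state is only valid with a signed-in Azure AD user; the PRT
        # is taken here as the evidence of that sign-in.
        "hybrid_state_valid": state == "hybrid Azure AD joined" and has_prt,
    }

if __name__ == "__main__":
    for label, sample in (("hybrid", HYBRID_SAMPLE), ("registered", REGISTERED_SAMPLE)):
        print(label, classify(parse_status(sample)))
```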

Devices that are Azure AD joined or hybrid Azure AD joined benefit from SSO to your organization's on-premises resources as well as cloud resources. More information can be found in the article, How SSO to on-premises resources works on Azure AD joined devices.

Device security

  • Azure AD registered devices use an account managed by the end user. This account is either a Microsoft account or another locally managed credential, secured with one or more of the following.
    • Password
    • PIN
    • Pattern
    • Windows Hello
  • Azure AD joined or hybrid Azure AD joined devices use an organizational account in Azure AD, secured with one or more of the following.
    • Password
    • Windows Hello for Business


Getting devices into Azure AD can be done in a self-service manner or through a controlled provisioning process run by administrators.


With device identity management in Azure AD, you can:

  • Simplify the process of bringing and managing devices in Azure AD
  • Provide your users with easy access to your organization's cloud-based resources

License requirements

Using this feature requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Next steps