How to manage device identities with Azure AD

When a device is registered with Azure AD, it gets a unique identifier known as a Device Identity. Administrators use this identity to gain insights into the device’s configuration, capabilities, and security posture, enabling access to necessary resources, applications, and data. Azure AD provides a centralized hub for identity control, allowing organizations to customize security measures based on a device’s identification, location, and risk level. Integration with Microsoft Endpoint Manager enables administrators to manage devices, deploy applications, and enforce compliance policies from a central location.

Types of device identities in Azure AD

	Azure AD registered	Azure AD joined	Hybrid Azure AD joined
Definition	Registered to Azure AD without requiring an organizational account to sign in to the device	Joined only to Azure AD requiring an organizational account to sign in to the device	Joined to on-premises AD and Azure AD, requiring an organizational account to sign in to the device
Primary audience	Bring your own device (BYOD) mobile devices	Suitable for both cloud-only and hybrid organizations	Suitable for hybrid organizations with existing on-premises AD infrastructure
Device Ownership	User or Organization	Organization	Organization
Key capabilities	Single-sign-on (SSO) to cloud resources Conditional Access when enrolled in Intune Conditional Access via App protection policy Enables Phone Sign in with Microsoft Authentication	SSO to both cloud and on-premises resources Conditional Access through Mobile device management  (MDM) enrolment and MDM compliance evaluation Self-service Password Reset and Windows Hello PIN reset on lock screen Enterprise state roaming	SSO to both cloud and on-premises resources Conditional Access through Mobile device management  (MDM) enrolment and MDM compliance evaluation Self-service Password Reset and Windows Hello PIN reset on lock screen Enterprise state roaming
When are these devices used?	To access corporate resources from personally owned mobile devices or home PCs	Transitioning to a cloud-based infrastructure Provides joining capabilities to workers in remote branch offices with limited on-premises infrastructure Access Microsoft 365 or other SaaS apps integrated with Azure AD	To continue to use Group Policy to manage device configuration To use existing imaging solutions to deploy and configure devices To support down-level Windows 7 and 8.1 devices in addition to Windows 10

How to manage device identities with Azure AD:

Pre-requisites:

You must be the device’s owner or have one of the following roles: cloud device administrator, global administrator, helpdesk administrator, Intune service administrator, security administrator, or security reader. 

1. To disable a device:

A user gets their access removed and will not be able to utilize any resources mandated by Azure AD device management. It revokes the Primary Refresh Token and any other refresh token present on the device.

1.  Login to the Azure Ad portal with global administrator permissions.

2. Identity → Devices → Overview → All devices  

1.1 For one or more devices

• Select the device(s) you want to disable by checking the box next to each device.

• On the toolbar, click on Disable. Click yes on the confirmation pop up window.

• You will see ‘No’ in the enabled column for the disabled device.

1.2 For a specific device

• Click on the device → Properties

• The tool bar will appear at the top of the page; click disable and yes on the confirmation pop up window.

2. To enable a device:

Follow the steps 1 and 2 listed above in section 1.

2.1 For one or more devices

• Select the device(s) you want to enable by checking the box next to each device.

• On the toolbar, click on Enable. Click yes on the confirmation pop up window.

• You will see ‘Yes’ in the enabled column for the enabled device.

2.2 For a specific device

• Click on the device → Properties

• The tool bar will appear at the top of the page; click Enable and yes on the confirmation pop up window.

3. To delete a device:

Note: This is not usually recommended as it is irreversible.

Follow the steps 1 and 2 listed above in section 1.

3.1 For one or more devices

• Select the device(s) you want to delete by checking the box next to each device.

• On the toolbar, click Delete. Click yes on the confirmation pop up window.

3.2 For a specific device

1. Click on the device → Properties

2. The tool bar will appear at the top of the page; click Delete and yes on the confirmation pop up window.

4. To obtain or copy a Device ID:

The Device ID acts as a unique identifier for each device. For several administrative operations, including device administration, auditing, and troubleshooting, it is required to view or copy a device ID.

1. All devices → Select Device → Properties

2. You can copy the Device ID and Object ID.

5. Manage BitLocker keys:

Encrypting and decrypting data on a Windows device’s hard drive or other storage media is done with a cryptographic key called a BitLocker key. It safeguards the security and integrity of data on Windows devices, particularly in situations where data confidentiality is critical, such as securing sensitive information on laptops or portable drives.

• All devices → Select Device → BitLocker keys (Preview)

• Select Show Recovery Key to generate an audit log entry.

 6. Download devices:

The download devices option allows global readers, cloud device administrators, Intune administrators, and global administrators to export a CSV file listing devices. Use filters like ‘Enabled state’ or ‘Join type’ to decide which devices to list.

Note: The export task will not run for more than one hour.

The exported list will include device identity attributes like: 

displayName,accountEnabled,operatingSystem,operatingSystemVersion,joinType (trustType),registeredOwners,userNames,mdmDisplayName,
isCompliant,registrationTime,approximateLastSignInDateTime,deviceId,isManaged,objectId,profileType,systemLabels,model

7. Configure device settings:

To manage device identities using Azure AD, the devices need to be registered or joined to Azure AD. You must either be a Global Administrator or a Cloud Device Administrator to control the process of registering or joining devices through the device settings:

• Users may register their devices with Azure AD: This is required for registering Windows 10 or newer, iOS, Android, and macOS devices with Azure AD. “None” restricts device registration, while “All” allows registration required for Microsoft Intune or MDM enrolment.

• Require multifactor authentication to register or join devices with Azure AD: Use “Register or join devices” in Conditional Access to enforce multifactor authentication with the “No” toggle selected. This ensures multifactor authentication during device registration or joining for all users. Note that this setting may not be compatible with third-party identity providers.

• Maximum number of devices: You can set a limit on how many devices a user can join or register using this parameter. Users will not be able to add additional devices after the limit is reached unless they first remove their current ones. 50 is the default, but you can set it to a maximum of 100, or you may choose ‘Unlimited’ to impose no device limit.

• Additional local administrators on Azure AD joined devices: This configuration allows you to choose which users have local admin privileges on a device. By default, device owners and global admins in Azure AD ID have local admin rights. This feature is available in premium editions such as Enterprise Mobility + Security and Azure AD ID P1 or P2.

• Enable Azure AD Local Administrator Password Solution (LAPS) (preview): LAPS is a password management system for local accounts on Windows devices. It allows for safe management and retrieval of built-in local admin passwords. LAPS can also be used to store and rotate local administrator passwords for Azure AD ID and Azure AD hybrid join devices via the cloud.

• Restrict non-admin users from recovering the BitLocker key(s) for their owned devices: Admins can prevent owners from accessing self-service BitLocker keys. Default users need the BitLocker read permission to access or copy their keys.

• Enterprise State Roaming: speeds up the process of configuring a new device and gives users a consistent experience across all of their Windows devices.

 8. Audit logs:

Audit logs provide insight into device activity, aiding monitoring, auditing, and troubleshooting.The default list view shows date, time, targets, initiator, and activity.

• Devices → Activity → Audit logs

All these features make Azure AD a reliable solution for organizations aiming to streamline security and manage device identities efficiently.