Entra ID device registration enables a variety of Microsoft technologies, but because it often happens silently, most people are unaware of its existence or how it works. Microsoft designed it to be invisible, but a number of things can go wrong, so that approach is counter-productive. This page provides key details to fill this gap.
When does Entra ID device registration happen?
Entra ID device registration is possible for a wide variety of device platforms including Windows 10, iOS, Android, and MacOS.
Entra ID device registration happens in a number of scenarios, including:
- Windows 10 Entra ID join
- Most Office products (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office ProPlus) on supported Windows platforms require the device to be Entra ID registered in order to allow sign in. Office products perform the registration silently, unknown to the user.
- Windows 10 registration via the ‘Access Work or School’ Windows setting
- Hybrid join
Unfortunately, these triggers either do not tell the user that an Entra ID device registration is happening or under-inform the user.
Benefits of Entra ID device registration
After a successful Entra ID device registration, the following benefits are present:
- Enables use of an Entra ID refresh token. An Entra ID refresh token will eliminate the need to interactively enter your credentials each time you want to access an application that requires a new Entra ID access token.
- Office products on Windows require this, so a key benefit is the use of Office products on Windows from that device.
- The device will be listed via https://myworkaccount.microsoft.com/device-list, and BitLocker recovery keys (if enabled after registration) will be accessible to the user at that location.
- Enables the possibility of cloud-based device management via a MDM provider like Intune
- Entra ID Conditional Access device-based conditions are possible to be used
- Enterprise State Roaming is enabled
What can go wrong?
- User can disable their Entra ID device registration. This will mean they can’t sign in to Entra ID from that device. Users should NOT disable registered devices.
- If the Entra ID device registration experience is interactive, the user may choose to have the device be managed. If you say yes, you are moving beyond a relatively low-impact Entra ID device registration to mobile device management (MDM), which in the case of the UW Entra ID tenant is provided by Intune. So yes to that management prompt means Intune enrollment. If successful, that potentially means a set of policies and settings will be deployed to the device, including these settings. You can also fail, due to Intune device restrictions. If you fail, you’ll see error message 80180014.
- If performing the Windows 10 registration via the ‘Access Work or School’ Windows setting AND the user is in the MDM user scope BUT not in the MAM user scope AND does not meet the Intune enrollment restrictions, THEN the device registration will fail with an obscure error message, 80180014. This problem requires a lot more explanation, so read on …
- Entra ID device registration relies on a number of things which can be interfered with:
  - There is a certificate issued by the Entra ID Device Registration Service. If that certificate is deleted, the device registration is essentially deleted. Processes or people who are “cleaning up” can inadvertently break the device registration. To resolve, you can remove your device registration and re-add it. Removal works the same as documented at Windows 10 registration via the ‘Access Work or School’ Windows setting.
  - The private key for the certificate issued by the Entra ID Device Registration Service is typically stored in the TPM for a device. If your TPM needs to be replaced, things won’t work at all. To resolve, you can remove your device registration and re-add it. Removal works the same as documented at Windows 10 registration via the ‘Access Work or School’ Windows setting.
- Device registrations come in user/computer pairings. Each user is allowed a maximum of 10 devices. When a user reaches their maximum, the oldest device registration is deleted so the new device can be registered. If you use a lot of computers, this can result in an unusual experience when you go back to that device, including a sign-in error that “Your organization has deleted this device.” The UW didn’t delete your device; you just reached the maximum and Microsoft deleted it on your behalf. This error happens because you still have a primary refresh token (PRT) on that device, but the PRT is no longer valid since the device isn’t valid anymore. If this doesn’t clear itself up on your next attempt to sign in, you can resolve this by manually deleting the PRT. See https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/help/problems-and-solutions/#corrupt for how to do that.
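The three failure modes above (missing registration certificate, key not in the TPM, stale PRT after the device limit is hit) are all visible from the device itself. The PowerShell below is an added diagnostic example, not part of this page or of any UW tooling: it parses the `Key : Value` lines that `dsregcmd /status` prints, flags the conditions described above, and looks for the registration certificate (issued by the MS-Organization-Access CA) in the machine and user stores. It assumes a Windows 10/11 device where `dsregcmd.exe` is present and a session with read access to those certificate stores; the sample output embedded at the bottom is constructed so the parser can be tried offline.

```powershell
# Added diagnostic example; not from the UW page. Assumes Windows 10/11 with
# dsregcmd.exe (ships with the OS) and read access to the certificate stores.

function ConvertFrom-DsregStatus {
    # Turn the "Key : Value" lines printed by `dsregcmd /status` into a hashtable.
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Keys are words (sometimes with spaces); the value itself may contain colons.
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-DeviceRegistrationFindings {
    # Map dsregcmd fields onto the failure modes described on this page.
    param([hashtable]$Status)
    $findings = @()

    $joined     = $Status['AzureAdJoined']   -eq 'YES'   # Entra ID join (Device State section)
    $registered = $Status['WorkplaceJoined'] -eq 'YES'   # Entra ID registered (User State section)

    if (-not ($joined -or $registered)) {
        $findings += 'Not Entra ID joined or registered: the registration was removed, or its certificate was deleted. Remove and re-add the registration.'
        return $findings
    }

    # TpmProtected / KeyProvider are only reported for joined devices (Device Details section).
    if ($joined -and $Status['TpmProtected'] -ne 'YES') {
        $findings += "Device key is not TPM-protected (KeyProvider: $($Status['KeyProvider'])). A replaced TPM leaves the registration unusable; remove and re-add it."
    }

    if ($Status['AzureAdPrt'] -ne 'YES') {
        $findings += 'No primary refresh token (PRT): expect interactive prompts. If sign-in reports "Your organization has deleted this device", the 10-device limit was likely reached; clear the stale PRT.'
    }

    return $findings
}

function Test-DeviceRegistrationCertificate {
    # The registration certificate is issued by the MS-Organization-Access CA.
    # Joined devices keep it in the machine store; registered devices keep it in the user store.
    $certs = @(Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My -ErrorAction SilentlyContinue |
               Where-Object { $_.Issuer -like '*MS-Organization-Access*' })
    if ($certs.Count -eq 0) {
        return 'No MS-Organization-Access certificate found in either store; a cleanup job may have removed it.'
    }
    $earliest = ($certs | Sort-Object NotAfter | Select-Object -First 1).NotAfter
    return "Found $($certs.Count) device registration certificate(s); earliest expiry $earliest."
}

# Constructed, abridged sample of `dsregcmd /status` output so the parser can be exercised offline.
$sampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
 DeviceCertificateValidity : [ 2024-01-01 00:00:00.000 UTC -- 2034-01-01 00:00:00.000 UTC ]
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split "`r?`n"

# Offline run against the constructed sample: reports only the missing PRT.
Get-DeviceRegistrationFindings -Status (ConvertFrom-DsregStatus -Lines $sampleOutput)

# Live run on the device itself:
# Get-DeviceRegistrationFindings -Status (ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status))
# Test-DeviceRegistrationCertificate
```

The parser deliberately ignores the boxed section headers and keeps only the first colon as the key/value separator, because values such as `DeviceCertificateValidity` contain colons of their own. Run the two commented-out lines on a real device to see the live state; a device that only shows the PRT finding after the limit was hit is the case the "Your organization has deleted this device" paragraph above describes.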
MDM user scope
Entra ID has two mobility settings, MDM user scope and MAM user scope, which help to determine what kind of experience a given user has when initiating an Entra ID device registration.
MDM stands for mobile device management, a standard which enables cloud-based simple management of any device. The MDM user scope specifies which users should also experience an MDM enrollment immediately after the Entra ID device registration.
In the UW Entra ID, MDM is provided by Intune. So if a user is in the MDM user scope and they initiate an Entra ID device registration, the device will also be sent for Intune enrollment. If Intune enrollment fails, Microsoft automatically rolls back the prior Entra ID device registration, resulting in an error message to the user.
All users with a Microsoft 365 A3 license assigned are in the MDM user scope in the UW Entra ID. At a minimum, this includes students and employees.
MAM user scope
MAM stands for mobile application management, a proprietary solution for cloud-based simple management of client applications on a device. The MAM user scope specifies which users should have client applications subject to policies after the Entra ID device registration.
Any user who is in both the MDM user scope and the MAM user scope will not experience a rollback of the Entra ID device registration if Intune enrollment fails.
In the UW Entra ID, MAM is not used at this time, so there are no MAM policies.
At this time, only a few users are in the MAM user scope in the UW Entra ID. This is currently being used as a workaround for users who experience failed Entra ID device enrollment due to Intune enrollment failures which are not their fault.
Intune enrollment restrictions
Intune provides a mechanism to restrict enrollment of specific types and platforms of devices. UW Intune has several restrictions that can cause Intune enrollment to fail, and if the user is only in the MDM user scope, that failure leads to a failed Entra ID device registration.
More details on the existing Intune device restrictions
The solution for all device registration failures is at https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/help/problems-and-solutions/#devRegFail.