Entra ID Device Registration

Last updated: November 15, 2023
Audience: All UW

Entra ID device registration enables a variety of Microsoft technologies, but because it often happens silently, most people are unaware of its existence or how it works. Microsoft has designed it to to be invisible, but there are a number things that can go wrong so that approach is counter-productive. This page provides a number of key details to fill this gap.

When does Entra ID device registration happen?

Entra ID device registration is possible for a wide variety of device platforms including Windows 10, iOS, Android, and MacOS.

Entra ID device registration happens in a number of scenarios, including:

Unfortunately, these triggers either do not tell the user that an Entra ID device registration is happening or under inform the user.

Benefits of Entra ID device registration

After a successful Entra ID device registration, the following benefits are present:

  • Enables use of an Entra ID refresh token. An Entra ID refresh token will eliminate the need to interactively enter your credentials each time you want to access an application that requires a new Entra ID access token.
    • Office products on Windows require this, so a key benefit is the use of Office products on Windows from that device.
  • The device will be listed via https://myworkaccount.microsoft.com/device-list, and Bitlocker recovery keys (if enabled after registration) will be accessible to the user at that location.
  • Enables the possibility of cloud-based device management via a MDM provider like Intune
  • Entra ID Conditional Access device-based conditions are possible to be used
  • Enterprise State Roaming is enabled

What can go wrong?

  1. User can disable their Entra ID device registration. This will mean they can’t sign in to Entra ID from that device. Users should NOT disable registered devices.
  2. If the Entra ID device registration experience is interactive, the user may choose to have the device be managed. If you say yes, you are moving beyond a relatively impactless Entra ID device registration to mobile device management (MDM), which in the case of the UW Entra ID tenant is provided by Intune. So yes to that management prompt means Intune enrollment. If successful, that potentially means a set of policies and settings will be deployed to the device, including these settings. You can also fail, due to Intune device restrictions. If you fail, you’ll see an error message 80180014.
  3. If performing the Windows 10 registration via the ‘Access Work or School’ Windows setting AND the user is in the MDM user scope BUT not in the MAM user scope AND does not meet the Intune enrollment restrictions, THEN the device registration will fail with an obscure error message80180014. This problem requires a lot more explanation, so read on …
  4. Entra ID Device registration relies on a number of things which can be interfered with:
    1. There is a certificate issued by the Entra ID Device Registration Service. If that certificate is deleted, the device registration is essentially deleted. Processes or people who are “cleaning up” can inadvertently break the device registration.
    2. Device registrations come in user/computer pairings. Each user is allowed a maximum of 10 devices. When a user reaches their maximum, the oldest device registration is deleted, so the new device can be registered. If you use a lot of computers, this can result in an unusual experience when you go back to that device, including a sign in error that “Your organization has deleted this device.” The UW didn’t delete your device–you just reached the maximum and Microsoft deleted it on your behalf. This error happens because you still have a primary refresh token (PRT) on that device, but the PRT is no longer valid since the device isn’t valid anymore. If this doesn’t clear itself up on your next attempt to sign in, you can resolve this by manually deleting the PRT. See https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/help/problems-and-solutions/#corrupt for how to do that.

MDM user scope

Entra ID has two mobility settings–MDM user scope and MAM user scope–which help to determine what kind of experience a given user has when initiating an Entra ID device registration.

MDM stands for mobile device management, a standard which enables cloud-based simple management of any device. The MDM user scope specifies which users should also experience an MDM enrollment immediately after the Entra ID device registration.

In the UW Entra ID , MDM is provided by Intune. So if a user is in the MDM user scope and they initiate an Entra ID device registration, the device will also be sent for Intune enrollment. If Intune enrollment fails, Microsoft automatically rolls back the prior Entra ID device registration, resulting in an error message to the user.

All users with a Microsoft 365 A3 license assigned are in the MDM user scope in the UW Entra ID . At a minimum, this includes students and employees.

MAM user scope

MAM stands for mobile application management, a proprietary solution for cloud-based simple management of client applications on a device. The MAM user scope specifies which users should have client applications subject to policies after the Entra ID device registration.

Any user which is both in the MDM user scope and the MAM user scope will not experience a roll back of the Entra ID device registration if Intune enrollment fails.

In the UW Entra ID , MAM is not used at this time, so there are no MAM policies.

At this time, only a few users are in the MAM user scope in the UW Entra ID . This is currently being used as a workaround for users who experience failed Entra ID device enrollment due to Intune enrollment failures which are not their fault.

Intune enrollment restrictions

Intune provides a mechanism to restrict enrollment of specific types and platforms of devices. UW Intune has several restrictions, which can result in failed Intune enrollment, which if the user is only in the MDM user scope, can lead to failed Entra ID device registration.

More details on the existing Intune device restrictions

The solution for all device registration failures is at https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/help/problems-and-solutions/#devRegFail.