Azure AD device registration underpins a variety of Microsoft technologies, but because it usually happens silently, most people are unaware that it exists or how it works. Microsoft designed it to be invisible, but a number of things can go wrong, which makes that approach counter-productive. This page provides the key details to fill that gap.
When does Azure AD device registration happen?
Azure AD device registration is possible for a wide variety of device platforms, including Windows 10, iOS, Android, and macOS.
Azure AD device registration happens in a number of scenarios, including:
- Windows 10 Azure AD join
- Most Office products (including Microsoft 365 Apps for Enterprise, Office 2016/2019, and Office ProPlus) on supported Windows platforms require the device to be Azure AD registered before sign-in is allowed. Office performs the registration silently, without telling the user.
- Windows 10 registration via the ‘Access Work or School’ Windows setting
- Hybrid join
These triggers either do not tell the user that an Azure AD device registration is happening, or under-inform them about it.
Benefits of Azure AD device registration
After a successful Azure AD device registration, the following benefits are available:
- Enables issuance of an Azure AD primary refresh token (PRT). The PRT eliminates the need to interactively enter your credentials each time you access an application that requires a new Azure AD access token.
- Office products on Windows require device registration, so a key benefit is being able to use Office products on Windows from that device.
- The device is listed at https://myworkaccount.microsoft.com/device-list, and BitLocker recovery keys (if BitLocker is enabled after registration) are accessible to the user at that location.
- Enables cloud-based device management via an MDM provider such as Intune.
- Azure AD Conditional Access device-based conditions can be applied to the device.
- Enterprise State Roaming is enabled.
What can go wrong with Azure AD device registration
- A user can disable their own Azure AD device registration. Doing so means they can no longer sign in to Azure AD from that device, so users should NOT disable registered devices.
- If the Azure AD device registration experience is interactive, the user may be asked whether the device should be managed. Saying yes moves beyond a relatively low-impact Azure AD device registration to mobile device management (MDM), which in the UW Azure AD tenant is provided by Intune. Yes to that management prompt therefore means Intune enrollment. If enrollment succeeds, a set of UW Intune policies and settings may be deployed to the device. Enrollment can also fail because of Intune enrollment restrictions, in which case you will see error message 80180014.
- If the registration is performed via the ‘Access Work or School’ Windows setting AND the user is in the MDM user scope BUT NOT in the MAM user scope AND the device does not meet the Intune enrollment restrictions, THEN the device registration fails with the obscure error message 80180014. This problem needs more explanation, so read on.
- Azure AD device registration relies on a number of things which can be interfered with:
  - A certificate issued by the Azure AD Device Registration Service. If that certificate is deleted, the device registration is effectively deleted. Processes or people who are “cleaning up” certificate stores can inadvertently break the device registration.
  - Device registrations come in user/device pairings, and each user is allowed a maximum of 10 devices. When a user reaches the maximum, the oldest device registration is deleted so that the new device can be registered. If you use a lot of computers, this can produce an unusual experience when you return to an older device, including the sign-in error “Your organization has deleted this device.” The UW did not delete your device; you reached the maximum and Microsoft deleted it on your behalf. The error occurs because the device still holds a primary refresh token (PRT), but that PRT is no longer valid since the device object it was issued to no longer exists. If this does not clear itself up on your next sign-in attempt, you can resolve it by manually deleting the PRT. See https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/help/problems-and-solutions/#corrupt for how to do that.
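A diagnostic script for the failure modes just listed: a registration certificate that has been "cleaned up", a PRT left behind after the device object was deleted in Azure AD, and an Intune enrollment rejected with 80180014 that rolled the registration back. This is an added example, not part of the original page and not a UW-provided tool. It assumes Windows 10 with dsregcmd.exe, that the registration certificate is issued under the name MS-Organization-Access, the dsregcmd /status field names it parses (AzureAdJoined, DomainJoined, WorkplaceJoined, Thumbprint, WorkplaceThumbprint, AzureAdPrt, AzureAdPrtUpdateTime, and DeviceAuthStatus, which only newer Windows builds report), and the two event log channels it reads.

```powershell
# Added diagnostic script (not from the original page). Reads local registration
# state with dsregcmd, confirms the Azure AD Device Registration Service certificate
# is still present, checks the cached PRT, and lists recent device-registration and
# MDM-enrollment errors such as 0x80180014.
# Assumptions: Windows 10 with dsregcmd.exe; run as the affected user from an
# elevated prompt so both certificate stores and both event logs are readable.

function Get-DsregStatus {
    # dsregcmd /status prints "    Key : Value" lines under banner sections; collect
    # every pair into a hashtable. The lazy key match stops at the first colon, so
    # URL values such as "https://..." keep their scheme intact.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-DeviceRegistrationCertificate {
    # The registration certificate is issued under the name "MS-Organization-Access".
    # Azure AD joined and hybrid joined devices keep it in the machine store; Azure AD
    # registered (workplace joined) accounts keep it in the user's store.
    Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Issuer -like '*MS-Organization-Access*' } |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter
}

function Get-RecentRegistrationError {
    param([int]$Hours = 24)
    # Device registration and MDM enrollment log to two separate Admin channels. An
    # Intune enrollment rejected by enrollment restrictions surfaces here as 0x80180014,
    # the code the user sees as "80180014".
    $filter = @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin',
                    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 1, 2    # Critical, Error
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

$status = Get-DsregStatus
$certs  = @(Get-DeviceRegistrationCertificate)

$joinLine = 'Join state : AzureAdJoined={0} DomainJoined={1} WorkplaceJoined={2}'
$joinLine -f $status['AzureAdJoined'], $status['DomainJoined'], $status['WorkplaceJoined']
'PRT        : present={0} lastRefresh={1}' -f $status['AzureAdPrt'], $status['AzureAdPrtUpdateTime']
'Reg. certs : {0} found' -f $certs.Count

# Failure mode 1: the registration certificate was deleted. dsregcmd still reports the
# thumbprint it registered with, but no certificate with that thumbprint exists.
foreach ($key in 'Thumbprint', 'WorkplaceThumbprint') {
    $tp = $status[$key]
    if ($tp -and ($certs.Thumbprint -notcontains $tp)) {
        Write-Warning "$key $tp is recorded by dsregcmd but the certificate is gone; the registration is effectively broken."
    }
}

# Failure mode 2: the device object was deleted in Azure AD (for example because the
# per-user device maximum was reached) while a PRT is still cached locally. Newer
# dsregcmd builds report this directly in DeviceAuthStatus; on older builds the only
# local hint is a PRT that stopped refreshing (it normally renews about every 4 hours).
if ($status['DeviceAuthStatus'] -and $status['DeviceAuthStatus'] -ne 'SUCCESS') {
    Write-Warning "DeviceAuthStatus: $($status['DeviceAuthStatus']). The cached PRT is no longer valid; clear it as described on the problems-and-solutions page."
}
elseif ($status['AzureAdPrt'] -eq 'YES' -and $status['AzureAdPrtUpdateTime'] -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
    $lastRefresh = [datetime]::ParseExact($matches[1], 'yyyy-MM-dd HH:mm:ss', $null)  # dsregcmd reports UTC
    if (((Get-Date).ToUniversalTime() - $lastRefresh).TotalHours -gt 5) {
        Write-Warning "PRT has not refreshed since $lastRefresh UTC; the device registration may have been deleted server-side."
    }
}

# Failure mode 3: Intune enrollment was rejected and the registration rolled back.
$events = @(Get-RecentRegistrationError)
$restricted = @($events | Where-Object Summary -match '80180014')
'Recent errors (24h): {0}, of which {1} mention 80180014 (enrollment restrictions)' -f $events.Count, $restricted.Count
$events | Format-Table -AutoSize
```

The script only reads state and never changes it; clearing a stale PRT or re-registering the device still follows the linked problems-and-solutions page. Run it before and after any certificate-store clean-up: a thumbprint reported by dsregcmd with no matching certificate is the signature of the first failure mode, and it is easier to spot immediately than after the next Office sign-in fails.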
MDM user scope
Azure AD has two mobility settings, MDM user scope and MAM user scope, which together determine what kind of experience a given user has when initiating an Azure AD device registration.
MDM stands for mobile device management, a standard that enables simple cloud-based management of devices. The MDM user scope specifies which users should also experience an MDM enrollment immediately after the Azure AD device registration.
In the UW Azure AD, MDM is provided by Intune. So if a user in the MDM user scope initiates an Azure AD device registration, the device is also sent for Intune enrollment. If Intune enrollment fails, Microsoft automatically rolls back the prior Azure AD device registration, and the user sees an error message.
MAM user scope
MAM stands for mobile application management, a proprietary Microsoft solution for simple cloud-based management of client applications on a device. The MAM user scope specifies which users should have their client applications subject to MAM policies after the Azure AD device registration.
Any user who is in both the MDM user scope and the MAM user scope will not experience a rollback of the Azure AD device registration if Intune enrollment fails.
In the UW Azure AD, MAM is not used at this time, so there are no MAM policies.
At this time, only a few users are in the MAM user scope in the UW Azure AD. This is being used as a workaround for users whose Azure AD device registration fails because of Intune enrollment failures that are not their fault.
Intune enrollment restrictions
Intune provides a mechanism to restrict enrollment of specific device types and platforms. UW Intune has several such restrictions, which can cause Intune enrollment to fail; if the user is only in the MDM user scope (and not in the MAM user scope), that failure in turn causes the Azure AD device registration to fail.
The solution for all device registration failures is at https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/authn/help/problems-and-solutions/#devRegFail.