Hybrid Join vs Azure AD Join and MDM Enrollment. What are the possible device journeys under each scenario?

Nathan Blasac
Nathan Blasac - Notes from the Field
2 min read · Jun 7, 2021


The main reason for this field notes entry is the amount of confusion I see on this topic, amongst colleagues but also amongst customers. First, I point you to the Microsoft documentation. I also borrowed a nice diagram from MS Docs:

A hybrid joined device starts as a domain-joined device in an on-premises Active Directory. It is then synchronized to Azure Active Directory by Azure AD Connect (device registration).

That journey can begin as a manual domain join, an on-prem “imaged” device built via an MDT/SCCM task sequence, a sysprepped image, etc., or it can come in via Hybrid Autopilot. The end result is a hybrid joined device (joined to on-premises Active Directory, and to Azure AD via Azure AD Connect device sync).

An Azure AD joined device starts its journey into Azure Active Directory via a manual Azure AD join, Autopilot (cloud only), or bulk registration (provisioning packages).

An Intune enrolled device is usually downstream from a join (Hybrid Join or Azure AD Join). The device can enroll into the Intune MDM service downstream, as part of the directory join, during both Hybrid Join and Azure AD Join (via the various auto-enrollment methods, Autopilot, etc.). There is also the MDM-only option, where the device enrolls exclusively into the MDM service (manually), without a directory join.

It’s important to understand the different scenarios due to the sprawling nature of customer environments. Most environments will be a mixture of the above scenarios. Many are still imaging devices via MDT and Configuration Manager (with a domain join as part of that process). Azure AD Connect is also running in that environment (with device registration/hybrid join enabled). Beyond that, you have automatic MDM enrollment, which can happen via the automatic enrollment GPO (or via the SCCM client in a co-managed environment).

Many are also beginning to incorporate Autopilot into their environments. This can bring devices in via both Hybrid Azure AD Join with Intune MDM enrollment and Azure AD Join only (with Intune MDM enrollment).

Understanding the many paths an endpoint has into the environment will assist you when troubleshooting customer scenarios.
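As an added example (not from the original post or Microsoft), here is a PowerShell function that works out which of the journeys above a given endpoint took, from the output of dsregcmd /status plus the local enrollment registry. It assumes dsregcmd prints the fields AzureAdJoined, DomainJoined, DomainName, TenantName and MdmUrl as "Name : Value" lines, and that an Intune enrollment is recorded under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID "MS DM Server"; both are assumptions to verify on your build.

```powershell
# Added example: classify an endpoint's join/enrollment journey (not the post's own code).
# Assumed dsregcmd field names: AzureAdJoined, DomainJoined, DomainName, TenantName, MdmUrl.
# Assumed Intune marker: HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID 'MS DM Server'.
function Get-DeviceJoinJourney {
    param(
        # Raw dsregcmd /status text; pass saved output here when troubleshooting another device.
        [string[]]$StatusLines = (& "$env:SystemRoot\System32\dsregcmd.exe" /status),
        # Skip the local registry check when classifying output saved from another machine.
        [switch]$NoRegistry
    )
    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd lines look like '             AzureAdJoined : YES'; keep the first value per name.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$' -and -not $fields.ContainsKey($Matches[1])) {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $dom = $fields['DomainJoined']  -eq 'YES'
    # MdmUrl is only printed when the tenant has an MDM configured; the registry confirms enrollment.
    $mdm = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])
    if (-not $NoRegistry) {
        $intune = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.ProviderID -eq 'MS DM Server' }
        if ($intune) { $mdm = $true }
    }
    # Directory join state, mirroring the scenarios described in the post.
    $join = if ($aad -and $dom) { 'Hybrid Azure AD Joined' } elseif ($aad) { 'Azure AD Joined' }
            elseif ($dom) { 'Domain Joined only (not yet registered to Azure AD)' } else { 'No directory join' }
    # Layer the MDM enrollment on top: downstream of a join, MDM only, or absent.
    $journey = if ($mdm -and -not $aad -and -not $dom) { 'MDM only (manual enrollment, no directory join)' }
               elseif ($mdm) { "$join + Intune MDM enrolled" } else { "$join, not MDM enrolled" }
    [pscustomobject]@{
        AzureAdJoined = $aad
        DomainJoined  = $dom
        DomainName    = $fields['DomainName']
        TenantName    = $fields['TenantName']
        MdmEnrolled   = $mdm
        Journey       = $journey
    }
}

# Run on the device itself:
Get-DeviceJoinJourney | Format-List
```

To classify output captured elsewhere, save dsregcmd /status to a file and call Get-DeviceJoinJourney -StatusLines (Get-Content .\status.txt) -NoRegistry.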

Until next time.


Consultant working mainly on System Center, Azure/EMS, Systems Management and Windows Deployment.