Microsoft supports three ways to join a Windows device to an identity infrastructure. Understanding your join type is the first step in selecting the right TruU authentication modality. For a quick summary of which TruU modality applies to each join type, see TruU Windows Authenticator Modalities. For Microsoft’s full documentation on device identity, see What is a device identity? on Microsoft Learn.

Microsoft Device Join Types

The following table describes all three join types — what each means, how devices authenticate, how they are managed, and their access to on-premises and cloud resources.
| Feature | Active Directory Joined | Microsoft Entra Hybrid Joined | Microsoft Entra Joined |
| --- | --- | --- | --- |
| What it means | Device is joined to on-premises Active Directory. Sign-in requires an Active Directory account. | Device is joined to on-premises Active Directory and its identity is registered/synced to Microsoft Entra ID. Sign-in uses an Active Directory account. | Device is joined to Microsoft Entra ID (cloud only). Sign-in uses a Microsoft Entra account (or a synced account if applicable). |
| Authentication | Password: AD username and password. TruU: certificate-based authentication (CBA). | Password: AD username and password. TruU: FIDO2 (recommended) or certificate-based authentication. | Password: synced account username and password (if used). TruU: FIDO2 authenticator. |
| Management | Managed via Group Policy Objects (GPOs) from on-premises Active Directory. | Managed via Group Policy and/or Intune policies. | Managed through Intune (or another MDM solution) with cloud-based policy enforcement. |
| On-premises resources | Full, native access to internal resources (file shares, printers, intranet apps). | Full access to on-premises resources via Kerberos — the device maintains an Active Directory trust. | Limited or no native access. Typically requires VPN or proxy, plus Kerberos Key Trust or a connector, as configured. |
| Cloud resources | No Primary Refresh Token (PRT) from Microsoft Entra ID. Seamless SSO to Entra-protected resources is not available. | Full access to Microsoft Entra-protected resources (Microsoft 365, Teams, OneDrive). PRT is issued at sign-in. | Full, direct access to Microsoft Entra-protected resources (Microsoft 365, Teams, OneDrive). PRT is issued at sign-in. |
| Internet dependency | None for authentication on the corporate network. | Moderate — required for syncing with Microsoft Entra ID and receiving MDM policy updates. | High — required for authentication and device compliance checks. |
| Ideal for | On-premises organizations with minimal cloud integration or strict internal control requirements. | Hybrid environments transitioning to the cloud while maintaining on-premises infrastructure. | Cloud-first or fully remote organizations using Microsoft Entra ID. |

To check your device’s join type, run dsregcmd /status in PowerShell and inspect the AzureAdJoined and DomainJoined fields.
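
The check above can be scripted. The following PowerShell function is an added example, not TruU's or Microsoft's code: it parses `dsregcmd /status` output and maps AzureAdJoined and DomainJoined to the join types and TruU modalities in the table above. The function name `Get-DeviceJoinType` and the sample output are constructed for illustration; `AzureAdPrt` is the PRT field from the same command's SSO State section.

```powershell
# Added example; Get-DeviceJoinType is a hypothetical helper name, not a built-in cmdlet.
function Get-DeviceJoinType {
    param(
        # Output lines of `dsregcmd /status`; runs the command locally when omitted.
        [string[]]$StatusText = (dsregcmd.exe /status)
    )

    # Collect "Name : Value" lines; banner and section-header lines do not match.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $entra  = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    # Join type and TruU modality as listed in the table above.
    if ($entra -and $domain) {
        $type = 'Microsoft Entra Hybrid Joined'
        $truu = 'FIDO2 (recommended) or certificate-based authentication'
    } elseif ($entra) {
        $type = 'Microsoft Entra Joined'
        $truu = 'FIDO2 authenticator'
    } elseif ($domain) {
        $type = 'Active Directory Joined'
        $truu = 'Certificate-based authentication (CBA)'
    } else {
        $type = 'None of the three join types'
        $truu = 'n/a'
    }

    [pscustomobject]@{
        JoinType     = $type
        TruUModality = $truu
        AzureAdPrt   = $fields['AzureAdPrt']   # empty if the field is not reported
    }
}

# Constructed sample output (not from a real device), trimmed to the relevant fields.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : YES
                AzureAdPrt : YES
'@ -split '\r?\n'

Get-DeviceJoinType -StatusText $sample
```

Calling `Get-DeviceJoinType` with no arguments on a Windows device classifies that device from its live `dsregcmd /status` output.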