Device Join Modalities
The following table outlines how devices behave in each join type, including how they authenticate, how they are managed, and their access to cloud and on-premises resources.

| Feature | AD Joined | Hybrid Joined | Entra ID Joined |
|---|---|---|---|
| Authentication | Kerberos against on-premises Active Directory only; the device has no identity in Microsoft Entra ID. | Kerberos against on-premises AD for on-prem resources, and Microsoft Entra ID (via a Primary Refresh Token) for cloud resources. | Microsoft Entra ID only; sign-in to cloud applications uses modern protocols such as OAuth 2.0, OpenID Connect, and SAML. |
| Management | Group Policy Objects (GPOs) from on-premises Active Directory. | Group Policy for on-premises settings, plus a Mobile Device Management (MDM) service such as Intune for cloud-delivered policy. | Intune or another MDM solution exclusively; policy is enforced from the cloud. |
| On-Prem Resources | Full, native access to internal resources such as file shares, printers, and intranet applications. | Full access to on-premises resources through Kerberos, because the device keeps its AD computer account and domain trust. | No native domain trust. Access requires network line of sight to a domain controller for a synchronized user, or a VPN or Microsoft Entra application proxy in front of the resource. |
| Cloud Resources | Users can still sign in to cloud apps with synchronized credentials, but the device itself is unknown to Microsoft Entra ID, so device-based Conditional Access and device SSO are unavailable. | Full access to Microsoft Entra-protected cloud resources such as Microsoft 365, Teams, and OneDrive, with device-based Conditional Access available. | Full, direct access to all Microsoft Entra-protected cloud applications and resources. |
| Internet Dependency | None for authentication; fully functional on the corporate network, and cached credentials allow offline sign-in. | Moderate: the device must reach Microsoft Entra ID to register, refresh its Primary Refresh Token, and receive MDM policy; on-prem authentication keeps working without it. | High: authentication, token refresh, and device compliance checks all depend on reaching Microsoft Entra ID (cached credentials still permit local sign-in when offline). |
| Ideal for | On-premises organizations with minimal cloud integration or strict internal control requirements. | Organizations with an existing on-premises AD that are adopting cloud services and want device-based Conditional Access for their domain-joined machines. | Cloud-first or fully remote organizations that operate primarily using Microsoft Entra ID. |
TruU Authentication Modalities
TruU supports two primary authentication modalities: FIDO2 (Virtual FIDO Key) and Smartcard / Certificate-Based Authentication (Virtual Smartcard). Between them they cover every device join type, but each modality is supported only on the join types listed in the table. Each serves a distinct purpose, depending on your organization's identity architecture and compliance standards.

| TruU Aspect | FIDO2 (virtual FIDO key) | Smartcard Cert-Based Auth (virtual smartcard) |
|---|---|---|
| Purpose | Passwordless, phishing-resistant sign-in: no password is typed, and the authenticator proves possession of a private key that is bound to the relying party. | Certificate-based sign-in using a smartcard or token (physical or virtual) that holds an X.509 certificate. |
| Technology | Public-key cryptography via the open WebAuthn (Web Authentication API) and CTAP (Client to Authenticator Protocol) standards. | X.509 certificates and keys held on a smartcard or virtual smartcard, presented through the operating system's smartcard logon. |
| Standards | Open standard developed and maintained by the FIDO Alliance and the W3C; supported on Windows, macOS, iOS, Android, and major browsers. | PKI (Public Key Infrastructure) with X.509 certificates. |
| Authentication | Challenge-response signature with a public/private key pair generated on the FIDO2 authenticator (a roaming security key, or a platform authenticator unlocked by biometrics or PIN). | Challenge-response signature with the private key that pairs with the certificate on the smartcard or token. |
| Storage | Private keys are stored in hardware-backed storage (TPM, Secure Enclave, or a FIDO2 security key). | Certificates and private keys are stored on the smartcard or, for a virtual smartcard, in the TPM. |
| Device join type | Hybrid Joined and Entra ID Joined (cloud) devices. | Hybrid Joined and AD Joined Windows devices, and macOS. |
| Revocation | No certificate revocation process; trust is tied to the credential registered for the user. Removing the registered authenticator from the user's account revokes access immediately. | Certificates can be revoked via CRLs (or OCSP); revocation only takes effect where the authenticating system actually checks revocation status. |
| Setup | Easy to deploy at scale: no PKI or certificate issuance infrastructure is required, and rollout can be driven by Intune or another MDM with minimal user setup. | Requires PKI infrastructure (certificate authority, enrollment, renewal, and revocation publishing) and ongoing certificate lifecycle management. |
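To check which of the join types above a Windows device is actually in, and which TruU modality the table then permits, the script below parses the AzureAdJoined and DomainJoined flags from `dsregcmd /status`. It is an added example, not TruU's or Microsoft's code; the function name, the embedded sample output (constructed and abridged), and the join-type-to-modality mapping (copied from the TruU table) are this example's own.

```powershell
# Added example (not TruU's or Microsoft's code): classify a Windows device's join
# type from 'dsregcmd /status' output and map it to the TruU modalities the tables
# above list as supported. Function and variable names are this example's own.

function Get-DeviceJoinType {
    param(
        # Lines of 'dsregcmd /status' output, live or captured.
        [Parameter(Mandatory)]
        [string[]]$StatusLines
    )

    # dsregcmd prints "Key : Value" lines; only these two flags decide the join type.
    $flags = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    # Refuse to guess when either flag is absent (truncated or foreign output).
    foreach ($required in 'AzureAdJoined', 'DomainJoined') {
        if (-not $flags.ContainsKey($required)) {
            throw "dsregcmd output is missing the '$required' field; cannot determine join type"
        }
    }

    if ($flags['AzureAdJoined'] -and $flags['DomainJoined']) { $joinType = 'Hybrid Joined' }
    elseif ($flags['AzureAdJoined'])                          { $joinType = 'Entra ID Joined' }
    elseif ($flags['DomainJoined'])                           { $joinType = 'AD Joined' }
    else                                                      { $joinType = 'Not joined' }

    # Supported TruU modalities per join type, as listed in the table above.
    $supported = @{
        'Hybrid Joined'   = @('FIDO2 (virtual FIDO key)', 'Smartcard / certificate-based (virtual smartcard)')
        'Entra ID Joined' = @('FIDO2 (virtual FIDO key)')
        'AD Joined'       = @('Smartcard / certificate-based (virtual smartcard)')
    }
    [string[]]$modalities = if ($supported.ContainsKey($joinType)) { $supported[$joinType] } else { @() }

    [pscustomobject]@{
        JoinType            = $joinType
        SupportedModalities = $modalities
    }
}

# Constructed, abridged sample of 'dsregcmd /status' output for offline use;
# a real run prints many more fields.
$sampleStatus = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
'@ -split '\r?\n'

Get-DeviceJoinType -StatusLines $sampleStatus | Format-List

# Against the live machine, when dsregcmd.exe is present (Windows 10/11):
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Get-DeviceJoinType -StatusLines (& dsregcmd.exe /status) | Format-List
}
```

With the constructed sample (both flags YES) the function reports Hybrid Joined, so both modalities are available; a device reporting `AzureAdJoined : NO` and `DomainJoined : YES` is classified AD Joined and limited to certificate-based authentication. The function throws when either flag is missing rather than silently reporting "Not joined", so a truncated capture cannot be mistaken for an unjoined device.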
WA Configuration Options AD (Domain Joined) - CBA

