
Device Join Modalities

The following table outlines how devices behave in each join type — including how they authenticate, how they are managed, and their access to cloud and on-premises resources.
Join types compared: Active Directory joined, Microsoft Entra hybrid joined, Microsoft Entra joined.

What it means
  Active Directory joined:
    • Device is joined to on-premises Active Directory.
    • Sign-in requires an Active Directory account.
  Microsoft Entra hybrid joined:
    • Device is joined to on-premises Active Directory.
    • Device identity is registered/synced to Microsoft Entra ID.
    • Sign-in uses an Active Directory account.
  Microsoft Entra joined:
    • Device is joined to Microsoft Entra ID (cloud).
    • Sign-in uses a Microsoft Entra account (or a synced account if applicable).

Authentication
  Active Directory joined:
    • Password: Active Directory username and password.
    • TruU Desktop Authenticator: certificate-based authentication.
  Microsoft Entra hybrid joined:
    • Password: Active Directory username and password.
    • TruU Desktop Authenticator: FIDO2 authenticator (recommended) or certificate-based authentication.
  Microsoft Entra joined:
    • Password: synced account username and password (if used).
    • TruU Desktop Authenticator: FIDO2 authenticator.

Management
  Active Directory joined:
    • Managed via Group Policy Objects (GPOs) from on-premises Active Directory.
  Microsoft Entra hybrid joined:
    • Managed via Group Policy and/or Intune policies.
  Microsoft Entra joined:
    • Managed through Intune (or another MDM solution) with cloud policy enforcement.

On-premises resources
  Active Directory joined:
    • Full, native access to internal resources (file shares, printers, intranet apps).
  Microsoft Entra hybrid joined:
    • Full access to on-premises resources (Kerberos) because the device maintains an AD trust.
  Microsoft Entra joined:
    • Limited/no native access; typically requires VPN/proxy and Kerberos key trust or connectors (as configured).

Cloud resources
  Active Directory joined:
    • No Primary Refresh Token (PRT) from Microsoft Entra ID.
    • Seamless sign-in to Microsoft Entra-protected resources is not available.
  Microsoft Entra hybrid joined:
    • Full access to Microsoft Entra-protected cloud resources (Microsoft 365, Teams, OneDrive).
    • PRT is issued at sign-in.
  Microsoft Entra joined:
    • Full, direct access to Microsoft Entra-protected cloud resources (Microsoft 365, Teams, OneDrive).
    • PRT is issued at sign-in.

Internet dependency
  Active Directory joined:
    • No dependency for authentication on the corporate network.
  Microsoft Entra hybrid joined:
    • Moderate dependency for syncing with Microsoft Entra ID and receiving MDM policy updates.
  Microsoft Entra joined:
    • High dependency for authentication and device compliance checks.

Ideal for
  Active Directory joined:
    • On-premises organizations with minimal cloud integration.
    • Environments requiring strict internal control.
  Microsoft Entra hybrid joined:
    • Hybrid environments.
  Microsoft Entra joined:
    • Cloud-first or fully remote organizations using Microsoft Entra ID.
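As an added check that is not part of TruU's documentation, the following PowerShell classifies a Windows device into one of the three join types above and reports whether a PRT is present, by parsing the AzureAdJoined, DomainJoined and AzureAdPrt fields printed by dsregcmd /status; the embedded sample output is constructed.

```powershell
# Added example (not TruU's code): determine a Windows device's join modality
# and PRT state from the output of dsregcmd /status.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Field lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinModality {
    param([hashtable]$State)
    $entra  = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'
    if ($entra -and $domain) { return 'Microsoft Entra hybrid joined' }
    if ($entra)              { return 'Microsoft Entra joined' }
    if ($domain)             { return 'Active Directory joined' }
    return 'Not joined'
}

# Constructed sample output for a hybrid joined device that holds a PRT.
# On a real device use:  $lines = dsregcmd.exe /status
$lines = @'
| Device State |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
| SSO State |
                AzureAdPrt : YES
'@ -split "`r?`n"

$state    = ConvertFrom-DsregStatus -Lines $lines
$modality = Get-JoinModality -State $state
$hasPrt   = $state['AzureAdPrt'] -eq 'YES'
Write-Output "Join type: $modality"
Write-Output "PRT present: $hasPrt"

# Cross-check against the table: only Entra joined and hybrid joined devices get a PRT.
if ($modality -eq 'Active Directory joined' -and $hasPrt) {
    Write-Warning 'PRT reported on an AD-only device; verify the join state.'
} elseif ($modality -ne 'Active Directory joined' -and -not $hasPrt) {
    Write-Warning 'No PRT yet: seamless SSO to Entra-protected resources is unavailable until a sign-in issues one.'
}
```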

TruU Authentication Modalities

TruU supports two primary authentication modalities that can be applied across all device join types — FIDO2 (Virtual FIDO Key) and Smartcard / Certificate-Based Authentication (Virtual Smartcard). Each serves a distinct purpose, depending on your organization’s identity architecture and compliance standards.
Modalities compared: TruU FIDO2 Authenticator (virtual FIDO key) and TruU Smartcard CBA (virtual smartcard).

Purpose
  TruU FIDO2 Authenticator (virtual FIDO key):
    • Passwordless, phishing-resistant user sign-in.
    • Strong cryptographic validation without passwords.
  TruU Smartcard CBA (virtual smartcard):
    • Certificate-based authentication using smartcard credentials.
    • Common fit for PKI / smartcard environments.

Technology
  TruU FIDO2 Authenticator (virtual FIDO key):
    • FIDO2 / WebAuthn + CTAP.
    • Public/private key pairs protected by device security (e.g., TPM).
  TruU Smartcard CBA (virtual smartcard):
    • X.509 certificates (PKI).
    • Keys/certs stored on smartcard/virtual smartcard (TPM-backed).

Standards
  TruU FIDO2 Authenticator (virtual FIDO key):
    • Open FIDO Alliance standard.
    • Broad OS and browser support.
  TruU Smartcard CBA (virtual smartcard):
    • PKI-based authentication model.

Authentication
  TruU FIDO2 Authenticator (virtual FIDO key):
    • User validates via TruU FIDO2 Authenticator using biometrics or PIN.
    • FIDO2 assertion is used for sign-in where configured.
  TruU Smartcard CBA (virtual smartcard):
    • User authenticates with a smartcard certificate.
    • Fits Windows smartcard logon / certificate flows.

Device join type
  TruU FIDO2 Authenticator (virtual FIDO key):
    • Supported: Microsoft Entra hybrid joined and Microsoft Entra joined devices.
    • Not intended: Active Directory joined only (AD-only) devices.
  TruU Smartcard CBA (virtual smartcard):
    • Recommended: Active Directory joined (AD-only) devices for smartcard/CBA logon needs.
    • Supported (with prerequisites): Microsoft Entra hybrid joined (see prerequisites/notes).

On-premises resource access
  TruU FIDO2 Authenticator (virtual FIDO key):
    • Hybrid joined: access via AD trust/Kerberos as normal.
    • Entra joined: on-premises access requires Kerberos key trust to obtain Kerberos tickets for AD resources.
  TruU Smartcard CBA (virtual smartcard):
    • AD joined: native access to on-premises resources.
    • Hybrid joined: can access on-premises resources.

Revocation
  TruU FIDO2 Authenticator (virtual FIDO key):
    • No certificate revocation (CRL/OCSP) lifecycle.
    • Remove/disable the registered authenticator to block usage.
  TruU Smartcard CBA (virtual smartcard):
    • Certificate revocation via CRLs/OCSP per PKI policy.

Deployment / operations
  TruU FIDO2 Authenticator (virtual FIDO key):
    • Typically simpler at scale.
    • Managed through endpoint and identity policy (e.g., Intune + Entra policies).
  TruU Smartcard CBA (virtual smartcard):
    • Requires PKI: certificate issuance, renewal, and lifecycle management.

Prerequisites / notes
  TruU FIDO2 Authenticator (virtual FIDO key):
    • Enable TruU FIDO2 Keys in Entra ID.
    • Hybrid Entra joined: configuring Cloud Kerberos Trust with Microsoft Entra ID is required to use the TruU FIDO2 authenticator on hybrid Entra joined devices.
    • Entra joined (optional): to access on-premises resources, you need Cloud Kerberos Trust (plus a network path such as VPN/proxy, as applicable).
  TruU Smartcard CBA (virtual smartcard):
    • AD joined: smartcard/CBA is the recommended option when certificate-based logon is required.
    • Hybrid joined: to use CBA and still get a PRT for seamless SSO to Microsoft 365/Office apps, enable Microsoft Entra ID CBA (per Entra policy) so that Entra ID apps can obtain PRT-based SSO.
TruU’s support for both FIDO2 and Smartcard-based authentication ensures compatibility with diverse enterprise environments. Organizations can adopt passwordless authentication at their own pace, aligning with existing infrastructure and compliance goals.