Microsoft Entra Device Registration (Adding a Work or School Account)

Microsoft Entra device registration seamlessly enables a variety of Microsoft technologies that make connecting to University resources easier. This article describes Microsoft Entra device registration, including the benefits, what happens behind the scenes, and how to un-enroll.

Microsoft is rebranding Azure AD to Entra ID. Linked articles may reference either name.

Table of Contents: Benefits of Microsoft Entra Device Registration | How to Enroll/Register your Device | How to Unenroll your Device | Un-Joining from Entra ID

Introduction

Before we get into the details, let's go over the different scenarios wherein a device is associated with the University in Azure AD (now known as Entra ID).

For reference, when a user chooses to 'add a work or school account', their device is typically considered Microsoft Entra Registered.

|                              | Microsoft Entra Registered | Microsoft Entra Joined | Microsoft Entra Hybrid Joined |
|------------------------------|----------------------------|------------------------|-------------------------------|
| Device ownership             | Personally owned | University-owned | University-owned |
| How you sign into the device | Local account or personal Microsoft account | University credentials (NetID@illinois.edu) | University credentials (UOFI\NetID) |
| Provisioning                 | Can be set up by the user via Settings or during the sign-in process to certain Microsoft products | Can be set up by the user via Settings or the Windows Out of Box Experience (OOBE) | Joined to the on-premises Active Directory (AD) by an IT Pro, then automatically joined to Entra ID via Microsoft Entra Connect |
| Benefits                     | Single sign-on (SSO) to cloud resources such as Microsoft 365 or Shibboleth (Canvas, Zoom, Box, etc.); see below for more information | Single sign-on (SSO) to both cloud and on-premises resources; see below for more information | Single sign-on (SSO) to both cloud and on-premises resources; see below for more information |
| OS support                   | Windows 10 and above, iOS, macOS, Ubuntu | Windows 10 and above | Windows 8.1 and above, and Windows Server 2012 R2 and above |
| More information             | Link | Link | Link |

This table is also included in the following KB: [Link for document 131534 is unavailable at this time].

Note: If you accidentally joined your personal device to Entra ID (you sign into the device with your University credentials), please click here.

Benefits of Microsoft Entra Device Registration

Passwordless!

The main benefit that users will see when registering their device is Single Sign-On (SSO) to university resources. This is done via a Primary Refresh Token (PRT). If you want to read about the technical details, Microsoft documentation on Primary Refresh Tokens can be found here (link).

When you access University resources such as Microsoft 365 (Outlook, Teams, Word, etc.), Canvas, Zoom, Box, or many others, you will not have to enter your password each time.

This is because, after you initially register your device by authenticating with your sign-in information, your device automatically, silently, and securely authenticates on your behalf. Essentially, the PRT is an encrypted token that securely ties your user and device identity to Entra ID. Because of the security of the token, it is valid for a long time and continuously refreshes as long as you actively use the device. There are situations where your Primary Refresh Token (PRT) is invalidated, most commonly when a user changes their password. When this happens, you will be prompted to sign in again. Afterwards, the PRT will once again handle authentication for you.

For users of University-managed devices that are Microsoft Entra Joined or Hybrid Joined, SSO to on-premises resources is possible as well. Line-of-sight to the campus network is required; talk to your IT Pro or read this Microsoft document for more information.

Enhanced Device Security via Device Management Policies

Because registering your device creates trust between our directory and your device, we want to make sure your device is secure. The Microsoft default settings will be applied. The Security and Endpoint Management teams are in the process of updating and maintaining those baselines.

What if I want to remove device management policies from my computer?

Information can be found below (How to Unenroll your Device).

Afterwards, if you would like to regain benefits such as passwordless SSO but do not want device management policies, uncheck the box allowing the organization to manage your device when you register the device again.

Conditional Access Policies

Registering your device allows access to sensitive resources that are secured by device-based Conditional Access policies.

BitLocker Recovery Key Backup

If you have BitLocker enabled, your recovery key can be backed up to Entra ID. This gives you an additional method to get back into your computer. To view your registered devices and any backed up recovery keys, visit your MyAccount page.

Please note: If you unenroll your device, your BitLocker recovery key will be deleted from Entra ID. For this reason, we recommend backing up your recovery key in an additional location such as a USB key or printout. Neither we nor Microsoft support are able to provide, or recreate, a lost BitLocker recovery key. See this link for more information.
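The following PowerShell script is an added example and is not code from the KB article or from Technology Services. It performs the backup this section describes (escrowing the volume's recovery password to Entra ID with the built-in BackupToAAD-BitLockerKeyProtector cmdlet) and, because the Entra copy is deleted when the device is unenrolled, also writes the second copy the article recommends. It assumes an elevated session on Windows 10 or 11 with the BitLocker PowerShell module, a device that is already Entra Registered or Joined, and a drive letter of your choosing for the copy; $BackupCopyPath is a placeholder value.

```powershell
#Requires -RunAsAdministrator
# Added example (not the KB's own code). Backs up the BitLocker recovery
# password for one volume to Entra ID and writes a second copy to removable
# media, since the Entra copy is removed when the device is unenrolled.
# Assumptions: Windows BitLocker module, elevated session, device already
# Entra Registered or Joined. $BackupCopyPath is a placeholder: point it at
# a USB drive, not at the encrypted volume itself.
param(
    [string]$MountPoint     = 'C:',
    [string]$BackupCopyPath = 'E:\BitLocker-recovery-key-C.txt'   # placeholder path
)

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; nothing to back up."
}

# Only a numerical recovery password protector can be escrowed to Entra ID;
# create one if the volume has none.
$recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $volume   = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

$report = foreach ($kp in $recovery) {
    # Escrow this protector to Entra ID (the device must be Entra Registered or Joined).
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    "Volume:            $MountPoint"
    "Protector ID:      $($kp.KeyProtectorId)"
    "Recovery password: $($kp.RecoveryPassword)"
    ""
}

# Second copy, on media that survives unenrollment and a lost or reimaged device.
$report | Out-File -FilePath $BackupCopyPath -Encoding utf8
Write-Output "Backed up $($recovery.Count) recovery password(s) to Entra ID and to $BackupCopyPath."
Write-Output "Confirm the Entra copy under Devices on your MyAccount page before relying on it."
```

Run it from an elevated PowerShell window with the USB drive inserted; afterwards the recovery password should appear on your MyAccount page and in the text file. Keep the printout or USB copy somewhere other than the laptop bag, since it is equivalent to the key for the whole disk.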

How to Enroll/Register your Device

Windows Devices

You can initiate device registration via the Settings app. Simply go to Settings -> Accounts -> Access work or school. Then select Connect from the Access work or school screen. You can also go through the device registration process by signing into a Microsoft application with your University credentials. This can be the Edge browser, Office 365, Teams, or several others.

You will be prompted to authenticate with your University credentials, and will be asked if you want to allow your organization to manage your device. See above for more information.
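After completing the Settings steps above, you can confirm which of the three states from the comparison table the device ended up in, and whether the Primary Refresh Token that the Passwordless section describes is present, with Windows' built-in dsregcmd tool. The script below is an added example (not code from the KB article or from Technology Services): it parses dsregcmd /status output and reports the join type and PRT state. It assumes Windows 10 or 11 with dsregcmd.exe and the field names AzureAdJoined, DomainJoined, WorkplaceJoined, AzureAdPrt and AzureAdPrtUpdateTime as dsregcmd prints them; the embedded sample output is constructed so the script also runs where dsregcmd is unavailable.

```powershell
# Added example (not the KB's own code). Reads "dsregcmd /status" and reports
# the device's Entra ID state and whether a Primary Refresh Token is present.
# Assumptions: Windows 10/11 with dsregcmd.exe; field names as printed by it.

function ConvertFrom-DsregStatus {
    # Turn "      Key : Value" lines into a hashtable. Section banners such as
    # "| Device State |" and the "+----+" rules do not match and are skipped.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-EntraJoinType {
    # Map the flags to the three columns of the comparison table.
    param([hashtable]$State)
    $aadJoined    = $State['AzureAdJoined']   -eq 'YES'
    $domainJoined = $State['DomainJoined']    -eq 'YES'
    $wpJoined     = $State['WorkplaceJoined'] -eq 'YES'   # "add a work or school account"
    if ($aadJoined -and $domainJoined) { return 'Microsoft Entra Hybrid Joined' }
    if ($aadJoined)                    { return 'Microsoft Entra Joined' }
    if ($wpJoined)                     { return 'Microsoft Entra Registered' }
    return 'Not registered with Entra ID'
}

function Get-PrtSummary {
    # A missing PRT is the "sign in again" case, e.g. after a password change.
    param([hashtable]$State)
    if ($State['AzureAdPrt'] -eq 'YES') {
        return "PRT present (last refreshed $($State['AzureAdPrtUpdateTime'])); SSO will sign you in silently."
    }
    return 'No PRT on this device: you will be prompted to sign in again, after which SSO resumes.'
}

# Use the live tool when available; otherwise fall back to a constructed sample
# (values below are made up for illustration, not real output).
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $lines = & dsregcmd.exe /status
} else {
    $lines = @(
        '+----------------------------------------------------------------------+',
        '| Device State                                                         |',
        '+----------------------------------------------------------------------+',
        '             AzureAdJoined : NO',
        '          EnterpriseJoined : NO',
        '              DomainJoined : NO',
        '+----------------------------------------------------------------------+',
        '| User State                                                           |',
        '+----------------------------------------------------------------------+',
        '                    NgcSet : NO',
        '           WorkplaceJoined : YES',
        '                AzureAdPrt : YES',
        '      AzureAdPrtUpdateTime : 2024-05-08 14:02:11.000 UTC'   # constructed value
    )
}

$state = ConvertFrom-DsregStatus -Lines $lines
Write-Output ("Join type : {0}" -f (Get-EntraJoinType -State $state))
Write-Output ("SSO state : {0}" -f (Get-PrtSummary   -State $state))
```

On a personal device where you only added a work or school account, the expected result is "Microsoft Entra Registered" with a PRT present; if the script instead reports "Microsoft Entra Joined" on a personal device, you are in the accidental-join situation covered at the end of this article.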

How to Unenroll your Device

Instructions for unenrolling devices can be found at this KB article: Microsoft 365, How do I undo the "Allow my organization to manage my device" setting?.

Afterwards, if you would like to regain benefits such as passwordless SSO but do not want device management policies, uncheck the box allowing the organization to manage your device when you register the device again.

NOTE: As mentioned above, if your BitLocker Recovery Keys are backed up to Entra ID, they will be deleted from our directory once you unenroll your device. We highly recommend backing up your recovery key in an additional location (such as your personal Microsoft account), as we cannot provide BitLocker Recovery Keys once they are deleted.

What if you accidentally Microsoft Entra Joined your personal device? (You sign into your device using your University credentials)

Joining your device to Entra ID (referenced at the top of the page) is meant for devices belonging to the University (such as a work laptop provided by your IT Pro) and allows a user to sign in with their University credentials.

However, it is possible for users to mistakenly join their personal device, either through the Windows Out of Box Experience (OOBE) or via Settings in Windows 10 or 11 (except Home editions). More information can be found here.

Instructions for undoing this can be found at this KB article: Microsoft 365, How do I undo the "Allow my organization to manage my device" setting?.

Keywords: azuread azure ad entra id registration join work school organization intune mdm policies
Doc ID: 131691
Owned by: Identity and Access Management in University of Illinois Technology Services
Created: 2023-09-25
Updated: 2024-05-08
Sites: University of Illinois Technology Services