Microsoft Entra Device Registration (Adding a Work or School Account)
Microsoft is rebranding Azure AD to Entra ID. Linked articles may reference either name.
Table of Contents: Benefits of Microsoft Entra Device Registration | How to Enroll/Register your Device | How to Unenroll your Device | Un-Joining from Entra ID
Before we get into the details, let's go over the different scenarios wherein a device is associated with the University in Azure AD (now known as Entra ID).
For reference, when a user chooses to 'add a work or school account', their device is typically considered Microsoft Entra Registered.
|Microsoft Entra Registered||Microsoft Entra Joined||Microsoft Entra Hybrid Joined|
|Device Ownership||Personally owned||University-owned||University-owned|
|How you sign into the device||
Local account or personal Microsoft account
University credentials (NetID@illinois.edu)
University credentials (UOFI\NetID)
|Provisioning||Can be set up by the user via Settings or during the sign-in process to certain Microsoft products.||
Can be set up by the the user via Settings or Windows Out of Box Experience (OOBE)
|Joined to the on-premises Active Directory (AD) by IT Pro, then auto joined to Entra ID via Microsoft Entra Connect.|
|OS Support||Windows 10+, iOS, macOS, Ubuntu||Windows 10+||Windows 8.1+ and Windows Server 2012 R2+|
This table is also included in the following KB: [Link for document 131534 is unavailable at this time].
Note: If you accidentally joined your personal device to Entra ID (you sign into the device with your University credentials), please click here.
The main benefit that users will see when registering their device is Single Sign-On (SSO) to university resources. This is done via a Primary Refresh Token (PRT). If you want to read about the technical details, Microsoft documentation on Primary Refresh Tokens can be found here (link).
When you access University resources such as Microsoft 365 (Outlook, Teams, Word, etc), Canvas, Zoom, Box, or many others, you will not have to enter your password each time.
This is because, after you initially registered your device by authenticating with your sign-in information, your device automatically, silently, and securely authenticates on your behalf. Essentially, the PRT is an encrypted token that securely ties your user and device identity to Entra ID. Because of the security of the token, it is valid for a long time and continuously refreshes as long as you actively use the device. There are situations where your Primary Refresh Token (PRT) is invalidated, most commonly when a user does a password change. When this happens, you will be prompted to sign in again. Afterwards, the PRT will once again handle authentications for you.
For users of University-managed devices that are Microsoft Entra Joined or Hybrid Joined, SSO is possible to on-premises resources as well. Line-of-sight to the campus network required; talk to your IT Pro or read this Microsoft document for more information.
Because registering your device creates trust between our directory and your device, we want to make sure your device is secure. Our Security and Endpoint Management teams have set up policies that will give user's devices a good security baseline. Users may choose to allow management of their device during the device registration process by checking the box labeled Allow my organization to manage my device. Information on policies deployed can be found here: [Link for document 131534 is unavailable at this time]. These policies do not allow the University to access personal data stored on your device; they configure certain settings to make sure that your device and data are kept secure. Access to certain University resources or applications may require Device Management policies to be applied to the device.
What if I want to remove device management policies from my computer?
Information can be found below (How to Unenroll your Device).
Afterwards, if you would like to re-gain benefits such as passwordless SSO, but do not want device management policies: During device registration you can un-check the box to allow the organization to manage your device.
Conditional Access Policies
Allows for access to sensitive resources that are secured by device-based Conditional Access policies.
If you have BitLocker enabled, your recovery key can be backed up to Entra ID. This gives you an additional method to get back into your computer. To view your registered devices and any backed up recovery keys, visit your MyAccount page.
Please note: If you unenroll your device, your BitLocker recovery key will be deleted from Entra ID. For this reason, we recommend backing up your recovery key in an additional location such as a USB key or printout. Neither we nor Microsoft support are able to provide, or recreate, a lost BitLocker recovery key. See this link for more information.
You can initiate device registration via the Settings app. Simply go to Settings -> Accounts -> Access work or school. Then select Connect from the Access work or school screen. You can also go through the device registration process by signing into a Microsoft application with your University credentials. This can be the Edge browser, Office 365, Teams, or several others.
You will be prompted to authenticated with your University credentials, and will be asked if you want to allow your organization to manage your device. See above for more information.
Instructions for unenrolling devices can be found at this KB article: Microsoft 365, How do I undo the "Allow my organization to manage my device" setting?.
Afterwards, if you would like to re-gain benefits such as passwordless SSO, but do not want device management policies: During device registration you can uncheck the box to allow the organization to manage your device.
NOTE: As mentioned above, if your BitLocker Recovery Keys are backed up to Entra ID, they will be deleted from our directory once you unenroll your device. We highly recommend backing up your recovery key in an additional location (such as your personal Microsoft account), as we cannot provide BitLocker Recovery Keys once they are deleted.
What if you accidentally Microsoft Entra Joined your personal device? (You sign into your device using your University credentials)
Joining your device to Entra ID (referenced at the top of the page) is meant for devices belonging to the University (such as a work laptop provided by your IT Pro) and allows a user to sign in with their University credentials.
However, it is possible for users to mistakenly join their personal device, either through the Windows Out of Box Experience (OOBE) or via Settings in Windows 10 or 11 (except Home editions). More information can be found here.
Instructions for undoing this can be found at this KB article: Microsoft 365, How do I undo the "Allow my organization to manage my device" setting?.