
Microsoft Entra Join: Ultimate Step-by-Step Guide 2025

The Ultimate Deep-Dive Guide to Microsoft Entra Join in 2025

Everything you need to know — from packets on the wire to production-grade rollout strategies

Welcome to the definitive, no-stone-unturned guide to Microsoft Entra Join in late 2025.

Whether you’re migrating the last 5,000 domain-joined laptops off your aging AD, building a green-field cloud-native org, or just trying to understand why your new Windows 11 device shows “Microsoft Entra registered” instead of “joined”, this post has you covered.

1. The Big Picture – The Three Device Identity States in Microsoft Entra ID

| State | Join Type in Portal | Primary Use Case | Can be Intune-managed? | Primary Auth Method | Device Writeback to on-prem AD? |
|---|---|---|---|---|---|
| Microsoft Entra registered | Registered | Personal / BYOD | Yes (MDM only) | Workplace Join (WebAccountManager) | No |
| Microsoft Entra hybrid joined | Hybrid joined | Existing domain-joined + Entra Connect sync | Yes (Co-management) | Kerberos + PRT | Yes |
| Microsoft Entra joined | Joined | Cloud-native corporate devices | Yes (MDM only) | Primary Refresh Token (PRT) only | No |

We are focusing on the third row — pure Microsoft Entra joined.

2. What Actually Happens Under the Hood When You Click “Join”

Here’s the exact sequence (captured December 2025, Windows 11 24H2):

  1. User clicks “Join this device to Microsoft Entra ID”
  2. Settings app launches the ms-enroll:// protocol → opens an embedded WebView
  3. Redirects to https://login.microsoftonline.com/common/oauth2/authorize
  4. User authenticates (MFA, FIDO2, PHV, etc.)
  5. Entra ID issues an OAuth2 access token + refresh token with scope DeviceRegistration.Join
  6. Client calls the Microsoft Device Registration Service (DRS) at https://enterpriseregistration.windows.net
  7. DRS validates that the user is allowed to join (device join limit, MFA requirements, group membership)
  8. TPM 2.0 (or software fallback) creates a new device key pair
    → Attestation certificate + key signed by Microsoft CA chain
  9. Device object is created in Entra ID with:
  • displayName = current computer name
  • deviceId = GUID
  • trustType = “Workplace” → immediately flipped to “Azure AD” (now Microsoft Entra joined)
  • certificate thumbprint stored
  10. Primary Refresh Token (PRT) is issued and stored in the TPM-bound NGC container
  11. If automatic MDM enrollment is configured → device immediately calls the Intune MDM service and enrolls
  12. dsregcmd /status now shows AzureAdJoined : YES

3. Prerequisites You Can’t Skip (2025 Edition)

| Requirement | Details |
|---|---|
| OS Build | Windows 10 1809+ or Windows 11 (1709 works but is no longer supported) |
| Edition | Pro, Enterprise, Education, or Windows 11 SE |
| TPM | TPM 2.0 highly recommended (1.2 works but may hit errors with newer Conditional Access policies) |
| Internet | Direct outbound 443 to login.microsoftonline.com, enterpriseregistration.windows.net, *.manage.microsoft.com |
| Licensing | At minimum Microsoft Entra ID P1 (included in Microsoft 365 Business Premium, E3, etc.) |
| User Rights | Default = 20 devices per user. Can be restricted via Entra → Devices → Device settings |
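A readiness script for the prerequisites in the table above, added here as an example and not part of the original post. It assumes an elevated Windows PowerShell 5.1+ session; the EditionID list and the use of the apex host manage.microsoft.com in place of the *.manage.microsoft.com wildcard are assumptions.

```powershell
# Added example (not from the original post): checks the section 3 prerequisites
# on the local device before attempting an Entra join. Run elevated.
function Test-EntraJoinReadiness {
    $results = [ordered]@{}

    # OS build: Windows 10 1809 is build 17763; anything newer (incl. Windows 11) passes.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $results['OS build >= 17763 (Windows 10 1809 or later)'] = ($build -ge 17763)

    # Edition: Home/Core cannot be Entra joined. The EditionID values below are an
    # assumption meant to cover Pro, Enterprise, Education and Windows 11 SE (CloudEdition).
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $allowed = 'Professional', 'ProfessionalWorkstation', 'ProfessionalEducation',
               'Enterprise', 'EnterpriseS', 'Education', 'CloudEdition'
    $results["Edition supported ($edition)"] = ($allowed -contains $edition)

    # TPM: present, ready, and spec version 2.0 (1.2 may fail newer Conditional Access policies).
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    $results['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    $results["TPM spec 2.0 ($spec)"]  = ("$spec" -like '2.0*')

    # Outbound 443 to the registration and MDM endpoints from the table. The wildcard
    # *.manage.microsoft.com cannot be probed, so the apex host stands in (assumption).
    foreach ($h in 'login.microsoftonline.com', 'enterpriseregistration.windows.net', 'manage.microsoft.com') {
        $results["TCP 443 to $h"] = Test-NetConnection -ComputerName $h -Port 443 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    return $results
}

$checks = Test-EntraJoinReadiness
$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
# Non-zero exit lets a deployment tool gate the join on a clean readiness run.
if ($checks.Values -contains $false) { exit 1 }
```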

4. Step-by-Step Manual Join (With 2025 Screenshots in Mind)

  1. Settings → Accounts → Access work or school → + Connect
  2. Choose Join this device to Microsoft Entra ID (big blue button)
  3. Enter email → Next
  4. Modern authentication window (supports dark mode now)
  5. MFA / Passwordless → Approve
  6. “Make sure you’re joining the right organization” → shows tenant logo → Join
  7. “You’re all set!” → Done
  8. Device restarts explorer.exe and you’re done

5. The Single Most Important Setting: Automatic MDM Enrollment

If you skip this, your devices will be Entra joined but unmanaged — the #1 mistake in 2025.

Entra admin center → Identity → Devices → Device settings

| Setting | Recommended Value for Pure Cloud Orgs |
|---|---|
| Users may join devices to Microsoft Entra ID | All or Selected (security group) |
| Require Multi-Factor Auth to join/register | Yes (unless you have another compensating control) |
| MDM user scope | All or pilot group |
| MDM URLs | Auto-filled to Intune |
| MAM user scope | None (unless you’re doing full MDM) |

As soon as MDM user scope is not “None”, every Entra join will trigger automatic Intune enrollment within ~60 seconds.

6. Advanced Verification Commands (Run as Admin)

# Instant status
dsregcmd /status

# Detailed debug (great for support tickets)
dsregcmd /status /debug

# Force re-join if something went wrong
dsregcmd /leave
dsregcmd /join

# Check PRT
dsregcmd /status | findstr "AzureAdPrt"

# Check Intune enrollment
Get-WmiObject -Namespace root\cimv2\mdm\dmmap -Class MDM_Enrollment
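The checks above can be turned into one report that reads dsregcmd /status once and flags the failure modes this guide describes (no MDM URL from section 5, no PRT or no TPM-backed key from section 9). This is an added example, not code from the original post; it assumes an elevated Windows PowerShell session on the device and that dsregcmd prints its usual "Key : Value" rows.

```powershell
# Added example (not from the original post): parse dsregcmd /status into a lookup
# table and report the join, TPM, MDM and PRT state described in sections 5, 6 and 9.
function Get-DsregState {
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        # dsregcmd prints "   Key : Value" rows; banner lines (+---, | ... |) have no
        # leading key and are skipped. Non-greedy key so URLs keep their own colons.
        if ($line -match '^\s*([^:|+-][^:]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-EntraJoinState {
    param([hashtable]$State)
    $findings = @()
    if ($State['AzureAdJoined'] -ne 'YES') {
        $findings += 'AzureAdJoined is not YES: device is not Entra joined (re-run the join, section 4 or 8)'
    }
    if ($State['DomainJoined'] -eq 'YES') {
        $findings += 'DomainJoined is YES: device is still hybrid, not pure Entra joined (section 8)'
    }
    if ($State['TpmProtected'] -ne 'YES') {
        $findings += 'TpmProtected is not YES: device key uses the software fallback, check TPM/firmware (sections 2 and 9)'
    }
    if ([string]::IsNullOrEmpty($State['MdmUrl'])) {
        $findings += 'MdmUrl is empty: automatic MDM enrollment is not configured, device is unmanaged (section 5)'
    }
    if ($State['AzureAdPrt'] -ne 'YES') {
        $findings += 'AzureAdPrt is not YES: no PRT for this user, Intune compliance will show Not evaluated (section 9)'
    }
    return $findings
}

$findings = Test-EntraJoinState -State (Get-DsregState)
if ($findings.Count -eq 0) { 'OK: Entra join, TPM-backed key, MDM URL and PRT all present' }
else { $findings | ForEach-Object { "WARN: $_" } }
```

The SSO State section of dsregcmd reflects the account running the command, so run this as the signed-in user (elevated via UAC) rather than as a separate admin account, or the PRT check will report that account instead.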

7. Bulk & Zero-Touch Alternatives (When Manual Is Not Enough)

| Scenario | Recommended Method | Time to Deploy 1,000 Devices |
|---|---|---|
| New devices from OEM | Windows Autopilot (OEM or self-deploying) | ~2 hours total |
| Existing corporate devices | Intune provisioning package + bulk token | ~1 day |
| Re-imaging existing devices | Autopilot Reset / WhiteGlove | ~4 hours |
| Kiosk / shared devices | Autopilot self-deploying + Enrollment Status Page | ~30 mins per device |

8. Migration Path: From Hybrid Join → Pure Entra Join (Most Common 2025 Project)

  1. Disable Hybrid Join GPO (Computer Configuration → Administrative Templates → Windows Components → Device Registration)
  2. Run offline domain leave: dsregcmd /leave (reboot)
  3. Run dsregcmd /join (or manual join)
  4. Device flips from “Hybrid joined” → “Microsoft Entra joined”
  5. Re-enroll in Intune (automatic if scope is set)

9. Frequently Asked Real-World Issues in 2025

| Symptom | Root Cause | Fix |
|---|---|---|
| “Something went wrong 0x801c03f2” | TPM attestation failed (firmware bug) | Update BIOS/UEFI + TPM firmware |
| Device stuck in “Pending” state forever | Conditional Access blocking registration | Exclude “All cloud apps” or add “Device Registration Service” |
| Intune shows “Not evaluated” for compliance | No PRT because user signed in with local account | User must sign out of OOBE with Entra credentials |
| Can’t join after reaching 20-device limit | Default limit hit | Increase limit or delete stale devices |

You now know more about Microsoft Entra Join than 99 % of IT pros in 2025.

Go forth and liberate those devices from the domain!
