Azure AD Devices allows corporate mobile (Android and iOS) and Windows devices to join the AAD Domain to access resources. This allows SSO into Microsoft 365 services and AAD applications. Joining of devices can be constrained to just specific users, and administrators can set limits on settings/data sync.
Device management should be facilitated by a separate MDM solution, e.g. InTune or Group Policy.
Hybrid join allows devices access to both a traditional Active Directory forest and an AAD tenant. There are a few steps involved in getting this working:
- Azure AD Connect must synchronise the on-premises AD forest with the AAD tenant.
- Access to some AAD and Microsoft Graph URLs must be allowed from the AD domain controllers.
- A Service Connection Point must be created within the domain, detailing the Azure AD tenant ID and domain name.
- AD FS must be configured to federate with AAD.