Merge pull request #53392 from MicrosoftDocs/main

Auto Publish – main to live - 2026-02-08 00:00 UTC

Author: learn-build-service-prod[bot]

.openpublishing.redirection.json

@@ -115,6 +115,11 @@
       "redirect_url": "https://learn.microsoft.com/azure/?product=popular",
       "redirect_document_id": false
     },
+    {
+      "source_path": "learn-pr/device-partner-university/introduction-to-entra-id/9-entra-id-autopilot.yml",
+      "redirect_url": "/training/modules/introduction-to-entra-id/9-tenant-id",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/learn-pr/azure/gain-insights-data-kusto-query-language/10-knowledge-check.yml",
        "redirect_url": "https://learn.microsoft.com/azure/?product=popular",

…ion-to-entra-id/9-entra-id-autopilot.yml …introduction-to-entra-id/9-tenant-id.ymllearn-pr/device-partner-university/introduction-to-entra-id/9-entra-id-autopilot.yml renamed to learn-pr/device-partner-university/introduction-to-entra-id/9-tenant-id.yml learn-pr/device-partner-university/introduction-to-entra-id/9-entra-id-autopilot.yml renamed to learn-pr/device-partner-university/introduction-to-entra-id/9-tenant-id.yml

@@ -1,13 +1,13 @@
 ### YamlMime:ModuleUnit
-uid: learn.dpu.introduction-to-entra-id.entra-id-autopilot
-title: Entra ID and Autopilot
+uid: learn.dpu.introduction-to-entra-id.tenant-id
+title: Microsoft Entra tenants and tenant IDs
 metadata:
-  title: Entra ID And Autopilot
+  title: Microsoft Entra Tenants and Tenant IDs
   description: This content is part of the "Introduction to Microsoft Entra ID" module.
   ms.date: 08/28/2025
   author: Stephanie-Rosenzweig
   ms.author: v-stephanier
   ms.topic: unit
 durationInMinutes: 1
 content: |
-  [!include[](includes/9-entra-id-autopilot.md)]
+  [!include[](includes/9-tenant-id.md)]

learn-pr/device-partner-university/introduction-to-entra-id/includes/10-device-identities.md

@@ -8,7 +8,7 @@ There are three primary methods for acquiring a device identity. These methods c
 
 ### Entra registration
 
-[Entra registration](/entra/identity/devices/concept-device-registration) enables employees to securely connect personal devices to organizational resources. This method is intended for bring-your-own-device (BYOD) scenarios. Devices can be registered with Entra ID without requiring an organizational account for device sign-in.
+[Entra registration](/entra/identity/devices/concept-device-registration) enables employees to securely connect personal devices to organizational resources. This method is intended for bring-your-own-device (BYOD) scenarios. Devices can be registered with Entra ID without requiring users to sign in to the device with an organizational account. The device is still associated with the organization and can be managed through Entra ID and Conditional Access policies.
 
 Instead, users may sign in using a local account, such as a Microsoft account, on Windows 10 or later. Once registered, the device is associated with an Entra account, which governs access to organizational resources. Access can be restricted based on Conditional Access policies applied to the device identity.
 
@@ -21,14 +21,26 @@ Entra registration can occur automatically when a user accesses a work applicati
 
 ### Entra join
 
-[Entra Join](/entra/identity/devices/concept-directory-join) allows organizations to deployed devices that are recognized and managed by Entra ID. This method is suitable for organizations of any size or industry and is compatible with hybrid environments.
+[Entra Join](/entra/identity/devices/concept-directory-join) allows organizations to register devices with Microsoft Entra ID, so the devices are recognized as part of the organization. This method is suitable for organizations of any size or industry and is compatible with hybrid environments.
 
 Entra joined devices authenticate through Entra ID rather than a traditional domain controller. Access to resources is governed by the Entra account and Conditional Access policies applied to the device.
 
-For implementation guidance, refer to [implementing Entra join](/entra/identity/devices/device-join-plan) on Microsoft Docs.
+For implementation guidance, refer to [implementing Entra join](/entra/identity/devices/device-join-plan) on Microsoft Learn.
+
+> [!NOTE]
+> Entra Join itself does not manage device settings or policies. Management of the device’s configuration and security is handled by tools such as Microsoft Intune or Configuration Manager.
+
+### Autopilot device registration
+
+When a device is registered through Windows Autopilot, it's recognized as a corporate-owned device. This ensures that Autopilot profiles that mandate settings, like device naming conventions and whether the user is a local administrator, are applied automatically during provisioning.
+
+> [!NOTE]
+> Autopilot registration does not by itself control access to apps or services—it simply identifies the device as corporate‑owned and applies the assigned Autopilot provisioning settings.
+
+Without a valid Entra device identity—whether through Entra Join, Entra Hybrid Join, or Entra registration—features such as multifactor authentication (MFA) and single sign-on (SSO) won’t function properly. As a result, users may be unable to authenticate or access organizational resources.
 
 ### Entra hybrid join
 
-[Entra hybrid join](/entra/identity/devices/concept-hybrid-join) is a transitional approach for organizations with existing Active Directory (AD) infrastructures are connected to an on-premises AD and registered with Entra ID, enabling access to selected cloud capabilities. These devices require periodic network connectivity to on-premises domain controllers. If maintaining this connection is a concern, organizations should consider transitioning to Entra join.
+[Entra hybrid joined devices](/entra/identity/devices/concept-hybrid-join) are connected to an on-premises Active Directory (AD) and registered with Microsoft Entra ID. This transitional approach enables organizations to maintain existing on-premises processes while gaining access to selected cloud capabilities. These devices require periodic network connectivity to on-premises domain controllers. Organizations should consider accelerating their journey to cloud-native Windows and adopting Entra join sooner rather than later, even if maintaining connectivity to on-premises Active Directory is not a concern.
 
 For implementation guidance, refer to [implementing Entra hybrid join](/entra/identity/devices/hybrid-join-plan).

learn-pr/device-partner-university/introduction-to-entra-id/includes/11-how-use-entra-id.md

@@ -53,7 +53,7 @@ For more information, refer to the documentation on [member and guest users](/en
 
 ## Directions for groups
 
-Microsoft Entra groups are used to manage collections of users who require the same access permissions to organizational resources, such as restricted applications and services. Group-based access management allows resource owners or Entra directory administrators to assign a consistent set of permissions to all members of a group.
+Microsoft Entra groups can include users or devices and are used to simplify access and management. For users, groups allow administrators or resource owners to assign consistent access permissions to organizational resources, such as applications and services. For devices, groups are primarily used to target policies from tools like Microsoft Intune, Microsoft Defender for Endpoint (MDE), or Microsoft Purview. User groups can also be used to target management policies, just like device groups.
 
 Administrators can also delegate group membership management to designated individuals, such as department managers or help desk personnel. These delegated users can add or remove group members as needed.
 

learn-pr/device-partner-university/introduction-to-entra-id/includes/3-strong-authentication.md

@@ -1,6 +1,6 @@
 Single sign-on (SSO) enables users to authenticate once and gain access to multiple applications without repeated credential entry. This approach simplifies access and reduces password fatigue, contributing to improved security and user efficiency.
 
-Multifactor authentication (MFA) enhances security by requiring two or more verification factors during sign-in. For example, users may be prompted to provide both a password and a biometric identifier or a time-based code from an authenticator application. MFA mitigates risks associated with compromised credentials by enforcing additional verification steps.
+Multifactor authentication (MFA) enhances security by requiring two or more verification factors during sign-in. For example, users might enter a password and then confirm the sign-in using the Microsoft Authenticator app on their smartphone or a FIDO2 security key, or a biometric factor such as a fingerprint or facial recognition. MFA helps reduce the risk of compromised credentials by requiring additional verification beyond a username and password.
 
 Microsoft Entra ID supports passwordless authentication through alternative methods such as biometrics via Windows Hello for Business, time-based codes from the Microsoft Authenticator app, and FIDO2 security keys. These methods reduce reliance on passwords and lower the risk of credential theft.
 

learn-pr/device-partner-university/introduction-to-entra-id/includes/4-risk-based-conditional-access.md

@@ -1,8 +1,8 @@
-Conditional Access in Microsoft Entra ID uses signals from various sources—including IP location and real-time risk detection—to evaluate access requests and enforce organizational policies. Based on these signals, the system can grant or deny access or require additional verification steps to ensure that only authorized users under appropriate conditions can access sensitive resources.
+Conditional Access in Microsoft Entra ID uses signals from various sources—including IP location, device compliance status, and real-time risk detection—to evaluate access requests and enforce organizational policies. Based on these signals, the system can grant or deny access or require additional verification steps to ensure that only authorized users under appropriate conditions can access sensitive resources.
 
 ## Define access criteria
 
-Conditional Access policies operate as logical if-then statements. For example, if a user attempts to access a resource such as Microsoft 365, then they must complete a specified action, such as multifactor authentication (MFA).
+Conditional Access policies operate as logical if-then statements. For example, if a user attempts to access a resource such as Microsoft 365, then they—or the device they are using—must meet specific, pre-defined criteria, such as completing multifactor authentication (MFA), using a compliant device, or accessing from a trusted location.
 
 Administrators can configure these policies manually or use predefined templates available in the Microsoft Entra admin center. Policies can also be created programmatically using the Microsoft Graph API.
 

learn-pr/device-partner-university/introduction-to-entra-id/includes/6-recommendations.md

@@ -4,7 +4,10 @@ Organizations aren't required to replace all existing devices immediately. Howev
 
 As a transitional step toward full cloud enablement, existing devices can be enrolled in co-management and connected to cloud identities using Entra hybrid join.
 
-Entra hybrid joined devices are simultaneously connected to an on-premises Active Directory (AD) and registered with Microsoft Entra ID. This configuration allows organizations to use selected cloud features while maintaining compatibility with existing infrastructure.
+> [!NOTE]
+> Co-management is when a device is managed simultaneously by both Microsoft Configuration Manager and Microsoft Intune. This allows organizations to gradually shift device management to the cloud while maintaining existing on-premises controls. Co-management provides flexibility to choose which workloads are managed by Intune versus Configuration Manager, enables pilot testing with select devices, and unlocks cloud-powered capabilities such as Conditional Access and modern provisioning with Windows Autopilot.
+
+Entra hybrid joined devices are simultaneously connected to an on-premises Active Directory (AD) and registered with Microsoft Entra ID. This configuration allows organizations to use selected cloud features while maintaining existing processes and progressing on their cloud journey.
 
 When organizations are ready to upgrade hardware, they can transition to new or refurbished cloud-native devices.
 
@@ -16,33 +19,22 @@ These devices are provisioned using Windows Autopilot, joined directly to Entra
 >
 >The recommended approach is to integrate devices with Microsoft Entra ID and manage them using cloud-based tools. This enables organizations to optimize resource management, improve operational efficiency, and maintain competitiveness.
 
+The recommended approach is to integrate devices with Microsoft Entra ID and manage them using cloud-based tools. This enables organizations to optimize resource management, improve operational efficiency, and maintain competitiveness. Entra join doesn't prevent access to on-premises resources, and organizations transitioning to cloud-native Windows can continue to use on-premises Active Directory for applications or services that require it.
+
 ## User scenarios
 
-Use Entra join when you're:
-
-- Transitioning to cloud-based infrastructure using Microsoft Entra ID and Microsoft Intune.
-- Managing mobile devices such as tablets and smartphones where on-premises domain join isn't feasible.
-- Providing access for users who primarily utilize Microsoft 365 or other SaaS applications integrated with Entra ID.
-- Managing user groups directly in Entra ID rather than Active Directory (AD), which is beneficial for roles such as seasonal workers, contractors, or students.
-- Enabling device join capabilities for remote or home-based workers with limited access to on-premises infrastructure.
-- Provisioning new or reset devices using Windows Autopilot, supporting scenarios such as drop-shipping, self-service setup, and accelerated deployment timelines.
-
-Use Entra hybrid join when you:
-
-- Require continued use of Group Policy for device configuration management.
-- Intend to maintain existing imaging-based deployment processes.
-- Have legacy Win32 applications that rely on AD-based machine authentication.
-
-| Feature / aspect                 | Entra Join (Azure AD Join)                              | Entra Hybrid Join (Hybrid Azure AD Join)                  |
-|----------------------------------|----------------------------------------------------------|------------------------------------------------------------|
-| Target devices                   | Devices owned by the organization, typically cloud-first | Domain-joined devices managed on-premises                  |
-| Primary use case                 | Cloud-native environments                                | Organizations with existing on-premises Active Directory       |
-| Device ownership                 | Organization-owned or BYOD                               | Organization-owned                                         |
-| Directory dependency             | Microsoft Entra ID only                                  | Requires both on-premises AD and Microsoft Entra ID            |
-| Join process                     | Joined directly to Entra ID during setup                 | Joined to on-premises AD first, then registered with Entra ID  |
-| Management tools                 | Intune, Endpoint Manager                                 | Group Policy, SCCM, Intune                                 |
-| User sign-in experience          | Entra ID credentials                                     | AD credentials (with Entra ID token sync)                  |
-| SSO (single sign-on)             | Full SSO to cloud resources                              | SSO to both on-premises and cloud resources                    |
-| Conditional access support       | Full support                                             | Full support                                               |
-| Windows Autopilot support        | Fully supported                                          | Limited (requires additional configuration)                |
-| Best for                         | Cloud-first or cloud-only organizations                  | Hybrid environments transitioning to cloud                 |
+Entra join is the preferred choice for connecting devices to Microsoft Entra ID. It supports cloud-first management, enables modern provisioning with Windows Autopilot, and integrates seamlessly with Microsoft Intune and Microsoft 365 applications.
+
+That said, some devices or environments might require on-premises or hybrid join, such as:
+
+- Air-gapped networks or devices.
+- Devices running applications with nonstandard authentication mechanisms that depend on on-premises Active Directory.
+- Organizational or regulatory requirements that mandate on-premises management.
+
+Using on-premises or hybrid join for a subset of devices doesn't limit your entire environment. Organizations can mix device join types as needed while keeping Entra join as the default.
+
+| Feature / aspect           | Entra Join (Azure AD Join) | Entra Hybrid Join (Hybrid Azure AD Join)  |
+| -------------------------- | -------------------------- | ----------------------------------------- |
+| User sign-in experience    | Entra ID credentials       | AD credentials (with Entra ID token sync) |
+| Conditional Access support | Full support               | Full support                              |
+| Windows Autopilot support  | Fully supported            | Limited (generally **not recommended**)   |

learn-pr/device-partner-university/introduction-to-entra-id/includes/9-entra-id-autopilot.md

@@ -0,0 +1,7 @@
+Azure subscriptions have a trust relationship with Microsoft Entra ID, which authenticates users, services, and devices. Each subscription is linked to a specific Microsoft Entra tenant, identified by a unique tenant ID. There are several ways to [find the tenant ID](/entra/fundamentals/how-to-find-tenant#find-tenant-id-through-the-microsoft-entra-admin-center) associated with an Azure subscription. For guidance on [how to create a new tenant](/entra/identity-platform/quickstart-create-new-tenant#create-a-new-microsoft-entra-tenant), refer to the Microsoft Entra documentation.
+
+## Helpful definitions
+
+An [Entra tenant](/microsoft-365/education/deploy/intro-azure-active-directory#what-is-a-microsoft-entra-tenant) is a security boundary under an organization’s control. Within this boundary, administrators can manage directory objects (such as users and groups) and configure tenant-wide settings.
+
+A [service principal](/entra/identity-platform/app-objects-and-service-principals?toc=%2Fazure%2Factive-directory%2Fworkload-identities%2Ftoc.json&bc=%2Fazure%2Factive-directory%2Fworkload-identities%2Fbreadcrumb%2Ftoc.json&tabs=browser#service-principal-object) represents an application’s identity in a Microsoft Entra tenant. It defines the permissions and access policies the application uses to authenticate and access resources. Service principals are commonly used when apps or automation tools need to securely access Microsoft cloud services without requiring a user to sign in.