
Entra Join (The Cloud-Only Path)

Cloud-Only Architecture

Entra Join (No Domain Controllers)

For modern physical devices, the gold standard is 100% Entra Join. This removes the dependency on line-of-sight to a Domain Controller, complex VPNs, and Hybrid sync latency. The device identity lives solely in the cloud.

Instant Intune Enrollment

Unlike Hybrid Join, which requires a GPO to trigger enrollment, Entra Joined devices enroll in Intune automatically the moment they join the directory—provided the MDM User Scope is correctly configured.

Entra Join Deployment Checklist

Because we have removed the sync and GPO layers, this deployment is significantly faster and less prone to retry loops. However, the DNS and Entra configuration prerequisites are strict.

Phase 1: DNS Discovery Records

Devices discover their registration and enrollment endpoints through DNS. Ensure both your public and private (internal) DNS zones carry these records for every UPN suffix in use; a suffix missing from either zone fails for devices on that side of the network.

  • Host Name: enterpriseregistration.[yourdomain.com]
    • Record Type: CNAME
    • Value: enterpriseregistration.windows.net
    • Purpose: Tells the device where to register its identity in Entra ID.
  • Host Name: enterpriseenrollment.[yourdomain.com]
    • Record Type: CNAME
    • Value: enterpriseenrollment-s.manage.microsoft.us
    • Purpose: Tells the device where the GCC High Intune enrollment server is located.
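A way to check these records for every UPN suffix before rollout, as an added example and not code from the original page. The -Resolver parameter is a hypothetical hook so the check can be run against constructed answers; on a Windows host, omit it and the function queries DNS with Resolve-DnsName from the DnsClient module. The suffixes and answers below are constructed: one suffix is correct, one has its enterpriseenrollment CNAME pointing at the Commercial endpoint, and one is missing that record entirely.

```powershell
# Added example, not from the original page: verify the Phase 1 CNAMEs for each UPN suffix.
# Expected targets are the GCC High values from the table above.
$ExpectedCnames = @{
    'enterpriseregistration' = 'enterpriseregistration.windows.net'
    'enterpriseenrollment'   = 'enterpriseenrollment-s.manage.microsoft.us'
}

function Test-EnrollmentDns {
    param(
        [Parameter(Mandatory)][string[]]$Suffixes,
        # Hypothetical hook: a scriptblock that returns the CNAME target for a name.
        # The default queries real DNS (Windows DnsClient module); tests can pass a stub.
        [scriptblock]$Resolver = {
            param($Name)
            (Resolve-DnsName -Name $Name -Type CNAME -ErrorAction Stop).NameHost
        }
    )
    foreach ($suffix in $Suffixes) {
        foreach ($label in $ExpectedCnames.Keys) {
            $fqdn     = "$label.$suffix"
            $expected = $ExpectedCnames[$label]
            # NXDOMAIN or a resolver error is reported as an empty target, not a crash.
            try   { $actual = [string](& $Resolver $fqdn) } catch { $actual = '' }
            $actual = $actual.TrimEnd('.')
            if ($actual -ieq $expected)                     { $result = 'PASS' }
            elseif ($actual -eq '')                         { $result = 'FAIL: no CNAME record' }
            elseif ($actual -like '*.manage.microsoft.com') { $result = 'FAIL: points at Commercial Intune' }
            else                                            { $result = 'FAIL: unexpected target' }
            [pscustomobject]@{ Record = $fqdn; Expected = $expected; Actual = $actual; Result = $result }
        }
    }
}

# Constructed sample answers for three suffixes: contoso.us is correct, contoso-old.us
# points enterpriseenrollment at the Commercial server, labs.contoso.us lacks that record.
$sampleAnswers = @{
    'enterpriseregistration.contoso.us'      = 'enterpriseregistration.windows.net'
    'enterpriseenrollment.contoso.us'        = 'enterpriseenrollment-s.manage.microsoft.us'
    'enterpriseregistration.contoso-old.us'  = 'enterpriseregistration.windows.net'
    'enterpriseenrollment.contoso-old.us'    = 'enterpriseenrollment.manage.microsoft.com'
    'enterpriseregistration.labs.contoso.us' = 'enterpriseregistration.windows.net'
}
$stub = { param($Name) if ($sampleAnswers.ContainsKey($Name)) { $sampleAnswers[$Name] } else { throw "NXDOMAIN: $Name" } }

# Offline run against the constructed answers; drop -Resolver to query real DNS.
Test-EnrollmentDns -Suffixes 'contoso.us', 'contoso-old.us', 'labs.contoso.us' -Resolver $stub |
    Format-Table -AutoSize
```

Run it once from inside the network and once from outside so the private and public zones are both exercised; a Commercial target on the enrollment record is the failure that shows up later as a .com MdmUrl in Phase 3.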

Phase 2: Entra Configuration (The Trigger)

In a cloud-only world, there is no GPO to push enrollment. The MDM User Scope is the only trigger.

  • [ ] Configure MDM User Scope:
    • Navigate to Entra ID > Mobility (MDM and MAM) > Microsoft Intune.
    • MDM User Scope: Set to All (or target the group containing your device users; a user outside this scope joins the device but never enrolls it).
    • WIP (MAM) User Scope: Set to None.
      • Warning: If this is also set to "All," a device that is registered rather than joined can land in MAM (app management only) instead of full device management. Setting it to None ensures every Windows enrollment is MDM.
  • [ ] Configure enrollment restrictions:
    • Go to the Microsoft Intune admin center.
    • Navigate to Devices > Enrollment > Device platform restriction.
    • Select the Windows restrictions tab and click Create restriction.
    • Set Name to Block Personally Owned Devices.
    • Set Description to Block enrollment of personally owned devices.
    • Click Next, then set Personally owned devices to Block.
    • Assign to All users.
Devices are "Personal" by default — designate Corporate devices first

When this restriction is active, Intune blocks enrollment of any device not already designated as Corporate. Devices have no corporate designation until you explicitly assign one. Enabling this restriction without a corporate designation mechanism in place will block all new enrollments.

For Entra Joined devices, there are two supported methods to designate a device as Corporate before enrollment:

  • Autopilot registration (recommended): Devices pre-registered through Provisioning with Windows Autopilot are automatically marked Corporate by the Autopilot service at the start of OOBE.
  • Corporate identifiers: Upload device identifiers to Intune > Devices > Enrollment > Corporate device identifiers. Windows identifiers are matched on manufacturer, model and serial number together, so record all three exactly as the device reports them. Any device that matches is marked Corporate when it enrolls; no Autopilot infrastructure required.

Phase 3: Verification & Success Indicators

Once the device is joined, verify state before declaring success.

  • [ ] Run Verification Command:
    • Open Command Prompt and type: dsregcmd /status
  • [ ] Verify Identity State:
    • AzureAdJoined : YES — The device is natively cloud joined.
    • DomainJoined : NO — This is correct for cloud-only. If this says YES, the device was accidentally Hybrid Joined.
    • AzureAdPrt : YES — The user has a valid cloud token.
  • [ ] Verify Discovery:
    • Scroll down to the Tenant Details section. This is where you verify that the device is pointed at the correct cloud tenant:
    • MdmUrl: Must point to https://enrollment.manage.microsoft.us/enrollmentserver/discovery.svc
    • MdmTouUrl: Must point to https://portal.manage.microsoft.us/TermsofUse.aspx
Critical Sovereign Check

If MdmUrl points to a .com address (manage.microsoft.com), the machine is attempting to enroll in Commercial Intune rather than GCC High. Check TenantName and TenantId in the same section to confirm the device joined your GCC High tenant and not a Commercial one.

  • [ ] Visual Verification (Settings):
    • Open Settings > Accounts > Access work or school.
    • You should see the connection to your Entra ID tenant.
    • Click the connection. You should see an Info button.
      • If the Info button is missing: The device is joined but not enrolled. Check the MDM User Scope in Phase 2.
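The Phase 3 checks can be scripted so every device gets the same verdict, for example from a remote session or a sign-in script. This is an added example, not code from the original page; the function names and the failure wording are assumptions of this example. The dsregcmd output embedded below is constructed sample text and is used only when dsregcmd.exe is not on the path (so the script can be tried off a Windows box); on a joined device the script runs the real command.

```powershell
# Added example, not from the original page: turn the Phase 3 dsregcmd checks into a script.
function ConvertFrom-DsregStatus {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable. Section banners
    # and multi-word keys such as "Device Name" do not match the pattern and are skipped.
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Test-EntraJoinState {
    # Returns an array of failure strings; empty means the device passes every check.
    param([hashtable]$Status)
    $failures = @()
    $expected = @(
        @{ Name = 'AzureAdJoined'; Expect = 'YES'; Why = 'device is not natively cloud joined' },
        @{ Name = 'DomainJoined';  Expect = 'NO';  Why = 'YES means the device was Hybrid Joined' },
        @{ Name = 'AzureAdPrt';    Expect = 'YES'; Why = 'user has no valid cloud token (PRT)' }
    )
    foreach ($e in $expected) {
        $actual = $Status[$e.Name]
        if ($actual -ne $e.Expect) { $failures += "$($e.Name) = '$actual' (expected $($e.Expect)): $($e.Why)" }
    }
    # Sovereign check: both MDM URLs must be GCC High (*.manage.microsoft.us) endpoints.
    foreach ($key in 'MdmUrl', 'MdmTouUrl') {
        $url = $Status[$key]
        if (-not $url) { $failures += "$key is empty: device joined but received no MDM discovery URL; check MDM User Scope" }
        elseif ($url -notmatch '^https://[a-z0-9.-]+\.manage\.microsoft\.us/') { $failures += "$key = $url : not a GCC High endpoint (a .com address means Commercial)" }
    }
    return ,$failures
}

# Constructed sample output used when dsregcmd.exe is unavailable. Only the fields this
# script reads are shown; a real dump is much longer and the TenantId here is a placeholder.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : GCCH-LAPTOP-01

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso Federal
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl : https://enrollment.manage.microsoft.us/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.us/TermsofUse.aspx

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

# Prefer the live command on a Windows host; fall back to the constructed sample elsewhere.
$raw = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { & dsregcmd.exe /status } else { $sample }
$failures = Test-EntraJoinState -Status (ConvertFrom-DsregStatus -Lines $raw)
if ($failures.Count -eq 0) { 'PASS: cloud-only Entra Join with GCC High MDM endpoints' }
else { $failures | ForEach-Object { "FAIL: $_" }; exit 1 }
```

Run it in the user's session, not as SYSTEM: AzureAdPrt is per user, so an elevated or SYSTEM context reports NO even on a healthy device. A non-zero exit code makes the script usable as a gate in a deployment pipeline.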

Phishing-Resistant Windows Logon (optional for Entra Join)

For Entra Join, Intune enrollment is interactive, so it can satisfy standard MFA Conditional Access policies without WHfB in place. However, until phishing-resistant Windows logon is configured, users will receive per-app MFA prompts after each login, because a PRT obtained with a password at Windows logon carries no MFA claim; a PRT obtained with Windows Hello for Business or a FIDO2 key does.

Configure Windows Hello for Business after enrollment

See Windows Hello for Business Setup & Troubleshooting for Intune policy configuration and diagnostic steps. For the full set of options including PIV cards and FIDO2 NFC keys for constrained environments, see Phishing-Resistant Authentication.

Migrating Existing Machines

Transitioning from Domain or Hybrid Join?

For environments where existing user profiles must be preserved during the transition, see Scenario: Migrating to Entra Join. This checklist covers greenfield deployments only.
